
chore(go): rebuild with Go 1.26.4 to fix stdlib CVEs #11

Merged
alaudabot merged 1 commit into alauda-v1.82.0 from fix/go-1264-stdlib-vuln
Jun 8, 2026

@l-qing l-qing commented Jun 7, 2026


Why

Released binaries on alauda-v1.82.0 build with Go 1.26.3 and carry stdlib
CVE-2026-42504 (HIGH), CVE-2026-27145 (MEDIUM) and CVE-2026-42507
(MEDIUM), all fixed in Go 1.26.4.

What

Bump the go directive in go.mod to 1.26.4. The Alauda release
workflow uses actions/setup-go with go-version-file: go.mod, so the
next auto-cut -alauda-N release builds on Go 1.26.4 and scans clean.

Consumed downstream by AlaudaDevops/catalog images.

Rebuild released binaries with Go 1.26.4 to clear stdlib CVE-2026-42504,
CVE-2026-27145 and CVE-2026-42507. The Alauda release workflow resolves the
toolchain via setup-go go-version-file: go.mod, so bumping this directive is
sufficient for the next -alauda-N release to build on Go 1.26.4.
@alaudabot alaudabot merged commit b1feb01 into alauda-v1.82.0 Jun 8, 2026
6 checks passed
@alaudabot alaudabot deleted the fix/go-1264-stdlib-vuln branch June 8, 2026 01:52
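
The PR relies on the `go` directive in go.mod selecting the release toolchain, so a regression of that line would silently bring back the unpatched stdlib. A pre-release gate for that, as an added example that is not part of this PR or the project's code; the names `minPatched`, `parse` and `patched` are hypothetical, and the floor 1.26.4 is taken from the PR description:

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// minPatched is the release the PR description names as fixing the stdlib CVEs.
var minPatched = [3]int{1, 26, 4}

// parse turns "1.26.4" into [1 26 4]; "1.26" gets patch 0; "1.26rc1" is rejected.
func parse(v string) (out [3]int, err error) {
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unsupported go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil || out[i] < 0 {
			return out, fmt.Errorf("unsupported go version %q", v)
		}
	}
	return out, nil
}

// patched reports whether the `go` directive in gomod is at least floor.
func patched(gomod string, floor [3]int) (bool, error) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "go" {
			continue
		}
		have, err := parse(f[1])
		for i := 0; err == nil && i < 3; i++ {
			if have[i] != floor[i] {
				return have[i] > floor[i], nil
			}
		}
		return err == nil, err
	}
	return false, fmt.Errorf("no go directive found")
}

func main() {
	data, _ := os.ReadFile("go.mod") // an unreadable file is reported as "no go directive"
	if ok, err := patched(string(data), minPatched); !ok {
		fmt.Fprintln(os.Stderr, "go.mod is not on a patched Go release:", err)
		os.Exit(1)
	}
}
```

A directive without a patch component (`go 1.26`) is treated as below the floor, so the check fails closed instead of assuming which patch release the workflow would resolve.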