Skip to content

Bump Go 1.26.3→1.26.4 (stdlib crypto/x509, mime, net/textproto CVE fixes)#3608

Open
max-santiago wants to merge 1 commit into
temporalio:mainfrom
max-santiago:bump-go-1.26.4
Open

Bump Go 1.26.3→1.26.4 (stdlib crypto/x509, mime, net/textproto CVE fixes)#3608
max-santiago wants to merge 1 commit into
temporalio:mainfrom
max-santiago:bump-go-1.26.4

Conversation

@max-santiago

Copy link
Copy Markdown

Description & motivation 💭

Bumps the Go toolchain 1.26.31.26.4 in server/Dockerfile (both the
server-builder and dockerize-builder stages) and the go directive in
server/go.mod. No dependency changes, so go.sum is untouched.

This is the same kind of change as #3409 — clearing Go-toolchain CVEs flagged
against the temporalio/ui-server Docker image to avoid vulnerability-scanner
noise. None are exploitable in a normal Temporal UI deployment; all three fixes
land in the standard library, which is compiled in from the toolchain, so a
toolchain bump is the whole fix.

Go 1.26.4 (released 2026-06-02)
security fixes:

  • CVE-2026-42504mime: quadratic complexity in WordDecoder.DecodeHeader
  • CVE-2026-42507net/textproto: input included in errors without escaping
    (log / terminal-control-byte injection)
  • CVE-2026-27145crypto/x509: quadratic hostname verification with large
    DNS SAN lists, incurred even for untrusted certificates

Testing 🧪

How was this tested 👻

Mechanical version-string bump only — no source or dependency changes (go.sum
unchanged). Relying on CI to build the server image and run the suite against the
1.26.4 toolchain.

  • Manual testing
  • E2E tests added
  • Unit tests added

Steps for others to test: 🚶🏽‍♂️🚶🏽‍♀️

Build the server image and confirm it compiles under Go 1.26.4:
docker build -f server/Dockerfile .

Docs

Any docs updates needed?

No.

@max-santiago max-santiago requested a review from a team as a code owner June 29, 2026 16:40
@vercel

vercel Bot commented Jun 29, 2026

Copy link
Copy Markdown

@max-santiago is attempting to deploy a commit to the Temporal Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant