From 06c054bbc8ad13fa7eca7180c15eeede31658b3e Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood <nick@craig-wood.com>
Date: Wed, 8 Apr 2026 09:50:20 +0100
Subject: [PATCH] Update to go 1.25.9 to fix multiple CVEs

- CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux
- CVE-2026-32289: html/template: JS template literal context incorrectly tracked
- CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains
- CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking
- CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination
- CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map
- CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock
- CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
- CVE-2026-32280: crypto/x509: unexpected work during chain building
- CVE-2026-32281: crypto/x509: inefficient policy validation

Fixes #9302
---
 .github/workflows/build.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9ed966690..ecb9bc014 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,7 +34,7 @@ jobs:
         include:
           - job_name: linux
             os: ubuntu-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             gotags: cmount
             build_flags: '-include "^linux/"'
             check: true
@@ -45,14 +45,14 @@ jobs:
 
           - job_name: linux_386
             os: ubuntu-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             goarch: 386
             gotags: cmount
             quicktest: true
 
           - job_name: mac_amd64
             os: macos-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             gotags: 'cmount'
             build_flags: '-include "^darwin/amd64" -cgo'
             quicktest: true
@@ -61,14 +61,14 @@ jobs:
 
           - job_name: mac_arm64
             os: macos-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             gotags: 'cmount'
             build_flags: '-include "^darwin/arm64" -cgo -macos-arch arm64 -cgo-cflags=-I/usr/local/include -cgo-ldflags=-L/usr/local/lib'
             deploy: true
 
           - job_name: windows
             os: windows-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             gotags: cmount
             cgo: '0'
             build_flags: '-include "^windows/"'
@@ -78,7 +78,7 @@ jobs:
 
           - job_name: other_os
             os: ubuntu-latest
-            go: '~1.25.8'
+            go: '~1.25.9'
             build_flags: '-exclude "^(windows/|darwin/|linux/)"'
             compile_all: true
             deploy: true
@@ -218,7 +218,7 @@ jobs:
         id: setup-go
         uses: actions/setup-go@v6
         with:
-          go-version: '~1.25.8'
+          go-version: '~1.25.9'
           check-latest: true
           cache: false
 
@@ -309,7 +309,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '~1.25.8'
+          go-version: '~1.25.9'
 
       - name: Set global environment variables
         run: |