From 2a7b0d0d3b6decabdc8a5e4d4d977ae36b619dcc Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood <nick@craig-wood.com>
Date: Wed, 3 Jun 2026 12:40:28 +0100
Subject: [PATCH] build: fix multiple CVEs by upgrading to go1.26.4

- CVE-2026-42504: mime: quadratic complexity in WordDecoder.DecodeHeader
- CVE-2026-42507: net/textproto: arbitrary input are included in errors without any escaping
- CVE-2026-27145: crypto/x509: split candidate hostname only once
---
 .github/workflows/build.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9dacf0ebf..0d714242c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,7 +37,7 @@ jobs:
         include:
           - job_name: linux
             os: ubuntu-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             gotags: cmount
             build_flags: '-include "^linux/"'
             check: true
@@ -48,14 +48,14 @@ jobs:
 
           - job_name: linux_386
             os: ubuntu-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             goarch: 386
             gotags: cmount
             quicktest: true
 
           - job_name: mac_amd64
             os: macos-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             gotags: 'cmount'
             build_flags: '-include "^darwin/amd64" -cgo'
             quicktest: true
@@ -64,14 +64,14 @@ jobs:
 
           - job_name: mac_arm64
             os: macos-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             gotags: 'cmount'
             build_flags: '-include "^darwin/arm64" -cgo -macos-arch arm64 -cgo-cflags=-I/usr/local/include -cgo-ldflags=-L/usr/local/lib'
             deploy: true
 
           - job_name: windows
             os: windows-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             gotags: cmount
             cgo: '0'
             build_flags: '-include "^windows/"'
@@ -81,7 +81,7 @@ jobs:
 
           - job_name: other_os
             os: ubuntu-latest
-            go: '~1.26.3'
+            go: '~1.26.4'
             build_flags: '-exclude "^(windows/|darwin/|linux/)"'
             compile_all: true
             deploy: true
@@ -278,7 +278,7 @@ jobs:
         id: setup-go
         uses: actions/setup-go@v6
         with:
-          go-version: '~1.26.3'
+          go-version: '~1.26.4'
           check-latest: true
           cache: false
           
@@ -393,7 +393,7 @@ jobs:
         id: setup-go
         uses: actions/setup-go@v6
         with:
-          go-version: '~1.26.3'
+          go-version: '~1.26.4'
           # Caching is handled explicitly below to share the module cache
           # with the other jobs - see the build job for the rationale.
           cache: false