build: fix multiple CVEs by upgrading to go1.26.5

- CVE-2026-39822: os: Root escape via symlink plus trailing slash
- CVE-2026-42505: crypto/tls: Encrypted Client Hello privacy leak

(cherry picked from commit e753736df6)
This commit is contained in:
Nick Craig-Wood
2026-07-08 15:00:33 +01:00
parent 0f4a8fad64
commit 9ebca99cd2

View File

@@ -37,7 +37,7 @@ jobs:
include:
- job_name: linux
os: ubuntu-latest
go: '~1.26.4'
go: '~1.26.5'
gotags: cmount
build_flags: '-include "^linux/"'
check: true
@@ -48,14 +48,14 @@ jobs:
- job_name: linux_386
os: ubuntu-latest
go: '~1.26.4'
go: '~1.26.5'
goarch: 386
gotags: cmount
quicktest: true
- job_name: mac_amd64
os: macos-latest
go: '~1.26.4'
go: '~1.26.5'
gotags: 'cmount'
build_flags: '-include "^darwin/amd64" -cgo'
quicktest: true
@@ -64,14 +64,14 @@ jobs:
- job_name: mac_arm64
os: macos-latest
go: '~1.26.4'
go: '~1.26.5'
gotags: 'cmount'
build_flags: '-include "^darwin/arm64" -cgo -macos-arch arm64 -cgo-cflags=-I/usr/local/include -cgo-ldflags=-L/usr/local/lib'
deploy: true
- job_name: windows
os: windows-latest
go: '~1.26.4'
go: '~1.26.5'
gotags: cmount
cgo: '0'
build_flags: '-include "^windows/"'
@@ -81,14 +81,14 @@ jobs:
- job_name: other_os
os: ubuntu-latest
go: '~1.26.4'
go: '~1.26.5'
build_flags: '-exclude "^(windows/|darwin/|linux/)"'
compile_all: true
deploy: true
- job_name: go1.25
os: ubuntu-latest
go: '~1.25.7'
go: '~1.25.12'
quicktest: true
racequicktest: true
@@ -278,7 +278,7 @@ jobs:
id: setup-go
uses: actions/setup-go@v6
with:
go-version: '~1.26.4'
go-version: '~1.26.5'
check-latest: true
cache: false
@@ -393,7 +393,7 @@ jobs:
id: setup-go
uses: actions/setup-go@v6
with:
go-version: '~1.26.4'
go-version: '~1.26.5'
# Caching is handled explicitly below to share the module cache
# with the other jobs - see the build job for the rationale.
cache: false