fix: bump Go to 1.26.4 to patch CVE-2026-42504 #59

Merged
tristanw-relativity merged 1 commit into main from fix/go-1.26.4-cve-2026-42504 on Jun 5, 2026

Conversation

@tristanw-relativity

Summary

CVE-2026-42504 (high, published 2026-06-02) affects Go stdlib v1.26.3. Fix versions: Go 1.25.11 or 1.26.4.

This is blocking the Aqua scan in gpt-candidate-experiments (and prefect-infra), which COPY the scuttle binary from the ACR image.

Changes:

  • go.mod: go 1.26.3 → go 1.26.4
  • Dockerfile: golang:1.26.3-bookworm → golang:1.26.4-bookworm
  • .github/workflows/release.yaml: go-version: 1.26.3 → 1.26.4
  • .github/workflows/relativity-ci.yml: go-version: 1.26.3 → 1.26.4

After merge

Tag v1.3.33-rel on main to trigger relativity-ci.yml, which builds and pushes the new image to ACR. Then bump consumers:

  • relativityone/gpt-candidate-experiments Dockerfile line 54
  • relativityone/prefect-infra Dockerfile line 48

Fixes: REL-1312617, REL-1312618, REL-1312619

CVE-2026-42504 (high, published 2026-06-02) affects Go stdlib v1.26.3.
Fix versions: Go 1.25.11 or 1.26.4.

Updates go.mod, Dockerfile base image, and both CI workflows.
tristanw-relativity merged commit 17509c2 into main on Jun 5, 2026
6 checks passed
tristanw-relativity deleted the fix/go-1.26.4-cve-2026-42504 branch on June 5, 2026 14:08
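
An added example, not part of this PR or the project's own code: a Go check that the three pin styles touched here (go.mod directive, Dockerfile base image, workflow go-version) all agree and meet the fix versions named in the summary. The names auditPins and isPatched and the file contents in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// The three pin styles the PR touches: go.mod directive, Dockerfile base image, workflow go-version.
var pinPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?m)^go\s+(\d+\.\d+\.\d+)\s*$`),
	regexp.MustCompile(`(?m)^FROM\s+golang:(\d+\.\d+\.\d+)`),
	regexp.MustCompile(`(?m)^\s*go-version:\s*['"]?(\d+\.\d+\.\d+)`),
}
var fixedPatch = map[int]int{25: 11, 26: 4} // 1.25.11 and 1.26.4, from the PR summary

// isPatched reports whether v meets the fix for its release line; lines the page does not name count as unpatched.
func isPatched(v string) bool {
	var major, minor, patch int
	_, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	need, known := fixedPatch[minor]
	return err == nil && major == 1 && known && patch >= need
}

// auditPins takes file name -> contents and returns sorted findings (empty means clean).
func auditPins(files map[string]string) []string {
	findings, seen := []string{}, map[string]bool{}
	for name, body := range files {
		for _, re := range pinPatterns {
			for _, m := range re.FindAllStringSubmatch(body, -1) {
				if seen[m[1]] = true; !isPatched(m[1]) {
					findings = append(findings, fmt.Sprintf("%s pins Go %s, below the fixed release", name, m[1]))
				}
			}
		}
	}
	if len(seen) != 1 {
		findings = append(findings, fmt.Sprintf("expected one Go version across all pins, found %d", len(seen)))
	}
	sort.Strings(findings)
	return findings
}

func main() { // constructed contents: a partial bump that missed one workflow
	fmt.Println(auditPins(map[string]string{
		"go.mod":                         "module example.test/scuttle\n\ngo 1.26.4\n",
		"Dockerfile":                     "FROM golang:1.26.4-bookworm AS build\n",
		".github/workflows/release.yaml": "          go-version: 1.26.3\n",
	}))
}
```

Run in CI before tagging, this reports a workflow or base image left on the old toolchain instead of leaving it for the downstream image scan to find.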