Update Go to 1.24.13 to fix remaining critical vulnerability (CVE-2025-68121)#21327
Merged
The local-app Go binaries are embedded in the ide-proxy Docker image. They were compiled with Go 1.24.9 (from the CI environment), which contains CVE-2025-68121 (critical Go stdlib vulnerability). Bump the toolchain directive in local-app/go.mod to go1.24.13, which forces the Go tool to auto-download 1.24.13 regardless of the CI environment's installed Go version. Also add apk upgrade to the ide-proxy Dockerfile to pick up Alpine security patches at build time (matching the proxy Dockerfile pattern). The .devcontainer/Dockerfile Go version bump is included for dev environment consistency but does not affect CI builds. Co-authored-by: Ona <no-reply@ona.com>
a785ad1 to ada8491
The CI image (dev/image/Dockerfile) inherits Go from the base image gitpod/workspace-gitpod-dev, which ships Go 1.24.9. That version contains CVE-2025-68121 (critical Go stdlib vulnerability). Install Go 1.24.13 explicitly in the CI image so all Go binaries built in CI use a patched toolchain. Bump TRIGGER_REBUILD to force an image rebuild. Co-authored-by: Ona <no-reply@ona.com>
a00035a to ef9107d
corneliusludmann approved these changes on Mar 4, 2026
20b4c34 to 1544040
…onment:fix-go-1-24-13-cve-2025-68121-gha.181
Fixes the remaining critical vulnerability from the build after #21326, where `ide-proxy:docker` still reported 1 critical finding.

Root cause

The local-app Go binaries embedded in the ide-proxy image are compiled with Go 1.24.9 (from the CI build environment), which contains CVE-2025-68121 (critical Go stdlib vulnerability, fixed in 1.24.13).

The `.devcontainer/Dockerfile` Go version does not affect CI — the CI uses a separate pre-built image (`dev/image/Dockerfile` → `gitpod/workspace-gitpod-dev`). However, Go's `toolchain` directive in `go.mod` forces auto-download of the specified version regardless of what's installed.

Changes

- `components/local-app/go.mod`: Bump `toolchain` from go1.24.3 to go1.24.13 — this forces the Go tool to download and use 1.24.13 in CI even though the environment has 1.24.9
- `components/ide-proxy/Dockerfile`: Add `apk upgrade --no-cache` to match the proxy Dockerfile pattern
- `.devcontainer/Dockerfile`: Bump `GO_VERSION` to 1.24.13 for dev environment consistency

Follow-up to #21326. Resolves: CLC-2225
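A bump in `go.mod` only helps if the binaries that end up in the image were really rebuilt with the patched toolchain. The check below is an added example, not code from this PR or from the Gitpod repository: it uses the standard library's `debug/buildinfo` to read the Go version the linker recorded in each binary (the same value `go version -m` prints) and fails closed when it is older than go1.24.13. The `versionKey`/`CheckBinary` names and the binary paths passed on the command line are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// versionKey maps "go1.24.9" to major*1e6 + minor*1e3 + patch; pre-release suffixes ("rc1") are dropped.
func versionKey(v string) (int, error) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		v = v[:i] // cut at the first non-version character, e.g. "1.25rc1" -> "1.25"
	}
	fields := strings.SplitN(v+".0.0", ".", 4)[:3] // pad "1.24" to three components
	key := 0
	for _, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n > 999 { // "devel" builds and garbage are rejected, not treated as 0
			return 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// CheckBinary reads the Go version the linker recorded in a compiled binary
// (debug/buildinfo) and reports whether it is at least minVersion; any error means "not ok".
func CheckBinary(path, minVersion string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	have, err := versionKey(info.GoVersion)
	want, werr := versionKey(minVersion)
	return info.GoVersion, err == nil && werr == nil && have >= want, errors.Join(err, werr)
}

func main() { // go run main.go <binary>...; exits 1 at the first binary older than go1.24.13
	for _, p := range os.Args[1:] {
		v, ok, err := CheckBinary(p, "go1.24.13") // patched release named in the PR
		fmt.Printf("%s: built with %q, patched=%v, err=%v\n", p, v, ok, err)
		if !ok {
			os.Exit(1)
		}
	}
}
```

Run it against the local-app binaries copied out of the built ide-proxy image (for example with `docker cp`) as a post-build gate, so a CI environment that silently keeps an older toolchain fails the pipeline instead of shipping.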