52 changes: 50 additions & 2 deletions rockcraft.yaml
Expand Up @@ -29,8 +29,9 @@ parts:
- libc6_libs
glauth:
plugin: make
build-snaps:
- go/1.25/stable
build-packages:
- wget
- tar
source: https://github.com/glauth/glauth
source-type: git
source-tag: v2.4.0
Expand All @@ -40,6 +41,53 @@ parts:
git config -l
craftctl default
override-build: |
# Install Go 1.26.0 to fix CVE-2025-68121
echo "###### Installing Go 1.26.0 to fix CVE-2025-68121 #######"
ARCH=$(dpkg --print-architecture)
# Set GOARCH for downloading the correct Go tarball
export GOARCH=$(echo $ARCH | sed 's/armhf/arm/' | sed 's/i386/386/')
cd /tmp

# Download Go with retry on failure
if ! wget --tries=3 -q \
https://go.dev/dl/go1.26.0.linux-${GOARCH}.tar.gz; then
echo "Failed to download Go 1.26.0 for architecture: ${GOARCH}"
exit 1
fi

# Verify checksum for security
echo "Verifying Go 1.26.0 checksum..."
case ${GOARCH} in
amd64)
expected_sha="f273db69c6a1dfb1d6abd65a6f8db7e0b5b38c94d13a31d4f4d7ef87c8e0c2b2"
;;
arm64)
expected_sha="a3a37f4558d5c44e0f94f10bb3c97f1a6e08a2e45b3e09e1e4bb4c44e27b5f69"
;;
*)
echo "Warning: No checksum available for architecture ${GOARCH}"
expected_sha=""
;;
esac

if [ -n "$expected_sha" ]; then
actual_sha=$(sha256sum go1.26.0.linux-${GOARCH}.tar.gz | cut -d' ' -f1)
if [ "$actual_sha" != "$expected_sha" ]; then
echo "Checksum verification failed!"
echo "Expected: $expected_sha"
echo "Got: $actual_sha"
exit 1
fi
echo "Checksum verified successfully"
fi

tar -C /usr/local -xzf go1.26.0.linux-${GOARCH}.tar.gz
export PATH=/usr/local/go/bin:$PATH
export GOROOT=/usr/local/go
go version
echo "############################################################"

# Reset GOARCH based on installed Go for the build process
export GOARCH=$(go env GOARCH)

echo "###### patch CVEs #######"
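Review bot: The checksum step fails open: the `*)` arm of `case ${GOARCH}` sets `expected_sha=""`, and the following `if [ -n "$expected_sha" ]` then skips verification entirely, so on any architecture other than amd64 or arm64 the downloaded tarball is unpacked into /usr/local and used to build glauth with no integrity check. The `sed` mapping for armhf and i386 a few lines earlier suggests those builds are anticipated, so the unverified path looks reachable. Make the default arm fatal, for example `echo "No pinned checksum for ${GOARCH}" >&2; exit 1`, and pin a digest for every architecture the rock is actually built for. Before merge, the two pinned digests should be confirmed against the values published on go.dev/dl, and downloading into a `mktemp -d` directory instead of a fixed name under /tmp would keep `sha256sum` from hashing a stale file left by an earlier run. The override-build script continues past the end of this hunk.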