chore(deps): update go toolchain directive to v1.26.4 [security] #366

2026-06-04T14:02:33Z

renovate commented

2026-06-04 14:02:33 +00:00

This PR contains the following updates:

Package	Type	Update	Change
go (source)	toolchain	patch	`1.26.3` → `1.26.4`

Inefficient candidate hostname parsing in crypto/x509

CVE-2026-27145 / GO-2026-5037

More information

Details

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Quadratic complexity in WordDecoder.DecodeHeader in mime

CVE-2026-42504 / GO-2026-5038

More information

Details

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Arbitrary inputs are included in errors without any escaping in net/textproto

CVE-2026-42507 / GO-2026-5039

More information

Details

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://github.com/golang/go)) | toolchain | patch | `1.26.3` → `1.26.4` | --- ### Inefficient candidate hostname parsing in crypto/x509 [CVE-2026-27145](https://nvd.nist.gov/vuln/detail/CVE-2026-27145) / [GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037) <details> <summary>More information</summary> #### Details (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. #### Severity Unknown #### References - [https://go.dev/cl/783621](https://go.dev/cl/783621) - [https://go.dev/issue/79694](https://go.dev/issue/79694) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5037) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Quadratic complexity in WordDecoder.DecodeHeader in mime [CVE-2026-42504](https://nvd.nist.gov/vuln/detail/CVE-2026-42504) / [GO-2026-5038](https://pkg.go.dev/vuln/GO-2026-5038) <details> <summary>More information</summary> #### Details Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. #### Severity Unknown #### References - [https://go.dev/issue/79217](https://go.dev/issue/79217) - [https://go.dev/cl/774481](https://go.dev/cl/774481) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5038) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Arbitrary inputs are included in errors without any escaping in net/textproto [CVE-2026-42507](https://nvd.nist.gov/vuln/detail/CVE-2026-42507) / [GO-2026-5039](https://pkg.go.dev/vuln/GO-2026-5039) <details> <summary>More information</summary> #### Details When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. #### Severity Unknown #### References - [https://go.dev/issue/79346](https://go.dev/issue/79346) - [https://go.dev/cl/777060](https://go.dev/cl/777060) - [https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw](https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5039) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-06-04 14:02:34 +00:00

chore(deps): update go toolchain directive to v1.26.4 [security]

cron-checker / vulnerabilities (pull_request) Failing after 2m46s

Details

cron-checker / test (pull_request) Successful in 3m39s

Details

cron-checker / build (pull_request) Has been skipped

Details

463ff31614

renovate scheduled this pull request to auto merge when all checks succeed 2026-06-04 14:02:35 +00:00

argoyle added 1 commit 2026-06-04 14:49:47 +00:00

fix(deps): bump golang.org/x/net to v0.55.0 for GO-2026-5026

cron-checker / vulnerabilities (pull_request) Successful in 2m3s

Details

cron-checker / test (pull_request) Successful in 2m9s

Details

cron-checker / build (pull_request) Successful in 15m56s

Details

f901bd89b7

renovate commented

2026-06-04 15:02:16 +00:00

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

### Edited/Blocked Notification Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠️ **Warning**: custom changes will be lost.

renovate merged commit 7bfda0f1dd into main

2026-06-04 15:08:33 +00:00

renovate deleted branch renovate/golang-version-go-vulnerability

2026-06-04 15:08:36 +00:00

releaser referenced this pull request

2026-06-04 15:10:27 +00:00

chore(release): prepare for 1.6.6 #367

releaser referenced this pull request

2026-06-06 08:55:45 +00:00

chore(release): prepare for 1.6.6 #369

argoyle referenced this issue from a commit

2026-06-11 06:04:14 +00:00