[backport v1.6] fix: bumping Go version to 1.24.13 #4342
behzad-mir wants to merge 1 commit into release/v1.6 from
Conversation
Bumps Go version from 1.23.x to 1.24 in:
- cni/Dockerfile
- cns/Dockerfile
- azure-ipam/Dockerfile

New SHA: sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 (mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0)

This addresses 5 stdlib CVEs including:
- CVE-2025-68121 (CRITICAL) - crypto/tls
- CVE-2025-68132 (HIGH) - net/http
- CVE-2025-68133 (MEDIUM) - os
- CVE-2025-68134 (MEDIUM) - strings
- CVE-2025-68135 (LOW) - encoding/json

Backport of #4289 to release/v1.6 (manual SHA update since this branch uses cbl-mariner2.0 base images instead of azurelinux3.0).
Pull request overview
Backport to release/v1.6 that updates the pinned Go builder image used to build ACN components, intended to remediate Go stdlib CVEs by moving from Go 1.23.x to Go 1.24.x.
Changes:
- Update the pinned mcr.microsoft.com/oss/go/microsoft/golang digest used in cns and cni builds.
- Update the pinned mcr.microsoft.com/oss/go/microsoft/golang digest used in the azure-ipam build.
- Update adjacent version-reference comments to match the new base image tag.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| cns/Dockerfile | Updates the pinned Go builder image digest used for building azure-cns. |
| cni/Dockerfile | Updates the pinned Go builder image digest used for building CNI artifacts and dropgz. |
| azure-ipam/Dockerfile | Updates the pinned Go builder image digest used for building azure-ipam and dropgz. |
| # mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 AS go |
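Review bot: the comment above the FROM line records only the floating tag golang:1.24-cbl-mariner2.0, not how the digest below it was obtained; azure-ipam/Dockerfile in this same PR carries the full `skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 --format "{{.Name}}@{{.Digest}}"` invocation in its comment, which lets the next maintainer re-derive and verify the pin. Suggest using that form here as well so the cns and cni files are maintained the same way.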
This Dockerfile is marked AUTOGENERATED from cns/Dockerfile.tmpl (which renders {{.GO_PIN}} from the GO_IMG/GO_PIN values in build/images.mk). In this branch, build/images.mk still defaults GO_IMG to .../golang:1.23-cbl-mariner2.0, so re-running the standard dockerfile generation will likely revert this change back to Go 1.23 and reintroduce the CVE exposure. Please update the source of truth (e.g., build/images.mk GO_IMG or the rendering inputs used by CI) and regenerate, rather than only editing the rendered Dockerfile.
| # mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 AS go |
The comment indicates mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0, but the PR title/description say the Go bump is to 1.24.13. Please align the referenced version/tag in the Dockerfile comments (and, ideally, the upstream GO_IMG input used for rendering) so it’s clear which Go patch level the pinned digest corresponds to.
| # mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 AS go |
This Dockerfile is marked AUTOGENERATED from cni/Dockerfile.tmpl (which renders {{.GO_PIN}} from the GO_IMG/GO_PIN values in build/images.mk). In this branch, build/images.mk still defaults GO_IMG to .../golang:1.23-cbl-mariner2.0, so re-running the standard dockerfile generation will likely revert this change back to Go 1.23 and reintroduce the CVE exposure. Please update the source of truth (e.g., build/images.mk GO_IMG or the rendering inputs used by CI) and regenerate, rather than only editing the rendered Dockerfile.
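The two review comments above (on cns/Dockerfile and cni/Dockerfile) describe the same failure mode: the rendered Dockerfile is edited while the source of truth in build/images.mk still names Go 1.23, so the next regeneration silently reverts the CVE fix. The following shell script is an added example, not code from the azure-container-networking project, showing a drift check that CI could run to catch a Dockerfile-only edit. It assumes (the page does not show these files) that build/images.mk sets GO_IMG and GO_PIN as plain Make variables with GO_PIN holding `sha256:<64 hex>`, and that every Dockerfile pins the builder with a line of the form `FROM ... golang@sha256:<digest> AS go`; the sample tree it builds is constructed from the lines visible in this PR.

```shell
#!/bin/sh
# Added example, not code from the azure-container-networking project: a drift check
# between the builder-image pin in build/images.mk and the digest rendered into each
# Dockerfile, so a Dockerfile-only edit fails CI instead of being reverted silently.
# Assumptions (not from the page): images.mk sets GO_IMG and GO_PIN as plain Make
# variables (GO_PIN holding "sha256:<64 hex>"), and every Dockerfile pins the builder
# with a line of the form "FROM ... golang@sha256:<digest> AS go".

# Digest declared as the source of truth in images.mk (empty if absent).
images_mk_pin() {
  sed -n 's/^GO_PIN[[:space:]]*[?:]*=[[:space:]]*//p' "$1" | head -n 1
}

# Digest actually pinned by the builder FROM line of a Dockerfile (empty if unpinned).
dockerfile_pin() {
  sed -n 's/^FROM .*golang@\(sha256:[0-9a-f]\{64\}\).*/\1/p' "$1" | head -n 1
}

# check_go_pin_drift <images.mk> <Dockerfile>...: returns 0 when every Dockerfile pins
# the images.mk digest, 1 otherwise (one DRIFT line per offending file on stderr).
check_go_pin_drift() {
  mk="$1"; shift
  expected=$(images_mk_pin "$mk")
  [ -n "$expected" ] || { echo "no GO_PIN in $mk" >&2; return 1; }
  rc=0
  for df in "$@"; do
    actual=$(dockerfile_pin "$df")
    if [ "$actual" != "$expected" ]; then
      echo "DRIFT: $df pins ${actual:-<no digest>} but images.mk has $expected" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample tree so the check runs offline: images.mk plus the three
# Dockerfiles touched by the PR. $2 is the digest written into cni/Dockerfile, so a
# drifted tree can be produced on demand.
write_sample_tree() {
  dir="$1"; cni_digest="$2"
  good="sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2"
  mkdir -p "$dir/build" "$dir/cns" "$dir/cni" "$dir/azure-ipam"
  printf 'GO_IMG ?= mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0\nGO_PIN ?= %s\n' \
    "$good" > "$dir/build/images.mk"
  for pair in "cns:$good" "azure-ipam:$good" "cni:$cni_digest"; do
    comp=${pair%%:*}; digest=${pair#*:}
    printf '# mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0\nFROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@%s AS go\n' \
      "$digest" > "$dir/$comp/Dockerfile"
  done
}

# Stand-alone demo: a consistent tree passes; a tree whose cni/Dockerfile was edited by
# hand (constructed all-zero digest) is reported as drift.
demo() {
  tree=$(mktemp -d)
  write_sample_tree "$tree" "sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2"
  check_go_pin_drift "$tree/build/images.mk" "$tree"/*/Dockerfile && echo "consistent tree: OK"
  write_sample_tree "$tree" "sha256:0000000000000000000000000000000000000000000000000000000000000000"
  check_go_pin_drift "$tree/build/images.mk" "$tree"/*/Dockerfile || echo "drifted tree: rejected"
  rm -rf "$tree"
}
demo
```

In a real pipeline the check would be pointed at the repository's own build/images.mk and Dockerfiles instead of the constructed tree; the useful property is that it fails whenever a rendered file and the template input disagree, regardless of which side was edited.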
| # mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 AS go |
The comment indicates mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0, but the PR title/description say the Go bump is to 1.24.13. Please align the referenced version/tag in the Dockerfile comments (and, ideally, the upstream GO_IMG input used for rendering) so it’s clear which Go patch level the pinned digest corresponds to.
| # skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 --format "{{.Name}}@{{.Digest}}" | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2 AS go |
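Review bot: the pinned digest is what actually fixes the toolchain, but nothing in this hunk records that it resolves to Go 1.24.13 rather than whatever 1.24.x the floating tag pointed at when `skopeo inspect` was run; the comment above captures the tag, not the patch level. Suggest recording the resolved version beside the digest (for example, the output of `go version` from the pinned image) so the CVE remediation claim in the description can be verified from the file alone.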
The skopeo inspect comment was updated to reference .../golang:1.24-cbl-mariner2.0, but the PR title/description state the bump is to Go 1.24.13. Please align this comment/tag (and ensure the pinned digest corresponds to the intended patch release) to avoid confusion during future maintenance.
jpayne3506 left a comment
Need to update signed pipeline as well
Summary
Backport of #4289 to release/v1.6 — bumps Go from 1.23.x to 1.24 to fix critical CVEs.
Changes
Updates Go image SHA in:
- cni/Dockerfile
- cns/Dockerfile
- azure-ipam/Dockerfile

New image: mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0
SHA: sha256:b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2

CVE Impact
Notes
Related