From 6769f627467ffaed311eedb4422e441762baccd4 Mon Sep 17 00:00:00 2001 From: Austin Vazquez Date: Fri, 8 Aug 2025 08:34:44 -0500 Subject: [PATCH] update to go1.24.6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - https://github.com/golang/go/issues?q=milestone%3AGo1.24.6+label%3ACherryPickApproved - full diff: golang/go@go1.24.5...go1.24.6 These minor releases include 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Thanks to Olivier Mengué for reporting this issue. This is CVE-2025-47906 and Go issue https://go.dev/issue/74466. - database/sql: incorrect results returned from Rows.Scan Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. We believe this affects most database/sql drivers. Thanks to Spike Curtis from Coder for reporting this issue. This is CVE-2025-47907 and https://go.dev/issue/74831. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.6 Signed-off-by: Austin Vazquez --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4ba63f3f03..8c6e1d7b9d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs: name: Update Go uses: actions/setup-go@v5 with:
- go-version: "1.24.5"
+ go-version: "1.24.6"
 - name: Initialize CodeQL uses: github/codeql-action/init@v3
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7b84754248..854fe9e88c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -66,7 +66,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with:
- go-version: "1.24.5"
+ go-version: "1.24.6"
 - name: Test run: |
diff --git a/.golangci.yml b/.golangci.yml
index b6a21014e4..bf093a63c7 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -5,7 +5,7 @@ run: # which causes it to fallback to go1.17 semantics. # # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
- go: "1.24.5"
+ go: "1.24.6"
 timeout: 5m
diff --git a/Dockerfile b/Dockerfile
index f92be70c10..f2e249eb69 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.22 ARG BASE_DEBIAN_DISTRO=bookworm
-ARG GO_VERSION=1.24.5
+ARG GO_VERSION=1.24.6
 ARG XX_VERSION=1.6.1 ARG GOVERSIONINFO_VERSION=v1.4.1
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 670e31c1f5..e486e2e037 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
- default = "1.24.5"
+ default = "1.24.6"
 } variable "VERSION" { default = ""
diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev
index 0fdbfb19a8..24662ee592 100644
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.5
+ARG GO_VERSION=1.24.6
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index b2de76bdd6..c58dac3aab 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.5
+ARG GO_VERSION=1.24.6
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor
index 42374094ef..7878c8ecb6 100644
--- a/dockerfiles/Dockerfile.vendor
+++ b/dockerfiles/Dockerfile.vendor
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.5
+ARG GO_VERSION=1.24.6
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts
index 390ed58e0b..fbb0c4b309 100644
--- a/e2e/testdata/Dockerfile.gencerts
+++ b/e2e/testdata/Dockerfile.gencerts
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.5
+ARG GO_VERSION=1.24.6
 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local