Bump Go to v1.26 and update vulnerable package #490

Merged: harshavardhana merged 4 commits into minio:master from klauspost:bump-go-x-net on May 30, 2026

@klauspost (Collaborator)

Fixes Go problems and:

```
Vulnerability #1: GO-2026-4918
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in
    net/http/internal/http2 in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2026-4918
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.52.0
    Fixed in: golang.org/x/net@v0.53.0
    Example traces found:
      #1: pkg/iceberg/catalog.go:365:24: iceberg.DeleteWarehouse calls http.Client.Do, which eventually calls http2.Transport.NewClientConn
      #2: pkg/iceberg/catalog.go:365:24: iceberg.DeleteWarehouse calls http.Client.Do, which eventually calls http2.Transport.RoundTrip
      #3: pkg/iceberg/catalog.go:365:24: iceberg.DeleteWarehouse calls http.Client.Do, which eventually calls http2.noDialH2RoundTripper.NewClientConn
      #4: pkg/iceberg/catalog.go:365:24: iceberg.DeleteWarehouse calls http.Client.Do, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #5: pkg/iceberg/catalog.go:365:24: iceberg.DeleteWarehouse calls http.Client.Do, which eventually calls http2.unencryptedTransport.RoundTrip
```

@klauspost klauspost requested a review from harshavardhana May 8, 2026 12:04
@harshavardhana harshavardhana merged commit c985a44 into minio:master May 30, 2026
7 checks passed
@klauspost klauspost deleted the bump-go-x-net branch June 1, 2026 08:45