Skip to content

[BugFix][CVE] update pprof prebuilt to release/20260610 built with Go 1.25.11 (backport #74669)#74718

Open
mergify[bot] wants to merge 1 commit into
branch-4.1.2from
mergify/bp/branch-4.1.2/pr-74669
Open

[BugFix][CVE] update pprof prebuilt to release/20260610 built with Go 1.25.11 (backport #74669)#74718
mergify[bot] wants to merge 1 commit into
branch-4.1.2from
mergify/bp/branch-4.1.2/pr-74669

Conversation

@mergify

@mergify mergify Bot commented Jun 12, 2026
edited by wanpengfei-git
Loading

Copy link
Copy Markdown
Contributor

The pprof prebuilt binaries from release/20260520 were built with Go 1.24.10, whose standard library is affected by CVEs fixed in later Go releases, notably CVE-2025-61727 and CVE-2025-61729 (crypto/x509, fixed in Go 1.24.11 / 1.25.5) and subsequent stdlib security fixes.

The release/20260610 binaries are rebuilt with Go 1.25.11, which includes all of those fixes.

Changes:

  • thirdparty/vars-x86_64.sh: bump PPROF_DOWNLOAD to release/20260610 pprof-linux-amd64 and update PPROF_MD5SUM
  • thirdparty/vars-aarch64.sh: bump PPROF_DOWNLOAD to release/20260610 pprof-linux-arm64 and update PPROF_MD5SUM

Both assets were downloaded and their SHA256 digests verified against the GitHub release asset digests; MD5 sums computed from the verified binaries.

Why I'm doing:

What I'm doing:

Fixes #issue

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5
This is an automatic backport of pull request #74669 done by [Mergify](https://mergify.com).

@kevincai @mergify
[BugFix][CVE] update pprof prebuilt to release/20260610 built with Go…
b41567f 
… 1.25.11 (#74669)

Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
(cherry picked from commit cc676f7)
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) June 12, 2026 03:04
@mergify mergify Bot mentioned this pull request Jun 12, 2026
Merged
23 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kevincai kevincai kevincai approved these changes

Assignees

@kevincai kevincai

Labels

automerge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kevincai