TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341

* TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341

Closes TUN-10216

Author: lmpn

.ci/image/Dockerfile

@@ -2,38 +2,38 @@ ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/trixie/main:2026.1.0@sha256:e32092fd01520f5ae7de1fa6bb5a721720900ebeaa48e98f36f6f86168833cd7
 RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install --no-install-recommends --allow-downgrades -y \
-        build-essential \
-        git \
-        go-boring=1.24.11-1 \
-        libffi-dev \
-        procps \
-        python3-dev \
-        python3-pip \
-        python3-setuptools \
-        python3-venv \
-        # tool to create msi packages
-        wixl \
-        # install ruby and rpm which are required to install fpm package builder
-        rpm \
-        ruby \
-        ruby-dev \
-        rubygems \
-        # create deb and rpm repository files
-        reprepro \
-        createrepo-c \
-        # gcc for cross architecture compilation in arm
-        gcc-aarch64-linux-gnu \
-        libc6-dev-arm64-cross && \
-    rm -rf /var/lib/apt/lists/* && \
-    # Install fpm gem
-    gem install fpm --no-document && \
-    # Initialize rpm repository, SQL Lite DB
-    mkdir -p /var/lib/rpm && \
-    rpm --initdb && \
-    chmod -R 777 /var/lib/rpm && \
-    # Create work directory
-    mkdir -p opt
+  apt-get upgrade -y && \
+  apt-get install --no-install-recommends --allow-downgrades -y \
+  build-essential \
+  git \
+  go-boring=1.24.13-1 \
+  libffi-dev \
+  procps \
+  python3-dev \
+  python3-pip \
+  python3-setuptools \
+  python3-venv \
+  # tool to create msi packages
+  wixl \
+  # install ruby and rpm which are required to install fpm package builder
+  rpm \
+  ruby \
+  ruby-dev \
+  rubygems \
+  # create deb and rpm repository files
+  reprepro \
+  createrepo-c \
+  # gcc for cross architecture compilation in arm
+  gcc-aarch64-linux-gnu \
+  libc6-dev-arm64-cross && \
+  rm -rf /var/lib/apt/lists/* && \
+  # Install fpm gem
+  gem install fpm --no-document && \
+  # Initialize rpm repository, SQL Lite DB
+  mkdir -p /var/lib/rpm && \
+  rpm --initdb && \
+  chmod -R 777 /var/lib/rpm && \
+  # Create work directory
+  mkdir -p opt
 
 WORKDIR /opt

.ci/linux.gitlab-ci.yml

@@ -1,11 +1,11 @@
 .golang-inputs: &golang_inputs
   runOnMR: true
-  runOnBranches: '^master$'
+  runOnBranches: "^master$"
   outputDir: artifacts
   runner: linux-x86-8cpu-16gb
   stage: build
   golangVersion: "boring-1.24"
-  imageVersion: "3393-947ec7a@sha256:f81acc2c8ecaa84acb290c43c080702ae3aba6464201a20f9d6eff619be7c878"
+  imageVersion: "3462-0b23466e0715@sha256:42e8533370666a2463041572293a79e1449001ef803a993e6a860be00858c806"
   CGO_ENABLED: 1
 
 .default-packaging-job: &packaging-job-defaults
@@ -65,7 +65,7 @@ include:
   - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
     inputs:
       <<: *golang_inputs
-      runOnBranches: '^$'
+      runOnBranches: "^$"
       stage: validate
       jobPrefix: vulncheck
       GOLANG_MAKE_TARGET: vulncheck

.ci/mac.gitlab-ci.yml

@@ -28,7 +28,7 @@ macos-build-cloudflared: &mac-build
     - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
     - ARCH=$(uname -m)
     - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
-    - ./.ci/scripts/mac/install-go.sh
+    - ./.ci/scripts/mac/install-go.sh "$MAC_GO_VERSION"
     - BUILD_SCRIPT=.ci/scripts/mac/build.sh
     - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
     - set -euo pipefail

.ci/scripts/mac/install-go.sh

@@ -2,9 +2,13 @@ rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 
-brew install go@1.24
+if [ -z "$1" ]
+  then
+    echo "No go version supplied"
+fi
+
+brew install "$1"
 
 go version
 which go
 go env
-

.ci/scripts/vuln-check.sh

@@ -4,13 +4,14 @@ set -e -u
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 
+go version
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
-    touch "$IGNORE_FILE"
-    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
-    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
-    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
-    echo "" >> "$IGNORE_FILE"
+  touch "$IGNORE_FILE"
+  echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+  echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >>"$IGNORE_FILE"
+  echo "# You can also add comments on the same line after the ID." >>"$IGNORE_FILE"
+  echo "" >>"$IGNORE_FILE"
 fi
 
 # Run govulncheck and capture its output.
@@ -35,18 +36,18 @@ UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
-    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+  UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
-    echo "🚨 Found new, unignored vulnerabilities:"
-    echo "-------------------------------------"
-    echo "$UNIGNORED_VULNS"
-    echo "-------------------------------------"
-    echo "Exiting with an error. ❌"
-    exit 1
+  echo "🚨 Found new, unignored vulnerabilities:"
+  echo "-------------------------------------"
+  echo "$UNIGNORED_VULNS"
+  echo "-------------------------------------"
+  echo "Exiting with an error. ❌"
+  exit 1
 else
-    echo "🎉 No new vulnerabilities found. All clear! ✨"
-    exit 0
+  echo "🎉 No new vulnerabilities found. All clear! ✨"
+  exit 0
 fi

.ci/windows.gitlab-ci.yml

@@ -18,7 +18,7 @@ windows-build-cloudflared:
   <<: *windows-build-defaults
   stage: build
   script:
-    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
   artifacts:
     paths:
       - artifacts/*
@@ -73,7 +73,7 @@ windows-component-tests-cloudflared:
   script:
     # We have to decode the secret we encoded on the `windows-load-env-variables` job
     - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
-    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
+    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
   artifacts:
     reports:
       junit: report.xml

.gitlab-ci.yml

@@ -1,5 +1,7 @@
 variables:
-  GO_VERSION: "go1.24.11"
+  GO_VERSION: "1.24.13"
+  MAC_GO_VERSION: "go@$GO_VERSION"
+  WIN_GO_VERSION: "go$GO_VERSION"
   GIT_DEPTH: "0"
 
 default:

Dockerfile

@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   TARGET_GOOS=${TARGET_GOOS} \

Dockerfile.amd64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual

Dockerfile.arm64

@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual