chore(core): cve mitigation

- **CRITICAL** `CVE-2026-33186` — google.golang.org/grpc/grpc-go: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation.
- **HIGH** `CVE-2026-39883` — opentelemetry-go: BSD `kenv` command not using absolute path enables PATH hijacking.
- **HIGH** `CVE-2026-34986` — Go JOSE: Denial of Service via crafted JSON Web Encryption.
- **HIGH** `CVE-2026-34040` — Moby: Authorization bypass vulnerability.
- **HIGH** `CVE-2026-25679` — net/url: Incorrect parsing of IPv6 host literals in `net/url`.
- **HIGH** `CVE-2026-32280` — During chain building, the amount of work that is done is not properly limited.
- **HIGH** `CVE-2026-32282` — golang `internal/syscall/unix`: `Root.Chmod` can follow symlinks out of the root.
- **MEDIUM** `CVE-2026-33726` — Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic.
- **MEDIUM** `CVE-2026-33997` — Moby: Privilege validation bypass during plugin installation.
- **MEDIUM** `CVE-2026-27142` — `html/template`: URLs in meta content attribute actions are not escaped.
- **MEDIUM** `CVE-2026-32281` — Go `crypto/x509`: Denial of Service via inefficient certificate chain validation.
- **MEDIUM** `CVE-2026-32288` — Go `archive/tar` package: Denial of Service via maliciously-crafted archive.
- **MEDIUM** `CVE-2026-32289` — `html/template`: Cross-Site Scripting (XSS) via improper context and brace depth handling.
- **LOW** `CVE-2026-27139` — `os`: `FileInfo` can escape from a Root in golang `os` module.
- **UNKNOWN** `CVE-2026-32283` — If one side of the TLS connection sends multiple key update messages, connection handling may be unsafe.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

Author: LopatinDmitr

.dmtlint.yaml

@@ -53,3 +53,4 @@ linters-settings:
           - tools/addlicense/testdata
           - test/performance/ssh
           - test/e2e/legacy/testdata/sshkeys
+          - images/dvcr-artifact/staging

.github/workflows/dev_module_build-and-registration.yml

@@ -25,7 +25,7 @@ env:
   MODULES_MODULE_TAG: ${{ github.event.inputs.tag }}
   SOURCE_REPO: "${{secrets.SOURCE_REPO}}"
   SOURCE_REPO_GIT: "${{secrets.SOURCE_REPO_GIT}}"
-  GO_VERSION: "1.24.13"
+  GO_VERSION: "1.25.9"
   MODULE_EDITION: "EE"
 
 on:

.github/workflows/dev_module_build.yml

@@ -21,8 +21,8 @@ env:
   MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
   MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
   MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
-  GO_VERSION: "1.24.13"
-  GOLANGCI_LINT_VERSION: "1.64.8"
+  GO_VERSION: "1.25.9"
+  GOLANGCI_LINT_VERSION: "2.11.1"
   SOURCE_REPO: "${{secrets.SOURCE_REPO}}"
   SOURCE_REPO_GIT: "${{secrets.SOURCE_REPO_GIT}}"
   TRIVY_DISABLE_VEX_NOTICE: "true"

.github/workflows/dev_validation.yaml

@@ -15,7 +15,7 @@
 name: Validations
 
 env:
-  GO_VERSION: "1.24.13"
+  GO_VERSION: "1.25.9"
 on:
   pull_request:
     types: [opened, synchronize, labeled, unlabeled]
@@ -137,9 +137,9 @@ jobs:
       matrix:
         # Define two groups of components with their respective Go versions
         components:
-          - { component: virtualization-artifact, go-version: "1.24.13" }
-          - { component: vm-route-forge, go-version: "1.24.13" }
-          - { component: api, go-version: "1.24.13" }
+          - { component: virtualization-artifact, go-version: "1.25.9" }
+          - { component: vm-route-forge, go-version: "1.25.9" }
+          - { component: api, go-version: "1.25.9" }
 
     steps:
       - name: Set skip flag

.github/workflows/e2e-matrix.yml

@@ -339,7 +339,7 @@ jobs:
       virtualization_tag: main
       deckhouse_channel: alpha
       default_user: cloud
-      go_version: "1.24.13"
+      go_version: "1.25.9"
       e2e_timeout: "3.5h"
       date_start: ${{ needs.set-vars.outputs.date_start }}
       randuuid4c: ${{ needs.set-vars.outputs.randuuid4c }}
@@ -362,7 +362,7 @@ jobs:
       virtualization_tag: main
       deckhouse_channel: alpha
       default_user: cloud
-      go_version: "1.24.13"
+      go_version: "1.25.9"
       e2e_timeout: "3.5h"
       date_start: ${{ needs.set-vars.outputs.date_start }}
       randuuid4c: ${{ needs.set-vars.outputs.randuuid4c }}

.github/workflows/nightly_e2e_tests_ceph.yaml

@@ -18,7 +18,7 @@ env:
   CSI: rbd.csi.ceph.com
   STORAGE_CLASS_NAME: ceph-pool-r2-csi-rbd-immediate
   CI_COMMIT_REF_NAME: ${{ github.ref_name }}
-  GO_VERSION: "1.24.13"
+  GO_VERSION: "1.25.9"
   TIMEOUT: "3h"
 
 on:

.github/workflows/nightly_e2e_tests_replicated.yaml

@@ -18,7 +18,7 @@ env:
   CSI: replicated.csi.storage.deckhouse.io
   STORAGE_CLASS_NAME: linstor-thin-r1
   CI_COMMIT_REF_NAME: ${{ github.ref_name }}
-  GO_VERSION: "1.24.13"
+  GO_VERSION: "1.25.9"
   TIMEOUT: "3h"
 
 on:

.github/workflows/release_module_release-channels.yml

@@ -358,7 +358,7 @@ jobs:
     name: Check version on release channel
     runs-on: ubuntu-latest
     env:
-      GO_VERSION: "1.24.13"
+      GO_VERSION: "1.25.9"
       input_channel: ${{ github.event.inputs.channel }}
       input_version: ${{ github.event.inputs.tag }}
     needs:

api/client/examples/cancel-evacuation/go.mod

@@ -2,7 +2,7 @@ module github.com/deckhouse/virtualization/api/client/examples/cancel-evacuation
 
 replace github.com/deckhouse/virtualization/api => ./../../../../api
 
-go 1.24.13
+go 1.25.9
 
 require (
 	github.com/deckhouse/virtualization/api v0.0.0-00010101000000-000000000000

api/client/examples/list-resources/go.mod

@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/api/client/examples/list-resources
 
-go 1.24.13
+go 1.25.9
 
 require (
 	github.com/deckhouse/virtualization/api v0.0.0-20240322104947-2d492906a8b2