[Security] Fix CVE-2025-68121: Upgrade Go to 1.24.8

[guyscher]

Pull Request

Related Github Issues

• CVE-2025-68121 (NVD, GO-2025-4008)

Description

Remediates CVE-2025-68121 (CWE-295: Improper Certificate Validation), a vulnerability
in Go's crypto/tls standard library that affects all Go versions prior to 1.24.8.
This CVE was detected by Upwind Security.

Vulnerability Details

• CVE: CVE-2025-68121
• Advisory: GO-2025-4008
• Affected package: stdlib crypto/tls
• Affected versions: All Go versions < 1.24.8 (and 1.25.0–1.25.1)
• Fixed in: Go 1.24.8, Go 1.25.2

During TLS session resumption, if the underlying tls.Config has its ClientCAs or
RootCAs fields mutated between the initial handshake and a resumed handshake, the
resumed handshake may succeed when it should have failed — bypassing intended certificate
authority restrictions. Additionally, ALPN negotiation errors can leak unescaped
attacker-controlled data.

While this repository contains no direct crypto/tls code, its transitive dependencies
(Terragrunt, go-getter, cloud SDKs) rely on Go's stdlib crypto/tls for all HTTPS
connections.

Changes

File	Change
go.mod	go 1.23.5 → go 1.24.8
Dockerfile	GO_VERSION=1.23 → GO_VERSION=1.24
.github/workflows/run_tests.yml	Go matrix version 1.23 → 1.24
.github/workflows/release.yml	Go version + cache keys 1.23 → 1.24

Security Implications

• Fixes a TLS authentication bypass that could allow resumed sessions to bypass certificate authority restrictions
• Fixes information leakage via unescaped ALPN error messages

System Availability

• No expected impact on availability. Go 1.24 is backwards compatible with 1.23.
• go build verified locally with no errors.

[guyscher]

@Almenon can you please take a look?

[guyscher]

@dmattia