update to go1.26.4

[thaJeztah]

This release include 3 security fixes following the security policy:

• mime: quadratic complexity in WordDecoder.DecodeHeader

  Decoding a maliciously-crafted MIME header containing many invalid
  encoded-words could consume excessive CPU.
  The MIME decoder now better handles this case.

  Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

  This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

• net/textproto: arbitrary input are included in errors without any escaping

  When returning errors, functions in the net/textproto package would
  include its input as part of the error, without any escaping. Note that
  said input is often controlled by external parties when using this
  package naturally. For example, a net/http client uses ReadMIMEHeader
  when parsing the headers it receive from a server.

  As a result, an attacker could inject arbitrary content into the error.
  Practically, this can result in an attacker injecting misleading
  content, terminal control bytes, etc. into a victim's output or logs.

  This is CVE-2026-42507 and Go issue https://go.dev/issue/79346

• crypto/x509: split candidate hostname only once

  (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
  over all DNS Subject Alternative Name (SAN) entries. This caused
  strings.Split(host, ".") to execute repeatedly on the same input hostname.

  With a large DNS SAN list, verification costs scaled quadratically based on the
  number of SAN entries multiplied by the hostname's label count. Because
  x509.Verify validates hostnames before building the certificate chain, this
  overhead occurred even for untrusted certificates.

  Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

  This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.4

What I did

Related issue

(not mandatory) A picture of a cute animal, if possible in relation to what you did

[Copilot]

Pull request overview

Updates the repository’s Go toolchain pin to Go 1.26.4, aligning local development, CI (via .go-version), and the build container base image with the latest patch release that includes the security fixes referenced in the PR description.

Changes:

• Bump Go version in the build Dockerfile from 1.26.3 → 1.26.4.
• Bump the repo-wide Go version file .go-version from 1.26.3 → 1.26.4.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
Dockerfile	Updates GO_VERSION build arg to use Go 1.26.4 in the build image.
.go-version	Updates the Go version consumed by CI (actions/setup-go via go-version-file).

[docker-agent]

Assessment: 🟢 APPROVE

This PR updates the Go toolchain from go1.26.3 to go1.26.4 — a security patch release addressing three CVEs:

• CVE-2026-42504: quadratic complexity in mime.WordDecoder.DecodeHeader
• CVE-2026-42507: unescaped input in net/textproto error messages
• CVE-2026-27145: quadratic cost in crypto/x509 hostname verification

Both changed files (.go-version and Dockerfile) are updated consistently to 1.26.4. The bump follows the same incremental pattern as all prior patch updates in the file history. No logic errors, no version mismatches, no issues found.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!