Release new version built with Go >= 1.25.7 (CVE-2025-68121)

[gifi71]

Hi! The pre-built binaries in v0.2.1 are compiled with Go 1.25.4, which is affected by CVE-2025-68121 (unexpected TLS session resumption in crypto/tls).
The fix is available in Go 1.24.13, 1.25.7, and 1.26.0-rc.3.
Could you publish a new release built with a patched Go version?
Detected by Trivy scanning the binary as gobinary in a Docker image. Currently working around this with .trivyignore.

Thanks!

[gifi71]

The same Go 1.25.4 stdlib also has these HIGH severity CVEs, all fixed in >= 1.25.6:

• CVE-2025-61730 — TLS 1.3 handshake issue with multiple messages in records
• CVE-2025-61729 — x509 DoS via crafted certificate
• CVE-2025-61728 — stdlib (Go 1.25.6)
• CVE-2025-61726 — stdlib (Go 1.25.6)

A single rebuild with Go >= 1.25.7 would resolve all five CVEs (including the critical one from the original report).

[fdomain]

Hi, thanks for raising this issue.
I believe we're not impacted by these vulns, since ocserv-exporter is not using TLS.
Anyway, we'll bump to latest go version in next realease, which should happen once #7 is merged