@rollandf
Fix several CVEs reported by govulncheck

With this change:

$ govulncheck ./...
No vulnerabilities found.

Before this change:

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying
    wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.11
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.Verify
      #2: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.VerifyHostname

Vulnerability #3: GO-2025-4098
    Container escape and DDoS due to arbitrary write gadgets and procfs write
    redirects in github.com/opencontainers/runc
  More info: https://pkg.go.dev/vuln/GO-2025-4098
  Module: github.com/opencontainers/selinux
    Found in: github.com/opencontainers/selinux@v1.12.0
    Fixed in: github.com/opencontainers/selinux@v1.13.0
    Example traces found:
      #1: plugins/main/tap/tap.go:27:2: tap.init calls selinux.init, which calls pwalkdir.init
      #2: plugins/main/tap/tap.go:179:33: tap.createLink calls selinux.SetExecLabel
      #3: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls selinux.attrPath
      #4: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls selinux.getSELinuxfs
      #5: plugins/main/tap/tap.go:27:2: tap.init calls selinux.init
      #6: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls selinux.policyRoot

Vulnerability #4: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.8
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.Verify

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.2
    Fixed in: encoding/asn1@go1.24.8
    Example traces found:
      #1: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls asn1.Unmarshal

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.2
    Fixed in: net/url@go1.24.8
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls url.Parse
      #2: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls url.ParseRequestURI

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.2
    Fixed in: encoding/pem@go1.24.8
    Example traces found:
      #1: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.2
    Fixed in: crypto/tls@go1.24.8
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #2: pkg/ip/link_linux.go:108:21: ip.RandomVethName calls rand.Read, which eventually calls tls.Conn.Read

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.9
    Example traces found:
      #1: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls x509.CertPool.AppendCertsFromPEM
      #2: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.Verify
      #3: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which eventually calls x509.ParseCertificate

Vulnerability #10: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/exec@go1.24.2
    Fixed in: os/exec@go1.24.6
    Example traces found:
      #1: pkg/testutils/ping.go:45:21: testutils.Ping calls exec.Command, which calls exec.LookPath

Vulnerability #11: GO-2025-3750
    Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in
    syscall
  More info: https://pkg.go.dev/vuln/GO-2025-3750
  Standard library
    Found in: os@go1.24.2
    Fixed in: os@go1.24.4
    Platforms: windows
    Example traces found:
      #1: pkg/testutils/netns_linux.go:97:32: testutils.NewNS calls os.Create
      #2: pkg/testutils/dns.go:30:25: testutils.TmpResolvConf calls os.CreateTemp
      #3: plugins/ipam/host-local/backend/disk/backend.go:177:19: disk.Store.GetByID calls filepath.Walk, which eventually calls os.File.Readdirnames
      #4: pkg/testutils/ping.go:49:19: testutils.Ping calls exec.Cmd.Run, which eventually calls os.Getwd
      #5: plugins/ipam/host-local/backend/disk/backend.go:177:19: disk.Store.GetByID calls filepath.Walk, which calls os.Lstat
      #6: pkg/testutils/netns_linux.go:64:19: testutils.NewNS calls os.MkdirAll
      #7: plugins/meta/tuning/tuning.go:25:2: tuning.init calls os.init, which calls os.NewFile
      #8: pkg/ns/ns_linux.go:151:20: ns.GetNS calls os.Open
      #9: plugins/ipam/host-local/backend/disk/backend.go:63:23: disk.Store.Reserve calls os.OpenFile
      #10: pkg/testutils/cmd.go:46:22: testutils.CmdAdd calls os.Pipe
      #11: plugins/main/host-device/host-device.go:500:28: host.linkFromPath calls os.ReadDir
      #12: plugins/ipam/host-local/backend/disk/backend.go:91:26: disk.Store.LastReservedIP calls os.ReadFile
      #13: pkg/testutils/netns_linux.go:162:22: testutils.UnmountNS calls os.Remove
      #14: pkg/testutils/netns_linux.go:106:2: testutils.NewNS calls os.RemoveAll
      #15: pkg/testutils/ping.go:49:19: testutils.Ping calls exec.Cmd.Run, which eventually calls os.StartProcess
      #16: plugins/ipam/host-local/backend/disk/lock.go:31:20: disk.NewFileLock calls os.Stat
      #17: plugins/ipam/host-local/backend/disk/backend.go:81:20: disk.Store.Reserve calls os.WriteFile
      #18: pkg/ip/ipmasq_iptables_linux.go:151:23: ip.TeardownIPMasq calls iptables.IPTables.DeleteChain, which eventually calls syscall.Open

Vulnerability #12: GO-2025-3749
    Usage of ExtKeyUsageAny disables policy validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3749
  Standard library
    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.4
    Example traces found:
      #1: plugins/ipam/dhcp/daemon.go:236:11: dhcp.runDaemon calls http.Server.Serve, which eventually calls x509.Certificate.Verify

Your code is affected by 12 vulnerabilities from 1 module and the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

Fix several CVEs reported by govulncheck

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@jpayne3506
I am not a maintainer here, but the Go version you are referencing is a minimum requirement. It should not be changed to circumvent stdlib vulns. The correct process is to build the binaries you require with the higher version of Go present on your machine.

To add to the vulns conversation: I was originally looking here to better understand the release process the repo is using to overcome the same issues, as the Go stdlib has CVE(s) for 1.25.4 as well (the version the current release used).

If possible, it would be nice to introduce some minor changes/automation to alleviate the above. Dependabot takes care of the selinux issue #1215, but the release cadence wouldn't allow us to see it for quite some time...
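Acting on the report the way the comment above recommends means splitting the findings in two: the standard-library ones are cleared by building with a newer toolchain (not by raising the go.mod directive), the module ones by bumping the dependency. The Go program below is an added example, not code from this PR or from the repository it targets; it parses govulncheck's text format, assumes every finding carries a `Fixed in: <path>@<version>` line as in the quoted output, and the `sampleReport` constant is a constructed excerpt of that output.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed excerpt of the "Fixed in" lines from the govulncheck report in the
// PR description; the parser ignores every other line of the report.
const sampleReport = `    Found in: crypto/x509@go1.24.2
    Fixed in: crypto/x509@go1.24.11
    Fixed in: github.com/opencontainers/selinux@v1.13.0
    Fixed in: crypto/x509@go1.24.9
`

var fixedRe = regexp.MustCompile(`^\s*Fixed in: (\S+)@(\S+)$`)

// versionKey pads each numeric component of "go1.24.11" or "v1.13.0" to a fixed
// width so plain string comparison orders releases numerically (raw strings rank go1.24.9 above go1.24.11).
func versionKey(v string) string {
	parts := strings.Split(strings.TrimLeft(v, "gov"), ".") // drop the "go" / "v" prefix
	for i, p := range parts {
		parts[i] = fmt.Sprintf("%6s", p) // space-padded: ' ' sorts before every digit
	}
	return strings.Join(parts, ".")
}

// MinToolchain returns the lowest Go release that fixes every standard-library finding
// (build with that toolchain; the go.mod directive stays) and the version each flagged module must reach.
func MinToolchain(report string) (string, map[string]string) {
	toolchain, modules := "", map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		m := fixedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		pkg, fixed := m[1], m[2]
		if strings.HasPrefix(fixed, "go") { // standard-library package: fixed in a Go release
			if toolchain == "" || versionKey(fixed) > versionKey(toolchain) {
				toolchain = fixed
			}
		} else if cur, ok := modules[pkg]; !ok || versionKey(fixed) > versionKey(cur) {
			modules[pkg] = fixed // third-party module: fixed in a module version
		}
	}
	return toolchain, modules
}
```

Run against the full report from the PR description, the stdlib findings resolve to a single toolchain floor of go1.24.11 and the only module bump is github.com/opencontainers/selinux to v1.13.0.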
