
chore: bump versions to fix CVE#244

Merged
niemeyer merged 6 commits into canonical:main from zhijie-yang:vuln-fix-ssdlc-25.10
Sep 29, 2025

Conversation

@zhijie-yang (Contributor) commented Sep 24, 2025

  • Have you signed the CLA?

The minimal required Go version is bumped to 1.24.6 to fix GO-2025-3956/CVE-2025-47906. Go version 1.23.12 cannot be used because it is not available in the snap store.

The version of package github.com/ulikunitz/xz is bumped to v0.5.15 to fix GO-2025-3922/CVE-2025-58058.

The complete govulncheck output before the fix is as follows:

=== Symbol Results ===

Vulnerability #1: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/exec@go1.24.4
    Fixed in: os/exec@go1.24.6
    Example traces found:
      #1: internal/testutil/exec.go:35:28: testutil.init#1 calls exec.LookPath

Vulnerability #2: GO-2025-3922
    Memory leaks when decoding a corrupted multiple LZMA archives in
    github.com/ulikunitz/xz
  More info: https://pkg.go.dev/vuln/GO-2025-3922
  Module: github.com/ulikunitz/xz
    Found in: github.com/ulikunitz/xz@v0.5.12
    Fixed in: github.com/ulikunitz/xz@v0.5.15
    Example traces found:
      #1: internal/deb/extract.go:18:2: deb.init calls xz.init, which eventually calls hash.init
      #2: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.ByteReader
      #3: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.DecodeDictCap
      #4: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls lzma.Properties.String
      #5: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.Reader2.Read
      #6: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.Reader2Config.NewReader2
      #7: internal/deb/extract.go:403:33: deb.DataReader calls xz.NewReader, which eventually calls lzma.Reader2Config.Verify
      #8: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.breader.ReadByte
      #9: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls lzma.chunkHeader.String
      #10: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls lzma.chunkType.String
      #11: internal/pgputil/openpgp.go:90:19: pgputil.VerifySignature calls io.Copy, which eventually calls lzma.decoderDict.Write
      #12: internal/deb/extract.go:18:2: deb.init calls xz.init, which calls lzma.init
      #13: internal/deb/extract.go:403:33: deb.DataReader calls xz.NewReader, which eventually calls xlog.Debugf
      #14: internal/deb/extract.go:18:2: deb.init calls xz.init, which calls xlog.init
      #15: internal/deb/extract.go:403:33: deb.DataReader calls xz.NewReader
      #16: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which calls xz.Reader.Read
      #17: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls xz.blockHeader.String
      #18: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls xz.countingReader.Read
      #19: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls xz.footer.String
      #20: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls xz.header.String
      #21: internal/deb/extract.go:18:2: deb.init calls xz.init
      #22: internal/testutil/filecontentchecker.go:84:45: testutil.fileContentCheck calls xz.lzmaFilter.String
      #23: internal/deb/extract.go:388:33: deb.DataReader calls ar.Reader.Next, which eventually calls xz.noneHash.Write

Your code is affected by 2 vulnerabilities from 1 module and the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

There are no vulnerabilities found after this version bump.
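As an added example (not part of this pull request or of the chisel project), the following Go program parses the text form of a govulncheck "Symbol Results" report, like the one quoted above, and turns each finding into the remediation it implies: a `go get module@fixed` line for a third-party module, or a `go mod edit -go=` directive bump when the finding is in the standard library and so is fixed by the toolchain rather than by a dependency. The line patterns are taken from the report format shown in the description; the embedded `sampleReport` is a trimmed copy of that output, constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one vulnerability entry parsed from govulncheck's text
// "Symbol Results" section.
type Finding struct {
	ID      string // OSV id, e.g. GO-2025-3922
	Module  string // module path for third-party findings; empty for stdlib
	Stdlib  bool   // true when the report marks the entry "Standard library"
	FoundIn string // package@version govulncheck saw, e.g. os/exec@go1.24.4
	FixedIn string // first fixed package@version reported by govulncheck
	Traces  int    // number of "Example traces found" call paths
}

// Line patterns follow the govulncheck text output quoted in the PR description.
var (
	reVuln   = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)`)
	reModule = regexp.MustCompile(`^\s*Module: (\S+)`)
	reFound  = regexp.MustCompile(`^\s*Found in: (\S+)`)
	reFixed  = regexp.MustCompile(`^\s*Fixed in: (\S+)`)
	reTrace  = regexp.MustCompile(`^\s+#\d+: \S+:\d+:\d+: `)
)

// ParseReport walks the report line by line. State is the index of the
// finding being filled in, so later appends cannot invalidate a pointer.
func ParseReport(report string) []Finding {
	var out []Finding
	cur := -1
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := sc.Text()
		if m := reVuln.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{ID: m[1]})
			cur = len(out) - 1
			continue
		}
		if cur < 0 {
			continue // header text before the first finding
		}
		f := &out[cur]
		switch {
		case strings.TrimSpace(line) == "Standard library":
			f.Stdlib = true
		case reModule.MatchString(line):
			f.Module = reModule.FindStringSubmatch(line)[1]
		case reFound.MatchString(line):
			f.FoundIn = reFound.FindStringSubmatch(line)[1]
		case reFixed.MatchString(line):
			f.FixedIn = reFixed.FindStringSubmatch(line)[1]
		case reTrace.MatchString(line):
			f.Traces++
		}
	}
	return out
}

// Remediation returns the change that moves the build past FixedIn.
// Standard-library findings are fixed by the toolchain, so they become a
// go.mod directive bump rather than a go get of a dependency.
func (f Finding) Remediation() string {
	at := strings.LastIndex(f.FixedIn, "@")
	if at < 0 {
		return "" // no fixed version published yet
	}
	ver := f.FixedIn[at+1:]
	if f.Stdlib {
		return "go mod edit -go=" + strings.TrimPrefix(ver, "go")
	}
	return "go get " + f.Module + "@" + ver
}

// sampleReport is a trimmed copy of the govulncheck output quoted in the
// pull request description (constructed test input; most traces omitted).
const sampleReport = `=== Symbol Results ===

Vulnerability #1: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/exec@go1.24.4
    Fixed in: os/exec@go1.24.6
    Example traces found:
      #1: internal/testutil/exec.go:35:28: testutil.init#1 calls exec.LookPath

Vulnerability #2: GO-2025-3922
    Memory leaks when decoding a corrupted multiple LZMA archives in
    github.com/ulikunitz/xz
  More info: https://pkg.go.dev/vuln/GO-2025-3922
  Module: github.com/ulikunitz/xz
    Found in: github.com/ulikunitz/xz@v0.5.12
    Fixed in: github.com/ulikunitz/xz@v0.5.15
    Example traces found:
      #1: internal/deb/extract.go:18:2: deb.init calls xz.init, which eventually calls hash.init
      #2: internal/cache/cache.go:160:25: cache.Cache.Read calls io.ReadAll, which eventually calls lzma.ByteReader
      #3: internal/deb/extract.go:403:33: deb.DataReader calls xz.NewReader

Your code is affected by 2 vulnerabilities from 1 module and the Go standard library.
`

func main() {
	for _, f := range ParseReport(sampleReport) {
		fmt.Printf("%s  %s -> %s  (%d call paths)\n  %s\n",
			f.ID, f.FoundIn, f.FixedIn, f.Traces, f.Remediation())
	}
}
```

In a real pipeline, prefer `govulncheck -json`, whose output is a stable machine-readable stream, over scraping the human-readable text as this example does; the point here is the mapping from each finding to the version bump that closes it, which is exactly what this PR applies by hand.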

github-actions bot commented Sep 24, 2025

Command   Mean [s]         Min [s]   Max [s]   Relative
BASE      8.867 ± 0.055    8.777     8.966     1.04 ± 0.01
HEAD      8.557 ± 0.042    8.506     8.607     1.00

@zhijie-yang zhijie-yang marked this pull request as draft September 24, 2025 13:28
@zhijie-yang zhijie-yang marked this pull request as ready for review September 24, 2025 14:02
@letFunny (Collaborator) left a comment

Thanks James for working on this so proactively! Only a few minor questions.

module github.com/canonical/chisel

go 1.23.8
go 1.24.6
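Review bot: the go directive jump from 1.23.8 to 1.24.6 in go.mod raises the minimum toolchain for everyone who builds the module, not only CI, and the hunk adds no toolchain line, so a Go 1.21+ toolchain older than 1.24.6 will try to fetch 1.24.6 via GOTOOLCHAIN rather than fail outright. Please confirm that the CI images and the snap track used to build chisel actually provide 1.24.6, and consider recording the snap-store constraint from the description (1.23.12 unavailable) in the commit message so the rationale for picking a new minor rather than a patch release survives the next bump.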
Collaborator:

Why not go for 1.25 now that we are updating? The last time we discussed this (Gustavo & me) the problem was that only the last two major versions are supported officially by the Go team, so if we could update to the latest, that would mean we don't have to upgrade as often.

Not saying we have to do it, just asking.

Contributor Author:

That's a good consideration. The major reason pushing us away from doing this is that Go 1.25 is still on the edge channel of the go snap. A minor reason is that we cannot necessarily save ourselves the effort of bumping versions, as vulnerabilities can also exist in newer minor versions with older patch version numbers.

Collaborator:

The major reason pushing us away from doing this is that go 1.25 is still on the edge channel of the go snap.

This is enough reason for me. Thanks for the context.

@letFunny (Collaborator) left a comment

Thanks for this James, greatly appreciated!

@letFunny letFunny added the Simple Nice for a quick look on a minute or two label Sep 25, 2025
@niemeyer (Contributor) left a comment

Thanks!

@niemeyer (Contributor) commented:

There are no vulnerabilities found after this version bump.

Famous last words. ;-)

@niemeyer niemeyer merged commit 54825ba into canonical:main Sep 29, 2025
18 checks passed