Bump Golang, Ubuntu, and golang.org/x/oauth2 to fix CVEs.

[blackpiglet]

Thank you for contributing to Velero!

Please add a summary of your change

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

• Accepted the DCO. Commits without the DCO will delay acceptance.
• Created a changelog file (make new-changelog) or comment /kind changelog-not-required on this PR.
• Updated the corresponding documentation in site/content/docs/main.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.62%. Comparing base (0fc7e2f) to head (79ac568).
Report is 1 commits behind head on release-1.16.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.16    #9104      +/-   ##
================================================
- Coverage         59.62%   59.62%   -0.01%     
================================================
  Files               370      370              
  Lines             40308    40308              
================================================
- Hits              24035    24032       -3     
- Misses            14772    14774       +2     
- Partials           1501     1502       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kaovilai]

Security Vulnerabilities Addressed

This PR addresses the following security vulnerabilities:

1. CVE-2025-22868 - Fixed by golang.org/x/oauth2 update (0.4.0 → 0.27.0)

• Severity: Critical
• Description: Unexpected memory consumption vulnerability in the golang.org/x/oauth2/jws package that can lead to denial of service
• Impact: An attacker can pass a malicious malformed token which causes excessive memory consumption during parsing, potentially leading to application crashes or DoS
• Fix: Updated to v0.27.0 which includes the patch for this vulnerability

2. Go 1.23.11 Security Fixes (1.23.10 → 1.23.11)

• The Go 1.23.11 release includes security fixes to the go command, as well as bug fixes to the compiler, linker, and runtime
• While specific CVE numbers for 1.23.11 are not yet published, this follows Go's regular security update cadence

3. Ubuntu Base Image Updates (paketobuildpacks/run-jammy-tiny:0.2.60 → 0.2.73)

• Updates the Ubuntu Jammy base image which typically includes security patches for various system libraries and packages
• This helps address any CVEs present in the base OS layer

Additional Notes

• The PR also removes the toolchain go1.23.10 directive from go.mod, allowing for more flexible Go version usage
• Updates are also applied to the restic dependency patch file (hack/fix_restic_cve.txt) to ensure consistent versions

Thank you for keeping Velero secure! 🔒

[kaovilai]

Note on Toolchain Directive Removal

I noticed this PR removes the toolchain go1.23.10 directive from go.mod. I'll wait for other maintainers' decision on whether this removal should be included in this security update PR.

For context, removing the toolchain directive means:

• The project will require Go 1.23.0+ (via go 1.23.0) but won't force a specific patch version
• Developers can use any Go 1.23.x version locally
• The GOTOOLCHAIN environment variable can be used to specify versions (e.g., GOTOOLCHAIN=go1.23.11 make build)
• Docker builds will still use Go 1.23.11 as specified in the Dockerfiles

This provides more flexibility but changes the development experience slightly. Happy to discuss the implications further if needed.

[kaovilai]

GitHub Actions Workflow Analysis

I've analyzed the GitHub Actions workflows and found an important detail:

Current Workflow Configuration

All workflows use:

- name: Set up Go
  uses: actions/setup-go@v5
  with:
    go-version-file: 'go.mod'

Key Finding

The go-version-file parameter reads the go directive from go.mod (currently go 1.23.0), NOT the toolchain directive. This means:

1. Workflows currently use Go 1.23.0 (the minimum version) rather than the specific toolchain version
2. CI builds may use a different Go version than Docker builds (which explicitly use 1.23.11)
3. GitHub actions workflows will no longer use 1.23.10, or 1.23.11, but 1.23.0 due to More specific handling/detection of Go toolchain versions actions/setup-go#457

Recommendation

If you want CI to use Go 1.23.11 specifically, you have options:

1. Update the go directive to go 1.23.11 (but this raises the minimum required version)
2. Add the toolchain directive to 1.23.11 recommended.
3. Explicitly set Go version in workflows: go-version: '1.23.11'
4. Keep current setup and let CI use any Go 1.23.x version

The current setup works fine - just noting the version difference between CI and Docker builds.

[blackpiglet]

@kaovilai
Thanks for the analysis.
There were back-and-forth discussions about the toolchain usage.
I think now it's clear. We need the toolchain and need to bump it to the latest for releasing.

I added the toolchain back. PTAL.

[kaovilai]

Thanks for the update