CVEs: bump Go to 1.23.11 and golang.org/x/net #1175

Closed
wants to merge 1 commit into from

Conversation

@M4tteoP M4tteoP commented Jul 10, 2025

Hi there, this PR proposes to:

  • bump Go to 1.23.11.
    • I would even move to 1.24.x, but I'm not sure about the policies of this repo in terms of minimum supported Go version, hence bumping just the patch version.
  • bump golang.org/x/net to latest v0.41.0.
    It would allow fixing CVE-2025-22870, CVE-2025-22872, CVE-2025-0913, CVE-2025-4673, CVE-2025-22871, all reported scanning the latest v0.17.1 image.

Before:

▶ grype prometheuscommunity/postgres-exporter:v0.17.1
 ✔ Scanned for vulnerabilities     [11 vulnerability matches]
   ├── by severity: 1 critical, 1 high, 7 medium, 2 low, 0 negligible
   └── by status:   5 fixed, 6 not-fixed, 0 ignored
NAME                 INSTALLED  FIXED-IN         TYPE       VULNERABILITY        SEVERITY  EPSS%  RISK
golang.org/x/crypto  v0.32.0    0.35.0           go-module  GHSA-hcg3-q754-cr77  High      34.26    0.1
stdlib               go1.23.6   1.23.10, 1.24.4  go-module  CVE-2025-4673        Medium    11.33  < 0.1
stdlib               go1.23.6   1.23.8, 1.24.2   go-module  CVE-2025-22871       Critical   4.44  < 0.1
busybox              1.36.1                      binary     CVE-2023-42364       Medium     7.49  < 0.1
busybox              1.36.1                      binary     CVE-2023-42365       Medium     7.49  < 0.1
golang.org/x/net     v0.33.0    0.38.0           go-module  GHSA-vvgc-356p-c3xw  Medium     7.89  < 0.1
busybox              1.36.1                      binary     CVE-2023-42366       Medium     5.76  < 0.1
busybox              1.36.1                      binary     CVE-2023-42363       Medium     5.45  < 0.1
golang.org/x/net     v0.33.0    0.36.0           go-module  GHSA-qxp5-gwg8-xv66  Medium     1.24  < 0.1
busybox              1.36.1                      binary     CVE-2025-46394       Low        2.91  < 0.1
busybox              1.36.1                      binary     CVE-2024-58251       Low        2.59  < 0.1

After:

▶ grype postgres_exporter:local
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 2 low, 0 negligible
   └── by status:   0 fixed, 6 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY  EPSS%  RISK
busybox  1.36.1               binary  CVE-2023-42364  Medium     7.49  < 0.1
busybox  1.36.1               binary  CVE-2023-42365  Medium     7.49  < 0.1
busybox  1.36.1               binary  CVE-2023-42366  Medium     5.76  < 0.1
busybox  1.36.1               binary  CVE-2023-42363  Medium     5.45  < 0.1
busybox  1.36.1               binary  CVE-2025-46394  Low        2.91  < 0.1
busybox  1.36.1               binary  CVE-2024-58251  Low        2.59  < 0.1

Thanks!

Signed-off-by: Matteo Pace <pace.matteo96@gmail.com>
@M4tteoP M4tteoP marked this pull request as ready for review July 10, 2025 15:27
SuperQ commented Jul 10, 2025

This does not actually control the version of Go used to build Prometheus projects. It only changes the compiler build requirements.

@SuperQ SuperQ closed this Jul 10, 2025
M4tteoP commented Jul 10, 2025

I see, thanks! Any chance there's a timeline for a CVE-free patch release? 🙇🏻‍♂️

SuperQ commented Jul 10, 2025

No. We do not cut releases unless the vulnerabilities are real. For example, GHSA-hcg3-q754-cr77 listed above is for SSH. This software does not use the golang.org/x/crypto/ssh package.

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.

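The kind of triage SuperQ asks for, as an added example that is not part of this PR and not postgres_exporter's own code: a small Go program that (1) reads the Go toolchain version and the module versions actually compiled into a binary from its embedded build info (what `go version -m` prints, and what the stdlib and golang.org/x/* matches in the scan above key on), and (2) checks each scanner finding against the list of packages really linked into the build, which is where a module-level match such as the golang.org/x/crypto/ssh advisory falls apart. The linked-package list is a constructed stand-in for `go list -deps` output, not the real dependency graph of this project; of the findings, only GHSA-hcg3-q754-cr77 and its mapping to golang.org/x/crypto/ssh come from the thread, and the EXAMPLE-* entries are placeholders, not real advisories.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Finding is one scanner hit reduced to what matters for triage: the module
// the scanner matched on and the package inside it that carries the
// vulnerable code (empty when the advisory does not say).
type Finding struct {
	ID      string
	Module  string
	Package string
}

// target names what has to be present in the binary for the finding to apply.
func (f Finding) target() string {
	if f.Package != "" {
		return f.Package
	}
	return f.Module + " (module, no package given)"
}

// SampleFindings: the first entry is the advisory discussed above, which the
// maintainer says concerns golang.org/x/crypto/ssh; the EXAMPLE-* entries are
// constructed placeholders, not real advisories.
var SampleFindings = []Finding{
	{ID: "GHSA-hcg3-q754-cr77", Module: "golang.org/x/crypto", Package: "golang.org/x/crypto/ssh"},
	{ID: "EXAMPLE-1", Module: "golang.org/x/net", Package: "golang.org/x/net/http2"},
	{ID: "EXAMPLE-2", Module: "golang.org/x/net", Package: ""}, // module-level only
}

// SampleLinked is a constructed stand-in for the output of
//   go list -deps ./...
// run in the project; it is NOT the real package list of postgres_exporter.
const SampleLinked = `net/http
crypto/tls
golang.org/x/crypto/bcrypt
golang.org/x/net/http2
github.com/prometheus/client_golang/prometheus
`

// ParseDeps turns `go list -deps` output (one import path per line) into a slice.
func ParseDeps(s string) []string {
	var out []string
	for _, line := range strings.Split(s, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			out = append(out, line)
		}
	}
	return out
}

// Triage splits findings into those whose vulnerable package is actually
// linked into the binary (worth verifying further) and those that are not
// (a module-version match with no code path behind it). An advisory that
// names no package is kept conservatively if anything under its module is
// linked at all.
func Triage(findings []Finding, linked []string) (reachable, unreachable []Finding) {
	set := make(map[string]bool, len(linked))
	for _, p := range linked {
		set[p] = true
	}
	for _, f := range findings {
		switch {
		case f.Package != "" && set[f.Package]:
			reachable = append(reachable, f)
		case f.Package == "" && anyUnder(set, f.Module):
			reachable = append(reachable, f)
		default:
			unreachable = append(unreachable, f)
		}
	}
	return reachable, unreachable
}

func anyUnder(set map[string]bool, module string) bool {
	for p := range set {
		if p == module || strings.HasPrefix(p, module+"/") {
			return true
		}
	}
	return false
}

// ToolchainVersion returns the Go toolchain that compiled the binary at path,
// as recorded in its build info. This, not the `go` directive in go.mod, is
// what a stdlib CVE match is made against.
func ToolchainVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// LinkedModules returns module path -> version for every module compiled
// into the binary, honouring replace directives; the same data as `go version -m`.
func LinkedModules(path string) (map[string]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	mods := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		mods[d.Path] = d.Version
	}
	return mods, nil
}

func main() {
	reach, unreach := Triage(SampleFindings, ParseDeps(SampleLinked))
	for _, f := range reach {
		fmt.Printf("VERIFY  %s: %s is linked into the binary\n", f.ID, f.target())
	}
	for _, f := range unreach {
		fmt.Printf("DISMISS %s: %s is not linked into the binary\n", f.ID, f.target())
	}
	// Optional: inspect a real binary given on the command line.
	if len(os.Args) > 1 {
		v, err := ToolchainVersion(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s was built with %s\n", os.Args[1], v)
		mods, _ := LinkedModules(os.Args[1])
		for _, m := range []string{"golang.org/x/crypto", "golang.org/x/net"} {
			fmt.Printf("  %s %s\n", m, mods[m])
		}
	}
}
```

Package-level presence is necessary but not sufficient: govulncheck (golang.org/x/vuln/cmd/govulncheck) goes a step further and reports only findings whose vulnerable symbols are reachable from the program's call graph, which is the kind of evidence a maintainer can act on without re-deriving it.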

2 participants