fix: resolve April 2026 docker-ptf security vulnerabilities

- Upgrade Go toolchain 1.25.8 → 1.25.9 (fixes CVE-2026-32280 through
  CVE-2026-32289: stdlib crypto/tls, archive/tar, html/template, os)
- Bump go.opentelemetry.io/otel/sdk v1.40.0 → v1.43.0 in gnmic
  (CVE-2026-39883: PATH hijacking via BSD kenv)
- Add github.com/go-jose/go-jose/v4@v4.1.4 to gnmic, gnoic, grpcurl
  (CVE-2026-34986: DoS via crafted JSON Web Encryption)
- Bump github.com/docker/docker to latest in gnmic
  (CVE-2026-34040: authorization bypass, CVE-2026-33997: privilege
  validation bypass during plugin installation)
- Add aws-sdk-go-v2 eventstream/s3 latest to gnmic
  (GHSA-xmrv-pmrh-hhx2: DoS via panic in AWS SDK for Go v2)
- Existing apt-get upgrade covers libpng16-16 fix
  (CVE-2026-33416: use-after-free, CVE-2026-33636: OOB read/write)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ubuntu <austinpham@austinpham-dev-vm-2.d4y3nv5wwgfelhhopdxv1tqjld.dx.internal.cloudapp.net>

Author: 2 people

dockers/docker-ptf/Dockerfile.j2

@@ -112,7 +112,7 @@ RUN GO_ARCH=arm64 \
 {% else %}
 RUN GO_ARCH=amd64 \
 {% endif %}
-    && GO_VERSION=1.25.8 \
+    && GO_VERSION=1.25.9 \
     && curl -L "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tar.gz \
     && tar -C /usr/local -xzf /tmp/go.tar.gz \
     && rm /tmp/go.tar.gz
@@ -125,12 +125,14 @@ RUN GRPCURL_VERSION=v1.9.3 \
     && git clone --depth 1 --branch "${GRPCURL_VERSION}" https://github.com/fullstorydev/grpcurl.git /tmp/grpcurl \
     && cd /tmp/grpcurl \
     && go get google.golang.org/grpc@v1.79.3 \
+    && go get github.com/go-jose/go-jose/v4@v4.1.4 \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
     && go mod tidy \
     && go build -o /usr/local/bin/grpcurl ./cmd/grpcurl \
     && chmod +x /usr/local/bin/grpcurl \
     && rm -rf /tmp/grpcurl
 # Security fixes: upgrade all vulnerable system packages (S360 scan remediation)
+# Covers CVE-2026-33416 and CVE-2026-33636 (libpng16-16) among others
 RUN apt-get update && apt-get upgrade -y \
     && rm -rf /var/lib/apt/lists/*
 
@@ -406,6 +408,7 @@ RUN git clone https://github.com/karimra/gnoic.git \
     && git checkout 27bc5a6 \
     && go get google.golang.org/grpc@v1.79.3 \
     && go get github.com/go-viper/mapstructure/v2@v2.4.0 \
+    && go get github.com/go-jose/go-jose/v4@v4.1.4 \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
     && go mod tidy \
     && go build -o /usr/local/bin/gnoic . \
@@ -420,8 +423,11 @@ RUN GNMIC_VERSION=v0.43.0 \
     && go get github.com/cloudflare/circl@v1.6.3 \
     && go get github.com/go-git/go-git/v5@latest \
     && go get github.com/nats-io/nats-server/v2@latest \
-    && go get go.opentelemetry.io/otel/sdk@v1.40.0 \
+    && go get go.opentelemetry.io/otel/sdk@v1.43.0 \
     && go get github.com/docker/docker@latest \
+    && go get github.com/go-jose/go-jose/v4@v4.1.4 \
+    && go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@latest github.com/aws/aws-sdk-go-v2/service/s3@latest github.com/aws/aws-sdk-go-v2/feature/s3/manager@latest \
+    && go get gocloud.dev@latest \
     && go get golang.org/x/crypto@latest golang.org/x/net@latest golang.org/x/text@latest golang.org/x/sys@latest golang.org/x/oauth2@latest \
     && go mod tidy \
     && go build -o /usr/local/bin/gnmic . \