From 1f7e8cdda34e1ff568a7df091d022cd1395d5489 Mon Sep 17 00:00:00 2001
From: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
Date: Mon, 18 Aug 2025 10:48:21 -0400
Subject: [PATCH] deps: bump go-getter to v1.7.9 (#26533)

* deps: bump go-getter to v1.7.9

* add changelog

* update changelog
---
 .changelog/26533.txt | 3 +++
 go.mod               | 2 +-
 go.sum               | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 .changelog/26533.txt

diff --git a/.changelog/26533.txt b/.changelog/26533.txt
new file mode 100644
index 000000000..710e6edd8
--- /dev/null
+++ b/.changelog/26533.txt
@@ -0,0 +1,3 @@
+```release-note:security
+build: Update go-getter to 1.7.9 to address CVE-2025-8959. Nomad Client Agents with Landlock support are not impacted by this vulnerability.
+```
diff --git a/go.mod b/go.mod
index 93a4f1c2e..f2ab0ee53 100644
--- a/go.mod
+++ b/go.mod
@@ -55,7 +55,7 @@ require (
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/go-discover v1.1.0
 	github.com/hashicorp/go-envparse v0.1.0
-	github.com/hashicorp/go-getter v1.7.8
+	github.com/hashicorp/go-getter v1.7.9
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0
 	github.com/hashicorp/go-kms-wrapping/v2 v2.0.18
diff --git a/go.sum b/go.sum
index cfb20bcaa..f7c18b055 100644
--- a/go.sum
+++ b/go.sum
@@ -1156,8 +1156,8 @@ github.com/hashicorp/go-envparse v0.1.0 h1:bE++6bhIsNCPLvgDZkYqo3nA+/PFI51pkrHdm
 github.com/hashicorp/go-envparse v0.1.0/go.mod h1:OHheN1GoygLlAkTlXLXvAdnXdZxy8JUweQ1rAXx1xnc=
 github.com/hashicorp/go-gatedio v0.5.0 h1:Jm1X5yP4yCqqWj5L1TgW7iZwCVPGtVc+mro5r/XX7Tg=
 github.com/hashicorp/go-gatedio v0.5.0/go.mod h1:Lr3t8L6IyxD3DAeaUxGcgl2JnRUpWMCsmBl4Omu/2t4=
-github.com/hashicorp/go-getter v1.7.8 h1:mshVHx1Fto0/MydBekWan5zUipGq7jO0novchgMmSiY=
-github.com/hashicorp/go-getter v1.7.8/go.mod h1:2c6CboOEb9jG6YvmC9xdD+tyAFsrUaJPedwXDGr0TM4=
+github.com/hashicorp/go-getter v1.7.9 h1:G9gcjrDixz7glqJ+ll5IWvggSBR+R0B54DSRt4qfdC4=
+github.com/hashicorp/go-getter v1.7.9/go.mod h1:dyFCmT1AQkDfOIt9NH8pw9XBDqNrIKJT5ylbpi7zPNE=
 github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=