Skip to content

chore(core): cve mitigation 13-06-2026#2648

Open
LopatinDmitr wants to merge 1 commit into
mainfrom
chore/core/cve-mitigation-13072026-for-main
Open

chore(core): cve mitigation 13-06-2026#2648
LopatinDmitr wants to merge 1 commit into
mainfrom
chore/core/cve-mitigation-13072026-for-main

Conversation

@LopatinDmitr

@LopatinDmitr LopatinDmitr commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Fixed CVEs across most components (via Go stdlib bump 1.25.11 → 1.25.12):

  • CVE-2026-39822 (HIGH) — os: os.Root symlink following allows directory traversal
  • CVE-2026-42505 (MEDIUM) — crypto/tls: information disclosure in Encrypted Client Hello

Additionally fixed for usr/bin/registry:

golang.org/x/crypto (v0.49.0 → 0.52.0):

golang.org/x/net (v0.52.0 → 0.55.0):

golang.org/x/sys (v0.42.0 → 0.44.0):

  • CVE-2026-39824

  • GO-2026-5932 — golang.org/x/crypto/openpgp is unmaintained; requires removing the dependency rather than upgrading.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerability:
  - CVE-2026-39822
  - CVE-2026-42505
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39831
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-39827
  - CVE-2026-39833
  - CVE-2026-39834
  - CVE-2026-46598
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-25680
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-39824
  - GO-2026-5932

@LopatinDmitr LopatinDmitr self-assigned this Jul 13, 2026
@LopatinDmitr LopatinDmitr added this to the v1.10.0 milestone Jul 13, 2026
@LopatinDmitr LopatinDmitr marked this pull request as ready for review July 13, 2026 17:07
Fixed vulnerability:
  - CVE-2026-39822
  - CVE-2026-42505
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39831
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-39827
  - CVE-2026-39833
  - CVE-2026-39834
  - CVE-2026-46598
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-25680
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-39824
  - GO-2026-5932

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

chore(core): bump Go to 1.25.12 for CVE mitigation

Go 1.25.12 fixes CVE-2026-39822 (os.Root symlink traversal) and
CVE-2026-42505 (crypto/tls ECH info disclosure) reported across all
module binaries. Bump the go directive in every go.mod, the GO_VERSION
in CI workflows, and the golang base image in the dlv debug Dockerfiles.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

fix(core): add openpgp VEX mitigation for the module bundle image

The hooks/go/virtualization-module-hooks binary carries GO-2026-5932
(golang.org/x/crypto/openpgp), which has no fixed version. The hook does
not use OpenPGP, so mark it not_affected via an OpenVEX attestation on
the bundle image (predicate in repo-root known_vulnerabilities.vex).

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

fix(core): add openpgp VEX mitigation for dvcr-importer and dvcr-uploader

GO-2026-5932 (golang.org/x/crypto/openpgp) has no fixed version. The
package is only a transitive dependency and neither the importer nor the
uploader uses OpenPGP, so mark it not_affected via OpenVEX attestations
(same approach as the dvcr and virtualization-api images).

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

fix(core): add openpgp VEX mitigation for virtualization-api

GO-2026-5932 (golang.org/x/crypto/openpgp) has no fixed version. The
package is only a transitive dependency and the aggregated apiserver
does not use OpenPGP, so mark it not_affected via an OpenVEX attestation
(same approach as the dvcr image).

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

fix(core): sync vendor tree after dvcr dependency bump

distribution vendors its deps, so the go.mod replace edits for the CVE
mitigation must be followed by 'go mod vendor' — otherwise the build
fails with inconsistent vendoring. Also align x/sys to v0.45.0, the
version the crypto/net bumps pull up transitively (>= the CVE fix),
instead of downgrading it to v0.44.0.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

fix cve for dvcr

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation-13072026-for-main branch from d77af1a to 2bad4ef Compare July 13, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant