chore(core): cve mitigation 13-06-2026#2648
Open
LopatinDmitr wants to merge 1 commit into
Open
Conversation
Fixed vulnerability: - CVE-2026-39822 - CVE-2026-42505 - CVE-2026-39828 - CVE-2026-39829 - CVE-2026-39830 - CVE-2026-39831 - CVE-2026-39832 - CVE-2026-39835 - CVE-2026-42508 - CVE-2026-46595 - CVE-2026-46597 - CVE-2026-39827 - CVE-2026-39833 - CVE-2026-39834 - CVE-2026-46598 - CVE-2026-25681 - CVE-2026-27136 - CVE-2026-33814 - CVE-2026-39821 - CVE-2026-25680 - CVE-2026-42502 - CVE-2026-42506 - CVE-2026-39824 - GO-2026-5932 Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> chore(core): bump Go to 1.25.12 for CVE mitigation Go 1.25.12 fixes CVE-2026-39822 (os.Root symlink traversal) and CVE-2026-42505 (crypto/tls ECH info disclosure) reported across all module binaries. Bump the go directive in every go.mod, the GO_VERSION in CI workflows, and the golang base image in the dlv debug Dockerfiles. Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> fix(core): add openpgp VEX mitigation for the module bundle image The hooks/go/virtualization-module-hooks binary carries GO-2026-5932 (golang.org/x/crypto/openpgp), which has no fixed version. The hook does not use OpenPGP, so mark it not_affected via an OpenVEX attestation on the bundle image (predicate in repo-root known_vulnerabilities.vex). Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> fix(core): add openpgp VEX mitigation for dvcr-importer and dvcr-uploader GO-2026-5932 (golang.org/x/crypto/openpgp) has no fixed version. The package is only a transitive dependency and neither the importer nor the uploader uses OpenPGP, so mark it not_affected via OpenVEX attestations (same approach as the dvcr and virtualization-api images). Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> fix(core): add openpgp VEX mitigation for virtualization-api GO-2026-5932 (golang.org/x/crypto/openpgp) has no fixed version. The package is only a transitive dependency and the aggregated apiserver does not use OpenPGP, so mark it not_affected via an OpenVEX attestation (same approach as the dvcr image). Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> fix(core): sync vendor tree after dvcr dependency bump distribution vendors its deps, so the go.mod replace edits for the CVE mitigation must be followed by 'go mod vendor' — otherwise the build fails with inconsistent vendoring. Also align x/sys to v0.45.0, the version the crypto/net bumps pull up transitively (>= the CVE fix), instead of downgrading it to v0.44.0. Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com> fix cve for dvcr Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
d77af1a to
2bad4ef
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixed CVEs across most components (via Go stdlib bump 1.25.11 → 1.25.12):
Additionally fixed for usr/bin/registry:
golang.org/x/crypto (v0.49.0 → 0.52.0):
golang.org/x/net (v0.52.0 → 0.55.0):
golang.org/x/sys (v0.42.0 → 0.44.0):
CVE-2026-39824
GO-2026-5932 — golang.org/x/crypto/openpgp is unmaintained; requires removing the dependency rather than upgrading.
Checklist
Changelog entries