Skip to content

chore(core): cve mitigation 13-06-2026 for release 1.8#2655

Merged
LopatinDmitr merged 2 commits into
release-1.8from
chore/core/cve-mitigation-13072026-for-release-1-8
Jul 14, 2026
Merged

chore(core): cve mitigation 13-06-2026 for release 1.8#2655
LopatinDmitr merged 2 commits into
release-1.8from
chore/core/cve-mitigation-13072026-for-release-1-8

Conversation

@LopatinDmitr

@LopatinDmitr LopatinDmitr commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Fixed CVEs across most components (via Go stdlib bump 1.25.11 → 1.25.12):

  • CVE-2026-39822 (HIGH) — os: os.Root symlink following allows directory traversal
  • CVE-2026-42505 (MEDIUM) — crypto/tls: information disclosure in Encrypted Client Hello
  • GO-2026-5932 — golang.org/x/crypto/openpgp is unmaintained; requires removing the dependency rather than upgrading.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.
section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-39822
  - CVE-2026-42505
  - GO-2026-5932

Fixed vulnerability:
  - CVE-2026-39822
  - CVE-2026-42505
  - GO-2026-5932

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
GO-2026-5932 (golang.org/x/crypto/openpgp) has no fixed version and is
only a transitive dependency of the CDI binaries, which do not use
OpenPGP. Mark it not_affected via OpenVEX attestations on cdi-apiserver,
cdi-operator, cdi-controller and cdi-importer (same approach as the other
module images). cdi-cloner is unaffected and needs no statement.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr self-assigned this Jul 13, 2026
@LopatinDmitr LopatinDmitr added this to the v1.8.5 milestone Jul 13, 2026
@LopatinDmitr LopatinDmitr marked this pull request as ready for review July 13, 2026 19:03
@LopatinDmitr LopatinDmitr merged commit eca31cb into release-1.8 Jul 14, 2026
30 of 34 checks passed
@LopatinDmitr LopatinDmitr deleted the chore/core/cve-mitigation-13072026-for-release-1-8 branch July 14, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants