Skip to content

chore(core): mitigate CVEs based on report 2026-06-29#2557

Merged
diafour merged 4 commits into
mainfrom
chore/core/cve-migitation-2026-06-29
Jul 6, 2026
Merged

chore(core): mitigate CVEs based on report 2026-06-29#2557
diafour merged 4 commits into
mainfrom
chore/core/cve-migitation-2026-06-29

Conversation

@diafour

@diafour diafour commented Jun 29, 2026

Copy link
Copy Markdown
Member

Description

Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:

  • golang.org/x/crypto -> v0.52.0
  • golang.org/x/net -> v0.55.0
  • golang.org/x/oauth2 -> v0.34.0
  • golang.org/x/sys -> v0.45.0

See also support PRs:

Backports:

Why do we need it, and what problem does it solve?

Mitigate CVE list:

CVE-2026-25680
CVE-2026-25681
CVE-2026-27136
CVE-2026-33814
CVE-2026-39821
CVE-2026-39827
CVE-2026-39828
CVE-2026-39829
CVE-2026-39830
CVE-2026-39832
CVE-2026-39835
CVE-2026-42502
CVE-2026-42506
CVE-2026-42508
CVE-2026-46595
CVE-2026-46597

Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

What is the expected result?

No Critical and High severity CVEs in the Trivy report.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-41579
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597

@diafour diafour force-pushed the chore/core/cve-migitation-2026-06-29 branch from 4413ea4 to 517ae09 Compare June 30, 2026 14:24
@diafour diafour added this to the v1.10.0 milestone Jun 30, 2026
@diafour diafour force-pushed the chore/core/cve-migitation-2026-06-29 branch 3 times, most recently from 4d8e036 to 944c100 Compare July 2, 2026 12:43
@diafour diafour requested a review from LopatinDmitr July 2, 2026 15:21
@diafour diafour marked this pull request as ready for review July 2, 2026 15:27
Comment thread images/virt-artifact/werf.inc.yaml Outdated
Comment thread images/virt-handler/known_vulnerabilities.vex
Comment thread images/virt-launcher/known_vulnerabilities.vex
LopatinDmitr
LopatinDmitr previously approved these changes Jul 3, 2026
diafour added a commit to deckhouse/3p-containerized-data-importer that referenced this pull request Jul 6, 2026
Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0

See deckhouse/virtualization#2557
diafour added a commit to deckhouse/3p-kubevirt that referenced this pull request Jul 6, 2026
* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour and others added 4 commits July 6, 2026 13:55
- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@diafour diafour force-pushed the chore/core/cve-migitation-2026-06-29 branch from c5c69bd to 8bf68ed Compare July 6, 2026 10:56
@LopatinDmitr LopatinDmitr self-requested a review July 6, 2026 11:07
@diafour diafour merged commit ab74177 into main Jul 6, 2026
33 of 34 checks passed
@diafour diafour deleted the chore/core/cve-migitation-2026-06-29 branch July 6, 2026 11:23
diafour added a commit to deckhouse/3p-kubevirt that referenced this pull request Jul 6, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 8, 2026
* chore(core): mitigate CVEs based on report 2026-06-29

- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

- Skip cyrillic validation in VEX files

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Maksim Khimchenko <maksim.khimchenko@flant.com>

(cherry picked from commit ab74177)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 8, 2026
* chore(core): mitigate CVEs based on report 2026-06-29

- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

- Skip cyrillic validation in VEX files

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Maksim Khimchenko <maksim.khimchenko@flant.com>

(cherry picked from commit ab74177)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit to deckhouse/3p-kubevirt that referenced this pull request Jul 9, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit to deckhouse/3p-kubevirt that referenced this pull request Jul 9, 2026
Backport for release 1.9.

* fix: mitigate CVEs based on report 2026-06-29

Updated CVE-related replacements
- golang.org/x/crypto -> v0.52.0
- golang.org/x/net -> v0.55.0
- golang.org/x/oauth2 -> v0.34.0
- Go 1.24 -> Go 1.25

See deckhouse/virtualization#2557

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 9, 2026
* chore(core): mitigate CVEs based on report 2026-06-29

- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

- Skip cyrillic validation in VEX files

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Maksim Khimchenko <maksim.khimchenko@flant.com>

(cherry picked from commit ab74177)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
diafour added a commit that referenced this pull request Jul 9, 2026
* chore(core): mitigate CVEs based on report 2026-06-29

- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

- Skip cyrillic validation in VEX files

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Maksim Khimchenko <maksim.khimchenko@flant.com>

(cherry picked from commit ab74177)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants