Skip to content

Backport: chore(core): mitigate CVEs based on report 2026-06-29 (#2557) for release 1.8#2609

Merged
diafour merged 2 commits into
release-1.8from
chore/core/cve-mitigation-20260629-backport-1-8
Jul 9, 2026
Merged

Backport: chore(core): mitigate CVEs based on report 2026-06-29 (#2557) for release 1.8#2609
diafour merged 2 commits into
release-1.8from
chore/core/cve-mitigation-20260629-backport-1-8

Conversation

@diafour

@diafour diafour commented Jul 7, 2026

Copy link
Copy Markdown
Member

Description

Backport PR #2557 for release 1.8.

Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:

golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0
golang.org/x/sys -> v0.45.0

See also supportive PRs:

Why do we need it, and what problem does it solve?

Mitigate CVE list:

CVE-2026-25680
CVE-2026-25681
CVE-2026-27136
CVE-2026-33814
CVE-2026-39821
CVE-2026-39827
CVE-2026-39828
CVE-2026-39829
CVE-2026-39830
CVE-2026-39832
CVE-2026-39835
CVE-2026-42502
CVE-2026-42506
CVE-2026-42508
CVE-2026-46595
CVE-2026-46597
CVE-2026-53935

Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

What is the expected result?

No Critical and High severity CVEs in the Trivy report.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-41579
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

@diafour diafour self-assigned this Jul 7, 2026
@diafour diafour changed the title Backport: chore(core): mitigate CVEs based on report 2026-06-29 (#2557) Backport: chore(core): mitigate CVEs based on report 2026-06-29 (#2557) for release 1.8 Jul 7, 2026
@diafour diafour marked this pull request as ready for review July 8, 2026 09:03
LopatinDmitr and others added 2 commits July 8, 2026 19:12
* chore(core): cve mitigation 22-06-2026

- Fix CVE-2026-2303

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>

(cherry picked from commit b7318ff)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
* chore(core): mitigate CVEs based on report 2026-06-29

- Mitigate Trivy-reported High/Critical vulnerabilities in dependencies.

Updated CVE-related replacements:
golang.org/x/crypto -> v0.52.0
golang.org/x/net -> v0.55.0
golang.org/x/oauth2 -> v0.34.0

- Fixed vulnerabilities:
  - CVE-2026-25680
  - CVE-2026-25681
  - CVE-2026-27136
  - CVE-2026-33814
  - CVE-2026-39821
  - CVE-2026-39827
  - CVE-2026-39828
  - CVE-2026-39829
  - CVE-2026-39830
  - CVE-2026-39832
  - CVE-2026-39835
  - CVE-2026-42502
  - CVE-2026-42506
  - CVE-2026-42508
  - CVE-2026-46595
  - CVE-2026-46597
  - CVE-2026-53935

- Add CVE-2026-41579 justification in VEX format for for github.com/opencontainers/runc dependency.

- Skip cyrillic validation in VEX files

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Maksim Khimchenko <maksim.khimchenko@flant.com>

(cherry picked from commit ab74177)
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@diafour diafour force-pushed the chore/core/cve-mitigation-20260629-backport-1-8 branch 2 times, most recently from d58dabc to 54dc004 Compare July 9, 2026 08:38
@diafour diafour merged commit a6e9636 into release-1.8 Jul 9, 2026
24 of 28 checks passed
@diafour diafour deleted the chore/core/cve-mitigation-20260629-backport-1-8 branch July 9, 2026 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants