Skip to content

OCPBUGS-83833: fix(deps): update dependencies to address CVE-2025-52881#8748

Open
dhgautam99 wants to merge 1 commit into
openshift:release-4.21from
dhgautam99:CVE-2025-52881-mce-2-11
Open

OCPBUGS-83833: fix(deps): update dependencies to address CVE-2025-52881#8748
dhgautam99 wants to merge 1 commit into
openshift:release-4.21from
dhgautam99:CVE-2025-52881-mce-2-11

Conversation

@dhgautam99

@dhgautam99 dhgautam99 commented Jun 17, 2026

Copy link
Copy Markdown

What this PR does / why we need it:

Updates vendored dependencies to remediate CVE-2025-52881:

  • github.com/opencontainers/selinux v1.11.1 -> v1.13.0
  • github.com/opencontainers/runc (transitive dependency update)

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-83833

Special notes for your reviewer:

Vendor-only change. No application code modified.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@dhruv-gautam
fix(deps): update dependencies to address CVE-2025-52881
355fac2 
Update vendored dependencies to remediate CVE-2025-52881:
- github.com/opencontainers/selinux v1.11.1 -> v1.13.0
- github.com/stretchr/testify v1.9.0 -> v1.11.1
- github.com/cyphar/filepath-securejoin v0.3.6 -> v0.6.0 (new)
- cyphar.com/go-pathrs v0.2.1 (new indirect)

Fixes: https://issues.redhat.com/browse/OCPBUGS-83833

Signed-off-by: Dhruv Gautam <[email protected]>
@openshift-merge-bot

openshift-merge-bot Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 17, 2026

Copy link
Copy Markdown

@dhgautam99: This pull request references Jira Issue OCPBUGS-83833, which is invalid:

  • expected Jira Issue OCPBUGS-83833 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

Updates vendored dependencies to remediate CVE-2025-52881:

  • github.com/opencontainers/selinux v1.11.1 -> v1.13.0
  • github.com/opencontainers/runc (transitive dependency update)

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-83833

Special notes for your reviewer:

Vendor-only change. No application code modified.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e4ddc2a1-63e3-445e-ba51-a9228d26540e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from bryan-cox and sjenning June 17, 2026 07:08
@openshift-ci openshift-ci Bot added area/api Indicates the PR includes changes for the API and removed do-not-merge/needs-area labels Jun 17, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2026
@openshift-merge-bot

openshift-merge-bot Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test verify-deps

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, dhgautam99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2026
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@dhgautam99: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjenning sjenning Awaiting requested review from sjenning

1 more reviewer

@bryan-cox bryan-cox bryan-cox approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bryan-cox bryan-cox

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates the PR includes changes for the API jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dhgautam99 @openshift-ci-robot @bryan-cox @dhruv-gautam