OCPBUGS-95470: bump deps for containerd CVE fix#1473
Conversation
Bump `operator-framework/operator-registry` and `helm/v3` to a version where the containerd version used has the CVE-2026-53488 fix.
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@r4f4: This pull request references Jira Issue OCPBUGS-95470, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@r4f4: This pull request references Jira Issue OCPBUGS-95470, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughUpdated the Go toolchain directive and refreshed direct and indirect dependencies in ChangesDependency and logging refresh
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 1 warning)
✅ Passed checks (13 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: r4f4 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 17: Update the operator-registry dependency in go.mod from the unreleased
pseudo-version to the stable tagged release v1.72.0. Preserve the existing
dependency configuration and do not retain the pseudo-version unless an approved
exception and provenance documentation are provided.
- Line 3: Update the go directive in go.mod from Go 1.26.3 to 1.26.5, and align
CI and build-image Go version references with 1.26.5.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: e896894d-97d0-449d-b22f-db34bc8d5938
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
go.mod
| module github.com/openshift/oc-mirror/v2 | ||
|
|
||
| go 1.25.7 | ||
| go 1.26.3 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
set -euo pipefail
printf '\n== go.mod ==\n'
cat -n go.mod | sed -n '1,80p'
printf '\n== matching build/toolchain files ==\n'
git ls-files | rg '(^|/)(go\.mod|go\.sum|Makefile|Dockerfile|dockerfile|\.github/workflows/.*|.*\.ya?ml|.*\.sh)$' || true
printf '\n== search for Go version/toolchain references ==\n'
rg -n --hidden --glob '!.git' 'go 1\.26|toolchain go1\.26|go1\.26\.|GOTOOLCHAIN|1\.26\.3|1\.26\.5|1\.26\.4' .
printf '\n== go env if available ==\n'
(go version && go env GOTOOLCHAIN GOFLAGS GOVERSION) || trueRepository: openshift/oc-mirror
Length of output: 50376
🏁 Script executed:
set -euo pipefail
printf '\n== version pins in key config files ==\n'
rg -n --hidden --glob '!.git' --glob '.github/workflows/*' --glob '.ci-operator.yaml' --glob '.golangci*.yaml' --glob 'Dockerfile*' --glob 'Makefile' --glob 'images/**' --glob 'hack/**' \
'go1\.[0-9]+(\.[0-9]+)?|golang:[^ ]+|GO_VERSION|GOVERSION|toolchain|GOTOOLCHAIN|1\.26\.3|1\.26\.4|1\.26\.5' \
.github .ci-operator.yaml .golangci.yaml .golangci.v2.yaml Dockerfile Dockerfile.tests-extension Makefile images hack 2>/dev/null || true
printf '\n== go directive occurrences ==\n'
rg -n --hidden --glob '!.git' '^\s*go\s+1\.[0-9]+(\.[0-9]+)?\s*$|^\s*toolchain\s+go1\.[0-9]+(\.[0-9]+)?\s*$' go.mod tests/**/go.mod v1/**/go.mod 2>/dev/null || trueRepository: openshift/oc-mirror
Length of output: 1380
🏁 Script executed:
set -euo pipefail
for f in .ci-operator.yaml .golangci.yaml .golangci.v2.yaml Dockerfile Dockerfile.tests-extension Makefile images/cli/Dockerfile.ci images/cli/Dockerfile.art .github/dependabot.yml; do
if [ -f "$f" ]; then
printf '\n== %s ==\n' "$f"
rg -n 'go1\.[0-9]+(\.[0-9]+)?|toolchain|GOTOOLCHAIN|GO_VERSION|GOVERSION|golang:[^ ]+' "$f" || true
fi
doneRepository: openshift/oc-mirror
Length of output: 1271
🌐 Web query:
Go 1.26.4 1.26.5 release notes security fixes
💡 Result:
Go versions 1.26.4 and 1.26.5 are both security releases of the Go programming language [1][2]. Go 1.26.4 Released on June 2, 2026, this version addressed three security issues [1][3]: - mime: Fixed a quadratic complexity issue in WordDecoder.DecodeHeader, where maliciously crafted MIME headers could consume excessive CPU (CVE-2026-42504) [4][5]. - net/textproto: Fixed an issue where arbitrary input was included in errors without proper escaping, potentially allowing an attacker to inject misleading content or terminal control bytes into logs or output (CVE-2026-42507) [3][4]. - crypto/x509: Resolved a performance issue where candidate hostnames were split repeatedly in a loop during VerifyHostname, leading to quadratic scaling overhead (CVE-2026-27145) [3][4]. Go 1.26.5 Released on July 7, 2026, this version addressed two additional security issues [2][6]: - os: Fixed a root escape vulnerability on Unix systems where opening a file in an os.Root would incorrectly follow symlinks outside of the root if the path ended in a trailing slash (CVE-2026-39822) [2][6]. - crypto/tls: Fixed a privacy leak in the Encrypted Client Hello (ECH) implementation, where pre-shared key identities could be leaked during the handshake, allowing passive observers to de-anonymize server hostnames (CVE-2026-42505) [2][6].
Citations:
- 1: https://go.dev/doc/devel/release
- 2: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
- 3: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
- 4: https://www.openwall.com/lists/oss-security/2026/06/03/2
- 5: https://www.mail-archive.com/[email protected]/msg55997.html
- 6: https://seclists.org/oss-sec/2026/q3/102
Bump the Go toolchain floor. go 1.26.3 is behind the current Go 1.26 security releases; move this to 1.26.5 and keep CI/build images aligned.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 3, Update the go directive in go.mod from Go 1.26.3 to
1.26.5, and align CI and build-image Go version references with 1.26.5.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/pkg/release/local_stored_collector.go`:
- Line 506: Update the logging calls around icm.Data.Stream and the
corresponding locations at lines 519 and 628 to avoid emitting raw ConfigMap
contents, image/release references, or errors. Replace them with allowlisted,
non-sensitive metadata or redact sensitive fields before passing values to
o.Log.Trace.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8bd351f7-663b-4bfc-b557-0922f3b48a89
📒 Files selected for processing (7)
internal/pkg/batch/common.gointernal/pkg/batch/concurrent_chan_worker.gointernal/pkg/cli/executor.gointernal/pkg/manifest/oci-manifest.gointernal/pkg/release/cincinnati.gointernal/pkg/release/local_stored_collector.gointernal/pkg/release/signature.go
| } | ||
|
|
||
| o.Log.Trace(fmt.Sprintf("data %v", icm.Data.Stream)) | ||
| o.Log.Trace("data %v", icm.Data.Stream) |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Avoid logging raw configuration and image references.
These calls log the complete ConfigMap stream, full image/release references, and raw errors. Those values may contain internal registry hostnames, customer data, or other sensitive details. Log only allowlisted metadata or redact sensitive fields before emission.
As per coding guidelines, Go files must flag logging that may expose passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data.
Also applies to: 519-519, 628-628
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@internal/pkg/release/local_stored_collector.go` at line 506, Update the
logging calls around icm.Data.Stream and the corresponding locations at lines
519 and 628 to avoid emitting raw ConfigMap contents, image/release references,
or errors. Replace them with allowlisted, non-sensitive metadata or redact
sensitive fields before passing values to o.Log.Trace.
Source: Coding guidelines
|
@r4f4: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
Bump
operator-framework/operator-registryandhelm/v3to a version where the containerd version used has the CVE-2026-53488 fix.Github / Jira issue: OCPBUGS-95470
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
Expected Outcome
Please describe the outcome expected from the tests.
Summary by CodeRabbit