Skip to content

OCPBUGS-95470: bump deps for containerd CVE fix#1473

Open
r4f4 wants to merge 2 commits into
openshift:mainfrom
r4f4:ocpbugs-95470-containerd-cve
Open

OCPBUGS-95470: bump deps for containerd CVE fix#1473
r4f4 wants to merge 2 commits into
openshift:mainfrom
r4f4:ocpbugs-95470-containerd-cve

Conversation

@r4f4

@r4f4 r4f4 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

Bump operator-framework/operator-registry and helm/v3 to a version where the containerd version used has the CVE-2026-53488 fix.

Github / Jira issue: OCPBUGS-95470

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Summary by CodeRabbit

  • Chores
    • Updated Go to 1.26.3 and refreshed key dependency versions across Kubernetes/Helm/Podman, Operator Framework, Git, CEL, and OpenTelemetry.
  • Bug Fixes
    • Improved logging for errors and trace output to make messages clearer and more consistent.
    • Adjusted signature cache file permissions for improved security.

Bump `operator-framework/operator-registry` and `helm/v3` to a version
where the containerd version used has the CVE-2026-53488 fix.
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 14, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@r4f4: This pull request references Jira Issue OCPBUGS-95470, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description

Bump operator-framework/operator-registry and helm/v3 to a version where the containerd version used has the CVE-2026-53488 fix.

Github / Jira issue: OCPBUGS-95470

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

Copy link
Copy Markdown

@r4f4: This pull request references Jira Issue OCPBUGS-95470, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Description

Bump operator-framework/operator-registry and helm/v3 to a version where the containerd version used has the CVE-2026-53488 fix.

Github / Jira issue: OCPBUGS-95470

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Code Improvements (Refactoring, Performance, CI upgrades, etc)
  • Internal repo assets (diagrams / docs on github repo)
  • This change requires a documentation update on openshift docs

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Expected Outcome

Please describe the outcome expected from the tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Walkthrough

Updated the Go toolchain directive and refreshed direct and indirect dependencies in go.mod, including application, container, Kubernetes, and OpenTelemetry modules. Selected logging calls now use explicit format strings, and signature cache writes use an octal permission literal.

Changes

Dependency and logging refresh

Layer / File(s) Summary
Go toolchain and dependency refresh
go.mod
Go 1.26.3 and application, container, Kubernetes, OpenTelemetry, and related module versions were updated or removed.
Logging and cache write updates
internal/pkg/batch/common.go, internal/pkg/batch/concurrent_chan_worker.go, internal/pkg/cli/executor.go, internal/pkg/manifest/oci-manifest.go, internal/pkg/release/*.go
Selected log calls now use explicit formatting verbs, one progress call was reformatted, and signature cache writes use 0o600.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: dorzel, adolfo-ab


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error PR logs raw ConfigMap stream and release/image refs in local_stored_collector.go, which can expose internal hostnames or customer data. Redact or whitelist logged fields; remove raw icm.Data.Stream/image refs and avoid emitting full releaseImage/error text.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: dependency bumps to pick up a containerd CVE fix for OCPBUGS-95470.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No test files or Ginkgo titles were changed; the PR only touches non-test Go code.
Test Structure And Quality ✅ Passed No Ginkgo test code was changed; the PR only updates go.mod/go.sum and non-test logging code, so this test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff only touches go.mod and internal/pkg code, with no MicroShift-sensitive APIs or test constructs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PASS: The PR only changes go.mod and logging code; no new Ginkgo e2e tests or multi-node assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Diff only changes logging/formatting and a cache file mode; no manifests, controllers, replicas, affinity, nodeSelectors, or topology logic were added.
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes were added; the diff only changes internal logger formatting and dependency versions, and doesn’t touch main/init/TestMain/suite setup.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests were added or changed; the commit only touches go.mod and non-test logging code, and the diff has no It/Describe/Context/When additions.
No-Weak-Crypto ✅ Passed Touched hunks only change logging format and a file mode; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were added.
Container-Privileges ✅ Passed The commit only changes Go source files; no K8s/container manifests were modified, and scans found no privileged/hostPID/hostNetwork/allowPrivilegeEscalation/SYS_ADMIN settings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from adolfo-ab and dorzel July 14, 2026 13:23
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: r4f4

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 17: Update the operator-registry dependency in go.mod from the unreleased
pseudo-version to the stable tagged release v1.72.0. Preserve the existing
dependency configuration and do not retain the pseudo-version unless an approved
exception and provenance documentation are provided.
- Line 3: Update the go directive in go.mod from Go 1.26.3 to 1.26.5, and align
CI and build-image Go version references with 1.26.5.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e896894d-97d0-449d-b22f-db34bc8d5938

📥 Commits

Reviewing files that changed from the base of the PR and between 4cbc362 and b63ba75.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
module github.com/openshift/oc-mirror/v2

go 1.25.7
go 1.26.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

set -euo pipefail

printf '\n== go.mod ==\n'
cat -n go.mod | sed -n '1,80p'

printf '\n== matching build/toolchain files ==\n'
git ls-files | rg '(^|/)(go\.mod|go\.sum|Makefile|Dockerfile|dockerfile|\.github/workflows/.*|.*\.ya?ml|.*\.sh)$' || true

printf '\n== search for Go version/toolchain references ==\n'
rg -n --hidden --glob '!.git' 'go 1\.26|toolchain go1\.26|go1\.26\.|GOTOOLCHAIN|1\.26\.3|1\.26\.5|1\.26\.4' .

printf '\n== go env if available ==\n'
(go version && go env GOTOOLCHAIN GOFLAGS GOVERSION) || true

Repository: openshift/oc-mirror

Length of output: 50376


🏁 Script executed:

set -euo pipefail

printf '\n== version pins in key config files ==\n'
rg -n --hidden --glob '!.git' --glob '.github/workflows/*' --glob '.ci-operator.yaml' --glob '.golangci*.yaml' --glob 'Dockerfile*' --glob 'Makefile' --glob 'images/**' --glob 'hack/**' \
  'go1\.[0-9]+(\.[0-9]+)?|golang:[^ ]+|GO_VERSION|GOVERSION|toolchain|GOTOOLCHAIN|1\.26\.3|1\.26\.4|1\.26\.5' \
  .github .ci-operator.yaml .golangci.yaml .golangci.v2.yaml Dockerfile Dockerfile.tests-extension Makefile images hack 2>/dev/null || true

printf '\n== go directive occurrences ==\n'
rg -n --hidden --glob '!.git' '^\s*go\s+1\.[0-9]+(\.[0-9]+)?\s*$|^\s*toolchain\s+go1\.[0-9]+(\.[0-9]+)?\s*$' go.mod tests/**/go.mod v1/**/go.mod 2>/dev/null || true

Repository: openshift/oc-mirror

Length of output: 1380


🏁 Script executed:

set -euo pipefail

for f in .ci-operator.yaml .golangci.yaml .golangci.v2.yaml Dockerfile Dockerfile.tests-extension Makefile images/cli/Dockerfile.ci images/cli/Dockerfile.art .github/dependabot.yml; do
  if [ -f "$f" ]; then
    printf '\n== %s ==\n' "$f"
    rg -n 'go1\.[0-9]+(\.[0-9]+)?|toolchain|GOTOOLCHAIN|GO_VERSION|GOVERSION|golang:[^ ]+' "$f" || true
  fi
done

Repository: openshift/oc-mirror

Length of output: 1271


🌐 Web query:

Go 1.26.4 1.26.5 release notes security fixes

💡 Result:

Go versions 1.26.4 and 1.26.5 are both security releases of the Go programming language [1][2]. Go 1.26.4 Released on June 2, 2026, this version addressed three security issues [1][3]: - mime: Fixed a quadratic complexity issue in WordDecoder.DecodeHeader, where maliciously crafted MIME headers could consume excessive CPU (CVE-2026-42504) [4][5]. - net/textproto: Fixed an issue where arbitrary input was included in errors without proper escaping, potentially allowing an attacker to inject misleading content or terminal control bytes into logs or output (CVE-2026-42507) [3][4]. - crypto/x509: Resolved a performance issue where candidate hostnames were split repeatedly in a loop during VerifyHostname, leading to quadratic scaling overhead (CVE-2026-27145) [3][4]. Go 1.26.5 Released on July 7, 2026, this version addressed two additional security issues [2][6]: - os: Fixed a root escape vulnerability on Unix systems where opening a file in an os.Root would incorrectly follow symlinks outside of the root if the path ended in a trailing slash (CVE-2026-39822) [2][6]. - crypto/tls: Fixed a privacy leak in the Encrypted Client Hello (ECH) implementation, where pre-shared key identities could be leaked during the handshake, allowing passive observers to de-anonymize server hostnames (CVE-2026-42505) [2][6].

Citations:


Bump the Go toolchain floor. go 1.26.3 is behind the current Go 1.26 security releases; move this to 1.26.5 and keep CI/build images aligned.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, Update the go directive in go.mod from Go 1.26.3 to
1.26.5, and align CI and build-image Go version references with 1.26.5.

Comment thread go.mod

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/pkg/release/local_stored_collector.go`:
- Line 506: Update the logging calls around icm.Data.Stream and the
corresponding locations at lines 519 and 628 to avoid emitting raw ConfigMap
contents, image/release references, or errors. Replace them with allowlisted,
non-sensitive metadata or redact sensitive fields before passing values to
o.Log.Trace.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8bd351f7-663b-4bfc-b557-0922f3b48a89

📥 Commits

Reviewing files that changed from the base of the PR and between b63ba75 and b9a633b.

📒 Files selected for processing (7)
  • internal/pkg/batch/common.go
  • internal/pkg/batch/concurrent_chan_worker.go
  • internal/pkg/cli/executor.go
  • internal/pkg/manifest/oci-manifest.go
  • internal/pkg/release/cincinnati.go
  • internal/pkg/release/local_stored_collector.go
  • internal/pkg/release/signature.go

}

o.Log.Trace(fmt.Sprintf("data %v", icm.Data.Stream))
o.Log.Trace("data %v", icm.Data.Stream)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid logging raw configuration and image references.

These calls log the complete ConfigMap stream, full image/release references, and raw errors. Those values may contain internal registry hostnames, customer data, or other sensitive details. Log only allowlisted metadata or redact sensitive fields before emission.

As per coding guidelines, Go files must flag logging that may expose passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data.

Also applies to: 519-519, 628-628

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/release/local_stored_collector.go` at line 506, Update the
logging calls around icm.Data.Stream and the corresponding locations at lines
519 and 628 to avoid emitting raw ConfigMap contents, image/release references,
or errors. Replace them with allowlisted, non-sensitive metadata or redact
sensitive fields before passing values to o.Log.Trace.

Source: Coding guidelines

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

@r4f4: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants