fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504#3679
fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504#3679jkhelil wants to merge 1 commit into
Conversation
- Update go directive from 1.25.11 to 1.26.4 in go.mod - Addresses Go runtime vulnerabilities detected in image scan: CVE-2026-27145 (GO-2026-5037, CVSS 7.5, Important) CVE-2026-42504 (GO-2026-5038, CVSS 7.5, Important) - Both CVEs are fixed in Go 1.26.4 - Breaking changes: none expected (patch-level stdlib update) Resolves: SRVKP-12754 Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@jkhelil: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
CVE Details
These Go runtime vulnerabilities were detected in the
pipelines-rhel9-operatorcontainer image scan (ROSA-GovCloud compliance monitoring).Fix Summary
Updates the
godirective ingo.modfrom1.25.11to1.26.4to pull in the patched Go stdlib runtime.Change:
go.mod:go 1.25.11→go 1.26.4Test Results
✅ Build:
go build ./...— PASSED with Go 1.26.4✅ Unit tests:
go test -short ./pkg/...— ALL PASSED (no failures)Breaking Changes
None expected. This is a Go minor version bump (1.25 → 1.26) within a patch release that contains only security fixes for the identified CVEs.
Jira References
SRVKP-12754 — [GovCloud] pipelines-rhel9-operator - 5 CVEs (CRITICAL)
Verification Steps
go.moddeclaresgo 1.26.4go build ./...withGOTOOLCHAIN=go1.26.4make testlocallyRisk Assessment
Risk: Low
Automated fix — reviewed by CVE Fixer Bot