fix(cve): upgrade Go stdlib to 1.26.4 to address CVE-2026-27145 and CVE-2026-42504 (operator-webhook)#3680
Conversation
- Update go directive from 1.25.11 to 1.26.4 in go.mod - Addresses Go runtime vulnerabilities in pipelines-operator-webhook-rhel9: CVE-2026-27145 (GO-2026-5037, CVSS 7.5, Important) CVE-2026-42504 (GO-2026-5038, CVSS 7.5, Important) - Both CVEs are fixed in Go 1.26.4 Resolves: SRVKP-12762 Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@jkhelil: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
CVE Details
Detected in the
pipelines-operator-webhook-rhel9container image scan (ROSA-GovCloud compliance monitoring).Fix Summary
Updates the
godirective ingo.modfrom1.25.11to1.26.4to pull in the patched Go stdlib runtime.Change:
go.mod:go 1.25.11→go 1.26.4Test Results
✅ Build:
go build ./...— PASSED with Go 1.26.4✅ Unit tests:
go test -short ./pkg/...— ALL PASSED✅ go mod verify — all modules verified
Breaking Changes
None expected. Patch-level stdlib security update within Go 1.26.x.
Jira References
SRVKP-12762 — [GovCloud] pipelines-operator-webhook-rhel9 - 4 CVEs (CRITICAL)
Verification Steps
go.moddeclaresgo 1.26.4make testlocallyRisk Assessment
Risk: Low — Single-line change to go directive, all tests pass, no API changes.
Automated fix — reviewed by CVE Fixer Bot