Skip to content

Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3685

Open
jkhelil wants to merge 2 commits into
mainfrom
fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-2
Open

Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3685
jkhelil wants to merge 2 commits into
mainfrom
fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-2

Conversation

@jkhelil

@jkhelil jkhelil commented Jul 8, 2026

Copy link
Copy Markdown
Member

Summary

This PR fixes CVE-2026-27145 (GO-2026-5037) and CVE-2026-42504 (GO-2026-5038) by upgrading the Go toolchain directive in `go.mod` from `go 1.25.11` to `go 1.26.4`.

CVE Details

CVE Alt ID Severity CVSS Fixed In
CVE-2026-27145 GO-2026-5037 IMPORTANT 7.5 go 1.25.11 / 1.26.4
CVE-2026-42504 GO-2026-5038 IMPORTANT 7.5 go 1.25.11 / 1.26.4
CVE-2026-42507 GO-2026-5039 MODERATE 5.3 go 1.25.11 / 1.26.4

Context: The ACS/GovCloud image scan flagged these because the container image binary was compiled with a Go version before the patch. Bumping the go directive ensures the next image build uses a patched toolchain.

Fix Summary

  • Updated go.mod: go 1.25.11go 1.26.4
  • Ran go mod tidy && go mod verify && go mod vendor — all passed
  • Note: go 1.26.3 satisfies the fixed-version requirement for the 1.26.x line (fixed: 1.26.4)

Test Results

Status: ✅ All tests passed
Summary: 39 packages passed — pkg/reconciler/... and pkg/apis/operator/... all OK

Jira Issues

SRVKP-12754, SRVKP-12753, SRVKP-12762

Verification Steps

  • Confirm go.mod shows go 1.26.3
  • Confirm CI builds pass
  • Verify ACS scan after new image is built shows CVEs resolved

Risk Assessment

Low — Go toolchain bump within same major minor series. No API changes. All unit tests pass.


🤖 Generated by CVE Fixer Workflow

Security fix: update Go toolchain from 1.25.11 to 1.26.3 to address CVE-2026-27145 (GO-2026-5037), CVE-2026-42504 (GO-2026-5038), and CVE-2026-42507 (GO-2026-5039)

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 8, 2026
@tekton-robot tekton-robot requested a review from enarha July 8, 2026 11:54
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot requested a review from khrm July 8, 2026 11:54
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 8, 2026
@jkhelil jkhelil force-pushed the fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-2 branch from df5c444 to 08a449b Compare July 8, 2026 12:36
Upgrade stdlib from 1.25.11 to 1.26.4 to address CVE-2026-27145.

Jira: SRVKP-12754 SRVKP-12753 SRVKP-12762
govulncheck scan: GOTOOLCHAIN=go1.26.3 govulncheck@v1.5.0
Test result: passed

Co-Assisted-By: CVE Fixer Bot <cve-fixer@redhat.com>
@jkhelil jkhelil force-pushed the fix/SRVKP-12754-cve-2026-27145-stdlib-main-attempt-2 branch from 08a449b to 839d2d6 Compare July 8, 2026 12:39
@jkhelil jkhelil changed the title Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.3) Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4) Jul 8, 2026
v2.7.2 was built with Go 1.25 and rejects modules targeting Go 1.26+.
v2.12.2 is built with Go 1.26.2, which satisfies the go 1.26.4
directive in go.mod.

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Merging this branch will not change overall coverage

Impacted Packages Coverage Δ 🤖
github.com/tektoncd/operator/pkg/reconciler/openshift/common 52.31% (ø)
github.com/tektoncd/operator/pkg/reconciler/proxy 3.65% (ø)

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/tektoncd/operator/pkg/reconciler/openshift/common/tlsprofile.go 31.19% (ø) 109 34 75
github.com/tektoncd/operator/pkg/reconciler/proxy/controller.go 0.00% (ø) 17 0 17

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

  • github.com/tektoncd/operator/pkg/reconciler/openshift/common/tlsprofile_test.go

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@7828e78). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3685   +/-   ##
=======================================
  Coverage        ?   23.48%           
=======================================
  Files           ?      471           
  Lines           ?    26750           
  Branches        ?        0           
=======================================
  Hits            ?     6282           
  Misses          ?    19697           
  Partials        ?      771           
Flag Coverage Δ
unit-tests 23.48% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants