Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3685
Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3685jkhelil wants to merge 2 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
df5c444 to
08a449b
Compare
Upgrade stdlib from 1.25.11 to 1.26.4 to address CVE-2026-27145. Jira: SRVKP-12754 SRVKP-12753 SRVKP-12762 govulncheck scan: GOTOOLCHAIN=go1.26.3 govulncheck@v1.5.0 Test result: passed Co-Assisted-By: CVE Fixer Bot <cve-fixer@redhat.com>
08a449b to
839d2d6
Compare
v2.7.2 was built with Go 1.25 and rejects modules targeting Go 1.26+. v2.12.2 is built with Go 1.26.2, which satisfies the go 1.26.4 directive in go.mod. Signed-off-by: Jawed khelil <jkhelil@redhat.com> Assisted-by: Claude Sonnet 4.6 (via Cursor) Co-authored-by: Cursor <cursoragent@cursor.com>
Merging this branch will not change overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. Changed unit test files
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3685 +/- ##
=======================================
Coverage ? 23.48%
=======================================
Files ? 471
Lines ? 26750
Branches ? 0
=======================================
Hits ? 6282
Misses ? 19697
Partials ? 771
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Summary
This PR fixes CVE-2026-27145 (GO-2026-5037) and CVE-2026-42504 (GO-2026-5038) by upgrading the Go toolchain directive in `go.mod` from `go 1.25.11` to `go 1.26.4`.
CVE Details
Context: The ACS/GovCloud image scan flagged these because the container image binary was compiled with a Go version before the patch. Bumping the
godirective ensures the next image build uses a patched toolchain.Fix Summary
go.mod:go 1.25.11→go 1.26.4go mod tidy && go mod verify && go mod vendor— all passedTest Results
Status: ✅ All tests passed
Summary: 39 packages passed —
pkg/reconciler/...andpkg/apis/operator/...all OKJira Issues
SRVKP-12754, SRVKP-12753, SRVKP-12762
Verification Steps
go.modshowsgo 1.26.3Risk Assessment
Low — Go toolchain bump within same major minor series. No API changes. All unit tests pass.
🤖 Generated by CVE Fixer Workflow