
fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [release-v0.42.2]#2924

Open
divyansh42 wants to merge 1 commit into
release-v0.42.2from
fix/SRVKP-12559-SRVKP-12569-cve-2026-33811-cve-2026-39833-release-v0.42.2-attempt-1

Conversation

@divyansh42

Member

CVE Details

| CVE | Severity | Description | Fix |
| --- | --- | --- | --- |
| CVE-2026-33811 | Undefined | Go net package: Denial of Service via long CNAME response in LookupCNAME | Go stdlib 1.25.9 → 1.25.11 |
| CVE-2026-39833 | Undefined | golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation | x/crypto v0.47.0 → v0.52.0 |

Fix Summary

  • Updated Go stdlib directive in go.mod: go 1.25.9 → go 1.25.11
  • Updated golang.org/x/crypto: v0.47.0 → v0.52.0 (minimum safe patch per advisory)
  • Ran go mod tidy && go mod verify && go mod vendor — all passed ✅
  • Transitive upgrades: x/net v0.49.0→v0.54.0, x/sync v0.19.0→v0.20.0, x/sys v0.40.0→v0.45.0, x/term v0.39.0→v0.43.0, x/text v0.33.0→v0.37.0

Test Results

Tests PASSED: `go test -mod=vendor ./...`

All packages passed. Full suite including pkg/cmd/pipelinerun and pkg/cmd/taskrun.

Breaking Changes

None expected. This is a pure dependency version bump. The x/crypto update stays within the same major version (v0). stdlib bump is patch-level only.

Risk Assessment

Low — Patch-level updates only. All unit tests pass. No API surface changes in updated packages relevant to tkn CLI usage.

Jira References

SRVKP-12559, SRVKP-12569

Verification Steps

  • govulncheck scan shows CVE-2026-33811 and CVE-2026-39833 resolved
  • go test -mod=vendor ./... passes
  • go mod verify shows all modules verified
  • No regressions in CLI behavior

🤖 Generated with Claude Code
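The verification steps above can be turned into a repeatable gate. The following Go program is an added example, not code from this PR or from the tkn project: it parses a go.mod, extracts the `go` directive and the `require` versions, and reports anything still below the fixed versions the PR names (Go 1.25.11 for CVE-2026-33811, x/crypto v0.52.0 for CVE-2026-39833). The two go.mod fragments are constructed from the versions listed in the PR description; the module path `example.com/tkn-check` and the `minimums` table are assumptions. It does not replace `govulncheck`, which consults the vulnerability database; it is a cheap offline check that the bump actually landed in the file being reviewed.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// minimums lists the versions that carry the fixes named in the PR.
// Assumption: these are the only two entries the reviewer cares about here.
var minimums = map[string]string{
	"go":                  "1.25.11", // CVE-2026-33811 (net.LookupCNAME DoS)
	"golang.org/x/crypto": "v0.52.0", // CVE-2026-39833 (ssh/agent key confirmation)
}

// Constructed go.mod fragments: the state before and after the bump, using
// only the module versions quoted in the PR description.
const BeforeGoMod = `module example.com/tkn-check

go 1.25.9

require (
	golang.org/x/crypto v0.47.0
	golang.org/x/net v0.49.0 // indirect
	golang.org/x/sys v0.40.0 // indirect
)
`

const AfterGoMod = `module example.com/tkn-check

go 1.25.11

require (
	golang.org/x/crypto v0.52.0
	golang.org/x/net v0.54.0 // indirect
	golang.org/x/sys v0.45.0 // indirect
)
`

// parseVersion turns "1.25.11" or "v0.52.0" into three integer fields.
// A pre-release or build suffix ("-rc1", "+incompatible") is ignored.
func parseVersion(v string) ([]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	out := make([]int, 0, 3)
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out = append(out, n)
	}
	for len(out) < 3 {
		out = append(out, 0) // "1.25" compares as 1.25.0
	}
	return out, nil
}

// CompareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func CompareVersions(a, b string) (int, error) {
	av, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bv, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if av[i] < bv[i] {
			return -1, nil
		}
		if av[i] > bv[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// ModVersions extracts the go directive and every required module version.
// Both `require x vN` lines and `require ( ... )` blocks are handled; lines
// marked `// indirect` are kept because those modules still ship in the binary.
func ModVersions(gomod string) map[string]string {
	out := map[string]string{}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comment
		}
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		switch {
		case f[0] == "go" && len(f) == 2:
			out["go"] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) == 3:
			out[f[1]] = f[2]
		case inRequire && line == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// Outdated returns a sorted list of entries from minimums that are missing
// from the go.mod or still below the fixed version. Empty means the gate passes.
func Outdated(gomod string) []string {
	have := ModVersions(gomod)
	var bad []string
	for name, min := range minimums {
		got, ok := have[name]
		if !ok {
			bad = append(bad, name+" (missing)")
			continue
		}
		c, err := CompareVersions(got, min)
		if err != nil || c < 0 {
			bad = append(bad, fmt.Sprintf("%s %s < %s", name, got, min))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, gm := range []struct{ name, body string }{{"before", BeforeGoMod}, {"after", AfterGoMod}} {
		if bad := Outdated(gm.body); len(bad) > 0 {
			fmt.Printf("%s: NOT fixed: %s\n", gm.name, strings.Join(bad, "; "))
		} else {
			fmt.Printf("%s: all minimums met\n", gm.name)
		}
	}
}
```

In CI the same check would read the repository's real go.mod with `os.ReadFile` and fail the job when `Outdated` returns anything; keeping the comparison numeric rather than string-based avoids the classic mistake of treating "1.25.9" as newer than "1.25.11".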

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 24, 2026
@tekton-robot tekton-robot requested a review from chmouel June 24, 2026 09:27
@tekton-robot

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing /assign @vdemeester in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 24, 2026
@divyansh42 divyansh42 changed the title fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [pipelines-1.20] fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [release-v0.42.2] Jul 2, 2026
@divyansh42

Member Author

/release-note-none

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 2, 2026
- Update Go stdlib from 1.25.9 to 1.25.11
  Addresses CVE-2026-33811 (DoS via long CNAME response in net.LookupCNAME)
- Update golang.org/x/crypto from v0.47.0 to v0.52.0
  Addresses CVE-2026-39833 (security bypass in ssh/agent key confirmation)
- Also upgrades transitive deps: x/net, x/sync, x/sys, x/term, x/text

Resolves: SRVKP-12559, SRVKP-12569

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Divyanshu Agrawal <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/SRVKP-12559-SRVKP-12569-cve-2026-33811-cve-2026-39833-release-v0.42.2-attempt-1 branch from b9087d4 to 521b598 Compare July 2, 2026 17:42
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 2, 2026
@divyansh42

Member Author

/retest
