
chore(core): cve mitigation #2169

Closed
LopatinDmitr wants to merge 1 commit into main from chore/core/cve-mitigation

Conversation

@LopatinDmitr
Contributor

@LopatinDmitr LopatinDmitr commented Mar 30, 2026

Description

  • Fix CVE-2026-25679 (net/url): incorrect parsing of IPv6 host literals in net/url
  • Fix CVE-2026-27142 (html/template): URLs in meta content attribute actions are not escaped in html/template...
  • Fix CVE-2026-27139 (os): FileInfo can escape from a Root in the Go os module
  • Fix CVE-2026-33186 (gRPC-Go): authorization bypass via missing leading slash in :path

Also:

  • Bump go to 1.25.8

Why do we need it, and what problem does it solve?

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: fix
summary: Fixed vulnerabilities CVE-2026-25679, CVE-2026-27142, CVE-2026-27139, CVE-2026-33186.
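The net/url, html/template and os items are standard-library packages, so those three fixes reach a binary only through the toolchain it was built with, while the gRPC-Go fix reaches it through the module version linked in. A practical post-merge check is therefore to read the build info embedded in the shipped binaries rather than trusting go.mod. The checker below is an added example, not code from this PR or from the project: it uses debug/buildinfo to read a compiled binary, enforces the go1.25.8 floor the PR states, and takes per-module floors as command-line arguments, because the patched gRPC-Go version is not stated on this page. The binary path, the argument format and SampleBuildInfo (a constructed stand-in for exercising the checker without a real binary) are this example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// MinGo is the toolchain floor this PR sets ("Bump go to 1.25.8"). The net/url,
// html/template and os fixes ship with the toolchain, so anything older lacks them.
const MinGo = "go1.25.8"

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numbers and reports
// whether a pre-release suffix was present (Go pseudo-versions count as pre-release).
func parseSemver(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// SemverLess reports whether a < b. A pre-release or pseudo-version sorts below the
// release it precedes; a version that does not parse (e.g. "(devel)") is treated as
// too old so that it gets flagged rather than silently passing.
func SemverLess(a, b string) bool {
	na, pa, oka := parseSemver(a)
	nb, pb, okb := parseSemver(b)
	if !oka || !okb {
		return !oka
	}
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa && !pb
}

// CheckBuildInfo compares embedded build info against the toolchain floor and the
// per-module floors. Replace directives are honoured (the replacement is what is linked).
// Modules not linked into the binary are not affected and are skipped. Empty result = pass.
func CheckBuildInfo(bi *debug.BuildInfo, minGo string, floors map[string]string) []string {
	var findings []string
	if version.Compare(bi.GoVersion, minGo) < 0 {
		findings = append(findings, fmt.Sprintf("toolchain %q is older than %s", bi.GoVersion, minGo))
	}
	linked := map[string]string{}
	for _, d := range bi.Deps {
		if d.Replace != nil {
			linked[d.Replace.Path] = d.Replace.Version
		} else {
			linked[d.Path] = d.Version
		}
	}
	for path, floor := range floors {
		if got, ok := linked[path]; ok && SemverLess(got, floor) {
			findings = append(findings, fmt.Sprintf("module %s at %s, need >= %s", path, got, floor))
		}
	}
	return findings
}

// SampleBuildInfo is a constructed stand-in for buildinfo.ReadFile: it builds a
// BuildInfo from "path@version" strings so the checker can be exercised offline.
func SampleBuildInfo(goVersion string, mods ...string) *debug.BuildInfo {
	bi := &debug.BuildInfo{GoVersion: goVersion}
	for _, m := range mods {
		p, v, _ := strings.Cut(m, "@")
		bi.Deps = append(bi.Deps, &debug.Module{Path: p, Version: v})
	}
	return bi
}

// Assumed invocation: buildinfo-check <binary> [module@vMIN ...]
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: buildinfo-check <binary> [module@vMIN ...]")
		os.Exit(2)
	}
	floors := map[string]string{}
	for _, a := range os.Args[2:] {
		path, ver, ok := strings.Cut(a, "@")
		if !ok {
			fmt.Fprintf(os.Stderr, "bad floor %q, want module@vX.Y.Z\n", a)
			os.Exit(2)
		}
		floors[path] = ver
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := CheckBuildInfo(bi, MinGo, floors)
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
	fmt.Printf("OK: %s built with %s\n", os.Args[1], bi.GoVersion)
}
```

Run it against each built artifact as `go run check.go ./bin/<binary> google.golang.org/grpc@<patched version from go.mod>`; a non-zero exit means the bump did not land in that binary. `go version -m <binary>` prints the same embedded data for a manual look, and a `(devel)` toolchain string or a pseudo-version for grpc is deliberately reported as a failure rather than passed through.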

@LopatinDmitr LopatinDmitr self-assigned this Mar 30, 2026
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation branch from 2dbb97c to b78a850 (March 30, 2026 17:23)
@LopatinDmitr LopatinDmitr added this to the v1.8.0 milestone Mar 30, 2026
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation branch 11 times, most recently from e08c865 to 856efa1 (March 31, 2026 09:03)
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation branch from 856efa1 to 500c3e0 (March 31, 2026 12:37)
@LopatinDmitr LopatinDmitr deleted the chore/core/cve-mitigation branch April 1, 2026 09:14