
chore(core): cve mitigation 17-03-26 #2175

Open

LopatinDmitr wants to merge 3 commits into main from chore/core/fix-new-cve

Conversation

@LopatinDmitr
Contributor

@LopatinDmitr LopatinDmitr commented Mar 31, 2026

Description

  • Fix CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
  • Fix CVE-2026-27142 html/template: URLs in meta content attribute actions are not escaped in html/template...
  • Fix CVE-2026-27139 os: FileInfo can escape from a Root in golang os module
  • Fix CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path
  • Fix CVE-2026-34040 Moby has AuthZ plugin bypass when provided oversized request bodies
  • Fix CVE-2026-33997 Moby has an Off-by-one error in its plugin privilege validation

Also:

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: fix
summary: Fixed vulnerabilities CVE-2026-25679, CVE-2026-27142, CVE-2026-27139, CVE-2026-33186, CVE-2026-34040, CVE-2026-33997.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the chore/core/fix-new-cve branch from d75cb2c to 90c7c7e on April 1, 2026 08:51
@LopatinDmitr LopatinDmitr added this to the v1.8.0 milestone Apr 1, 2026
@LopatinDmitr LopatinDmitr changed the title from "Chore/core/fix new CVE" to "chore(core): cve mitigation 17-03-26" on Apr 1, 2026
@LopatinDmitr LopatinDmitr marked this pull request as ready for review April 1, 2026 09:01
diafour previously approved these changes Apr 1, 2026
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>