From 307b195d9d9a1aa95eef85af040be014114210a8 Mon Sep 17 00:00:00 2001 From: Mauro Antonio Sanz Date: Wed, 6 May 2026 10:23:15 -0300 Subject: [PATCH 1/4] bump versions --- docker/Dockerfile.proxy | 4 ++-- docker/Dockerfile.synchronizer | 4 ++-- go.mod | 12 ++++++------ go.sum | 10 ++++++++++ 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy index 24941446..6b7df0a3 100644 --- a/docker/Dockerfile.proxy +++ b/docker/Dockerfile.proxy @@ -1,5 +1,5 @@ # Build stage -FROM golang:1.26.1-trixie AS builder +FROM golang:1.26.2-trixie AS builder ARG EXTRA_BUILD_ARGS ARG FIPS_MODE @@ -17,7 +17,7 @@ RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \ fi' # Runner stage -FROM debian:13.3 AS runner +FROM debian:13.4 AS runner RUN apt update -y RUN apt upgrade -y diff --git a/docker/Dockerfile.synchronizer b/docker/Dockerfile.synchronizer index 6c043737..f7b3ca48 100644 --- a/docker/Dockerfile.synchronizer +++ b/docker/Dockerfile.synchronizer @@ -1,5 +1,5 @@ # Build stage -FROM golang:1.26.1-trixie AS builder +FROM golang:1.26.2-trixie AS builder ARG EXTRA_BUILD_ARGS ARG FIPS_MODE @@ -18,7 +18,7 @@ RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \ fi' # Runner stage -FROM debian:13.3 AS runner +FROM debian:13.4 AS runner RUN apt update -y RUN apt upgrade -y diff --git a/go.mod b/go.mod index c0d537e9..8187c021 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/splitio/split-synchronizer/v5 -go 1.26.1 +go 1.26.2 require ( github.com/gin-contrib/cors v1.6.0 
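Review bot: The changed `FROM` lines in docker/Dockerfile.proxy, and the same pair in docker/Dockerfile.synchronizer, still reference the base images by tag only, so the build meant to carry the CVE fixes is not tied to specific image contents. Pinning by digest next to the tag makes the bump reproducible and reviewable, e.g. `FROM golang:1.26.2-trixie@sha256:<builder-image-digest> AS builder` and `FROM debian:13.4@sha256:<runner-image-digest> AS runner` (placeholders; take the values from the registry). The runner stage also runs `apt upgrade -y` in the unchanged context lines, so the final package set depends on build time either way. If that is intentional, it deserves a comment such as `# runner packages are upgraded at build time; image contents vary per build`.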
@@ -44,12 +44,12 @@ require ( github.com/stretchr/objx v0.5.2 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/ugorji/go/codec v1.3.0 // indirect - golang.org/x/arch v0.25.0 // indirect - golang.org/x/crypto v0.49.0 // indirect - golang.org/x/net v0.52.0 // indirect + golang.org/x/arch v0.26.0 // indirect + golang.org/x/crypto v0.50.0 // indirect + golang.org/x/net v0.53.0 // indirect golang.org/x/sync v0.20.0 // indirect - golang.org/x/sys v0.42.0 // indirect - golang.org/x/text v0.35.0 // indirect + golang.org/x/sys v0.43.0 // indirect + golang.org/x/text v0.36.0 // indirect google.golang.org/protobuf v1.36.8 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 8bef6719..50807875 100644 --- a/go.sum +++ b/go.sum 
@@ -99,22 +99,32 @@ go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE= golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8= +golang.org/x/arch v0.26.0 h1:jZ6dpec5haP/fUv1kLCbuJy6dnRrfX6iVK08lZBFpk4= +golang.org/x/arch v0.26.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8= golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= +golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= +golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA= +golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/sys v0.43.0 
h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= +golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From f573954dd46509957a6396ebd2a6e5c4f28d281c Mon Sep 17 00:00:00 2001 From: Mauro Antonio Sanz Date: Wed, 6 May 2026 10:33:15 -0300 Subject: [PATCH 2/4] update CHANGES.txt --- CHANGES.txt | 6 ++++++ splitio/version.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES.txt b/CHANGES.txt index 343e473a..b87eb93f 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,3 +1,9 @@ + +5.12.2 (May 7, 2026) +- Fixed vulnerabilities: + - H: CVE-2026-33810, CVE-2026-32283, CVE-2026-32281, CVE-2026-32280 + - M: CVE-2026-32282, CVE-2026-32289, CVE-2026-32288 + 5.12.2 (Apr 7, 2026) - Updated golang image to 1.26.1 - Updated golang.org/x/arch to v0.25.0 diff --git a/splitio/version.go b/splitio/version.go index 65621a53..3dec35e7 100644 --- a/splitio/version.go +++ b/splitio/version.go @@ -2,4 +2,4 @@ package splitio // Version is the version of this Agent -const Version = "5.12.2" +const Version = "5.12.3-rc.1" From fecae55c08fabd52c0acc04ee942445f1627c409 Mon Sep 17 00:00:00 2001 From: Mauro Antonio Sanz Date: Wed, 6 May 2026 11:30:10 -0300 Subject: [PATCH 3/4] update changes.txt --- CHANGES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.txt b/CHANGES.txt index b87eb93f..f7aac509 100644 --- a/CHANGES.txt 
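Review bot: `const Version = "5.12.3-rc.1"` in splitio/version.go does not match the changelog, which by the end of this series heads the entry as 5.12.3. If this series is what gets tagged for release, the constant should read `const Version = "5.12.3"`. If the rc suffix is deliberate for a pre-release build, a comment on the constant saying so would prevent it from shipping by accident. The test.yml context line in patch 4/4 derives `VERSION` from this file with awk, so the suffix would presumably propagate to whatever consumes that variable.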
+++ b/CHANGES.txt @@ -1,5 +1,5 @@ -5.12.2 (May 7, 2026) +5.12.3 (May 7, 2026) - Fixed vulnerabilities: - H: CVE-2026-33810, CVE-2026-32283, CVE-2026-32281, CVE-2026-32280 - M: CVE-2026-32282, CVE-2026-32289, CVE-2026-32288 From 9d74b984c9180155bc3d5a51344b4edceb15ef7d Mon Sep 17 00:00:00 2001 From: Mauro Antonio Sanz Date: Wed, 6 May 2026 11:37:21 -0300 Subject: [PATCH 4/4] update go version --- .github/workflows/s3.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/s3.yml b/.github/workflows/s3.yml index 7ab88e59..b831fcb7 100644 --- a/.github/workflows/s3.yml +++ b/.github/workflows/s3.yml @@ -25,7 +25,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: '1.26.1' + go-version: '1.26.2' - name: Create build folder run: mkdir -p build diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c47e97b0..d6894f61 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v6 with: - go-version: '1.26.1' + go-version: '1.26.2' - name: Get version run: echo "VERSION=$(awk '/^const Version/{gsub(/"/, "", $4); print $4}' splitio/version.go)" >> $GITHUB_ENV
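Review bot: `go-version: '1.26.2'` in .github/workflows/s3.yml, and again in .github/workflows/test.yml, is another hand-maintained copy of the toolchain version alongside go.mod and the two Dockerfiles. This series needed a separate commit to bring the workflows in line with the others. actions/setup-go can take the version from the module file with `go-version-file: 'go.mod'` in place of `go-version`, which keeps CI on the same patched toolchain as the `go` directive without a manual edit. Both jobs continue outside the hunks, so any later step that assumes a fixed version is not visible here.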