Skip to content

Fix 14 CVEs (CVE-2026-25681, CVE-2026-27136, CVE-2026-33814, ...)#41

Closed
oadp-rebasebot-app[bot] wants to merge 1 commit into
migtools:oadp-1.5from
oadp-rebasebot:cve-fix/oadp-1.5/20260713-1
Closed

Fix 14 CVEs (CVE-2026-25681, CVE-2026-27136, CVE-2026-33814, ...)#41
oadp-rebasebot-app[bot] wants to merge 1 commit into
migtools:oadp-1.5from
oadp-rebasebot:cve-fix/oadp-1.5/20260713-1

Conversation

@oadp-rebasebot-app

Copy link
Copy Markdown

CVE Fixes

Automated scan found 14 fixable Go dependency CVE(s) in migtools/kopia on branch oadp-1.5.

CVE Severity Package Fixed Version Description
CVE-2026-25681 HIGH golang.org/x/net 0.55.0 golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
CVE-2026-27136 HIGH golang.org/x/net 0.55.0 golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass
CVE-2026-33814 HIGH golang.org/x/net 0.53.0 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
CVE-2026-34986 HIGH github.com/go-jose/go-jose/v4 4.1.4 github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
CVE-2026-39821 HIGH golang.org/x/net 0.55.0 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
CVE-2026-39828 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
CVE-2026-39829 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
CVE-2026-39830 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
CVE-2026-39831 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check
CVE-2026-39832 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
CVE-2026-39835 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
CVE-2026-42508 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
CVE-2026-46595 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
CVE-2026-46597 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs

How this was fixed

  • go get <package>@<fixed_version> for each vulnerable dependency
  • go mod tidy to clean up

Generated by cve-scan pipeline

- CVE-2026-25681: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-27136: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-33814: golang.org/x/net v0.52.0 → 0.53.0
- CVE-2026-34986: github.com/go-jose/go-jose/v4 v4.1.3 → 4.1.4
- CVE-2026-39821: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-39828: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39829: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39830: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39831: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39832: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39835: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-42508: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-46595: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-46597: golang.org/x/crypto v0.49.0 → 0.52.0
@openshift-ci
openshift-ci Bot requested review from sseago and weshayutin July 13, 2026 10:38
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign weshayutin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@oadp-snyk

oadp-snyk commented Jul 13, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (oadp-1.5@a89770b). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             oadp-1.5      #41   +/-   ##
===========================================
  Coverage            ?   77.51%           
===========================================
  Files               ?      527           
  Lines               ?    30397           
  Branches            ?        0           
===========================================
  Hits                ?    23562           
  Misses              ?     4820           
  Partials            ?     2015           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants