Skip to content

Bump opencontainers/selinux to v1.13.0 (CVE-2025-52881)#1466

Merged
dymurray merged 1 commit into
migtools:masterfrom
midays:fix-dependency-cves-master
Jul 13, 2026
Merged

Bump opencontainers/selinux to v1.13.0 (CVE-2025-52881)#1466
dymurray merged 1 commit into
migtools:masterfrom
midays:fix-dependency-cves-master

Conversation

@midays

@midays midays commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps github.com/opencontainers/selinux from v1.12.0 to v1.13.0 to address CVE-2025-52881 (arbitrary write gadgets and procfs write redirects)
  • Transitively bumps github.com/cyphar/filepath-securejoin v0.4.1 → v0.6.0 and pulls in cyphar.com/go-pathrs v0.2.1
  • The existing containers/storage => v1.54.0 replace directive already anticipated this bump (see comment in go.mod) to avoid a filepath-securejoin conflict, so no further changes were needed there
  • Same fix as Bump opencontainers/selinux to v1.13.0 (CVE-2025-52881) #1465, applied to master

Test plan

  • go build ./... succeeds (pre-existing unrelated failures in tests/test_helper.go and gpgme/pkg-config confirmed present on master before this change too)
  • CI build/SBOM confirms opencontainers/selinux v1.13.0 present in mig-controller image

Summary by CodeRabbit

  • Chores
    • Updated supporting components used for secure path handling and SELinux integration.
    • No user-facing features or behavior changes were introduced.

Fixes CVE-2025-52881 (arbitrary write gadgets and procfs write
redirects). The containers/storage replace directive already pinned
v1.54.0 in anticipation of this bump to avoid a filepath-securejoin
version conflict.
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1efe2487-c539-42c2-9882-36e772058f9c

📥 Commits

Reviewing files that changed from the base of the PR and between 4ce4d3c and 6215d63.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

📝 Walkthrough

Walkthrough

The pull request updates indirect Go module requirements in go.mod, adding cyphar.com/go-pathrs and upgrading github.com/cyphar/filepath-securejoin and github.com/opencontainers/selinux.

Changes

Dependency updates

Layer / File(s) Summary
Update indirect module requirements
go.mod
Adds cyphar.com/go-pathrs at v0.2.1 and upgrades github.com/cyphar/filepath-securejoin to v0.6.0 and github.com/opencontainers/selinux to v1.13.0.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main change: bumping opencontainers/selinux to v1.13.0 to address the CVE.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@dymurray
dymurray merged commit c2e8dc5 into migtools:master Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants