[release-4.18] OCPBUGS-80219: Fix CVE-2026-33186 using openshift-sustaining grpc-go fork#1041
[release-4.18] OCPBUGS-80219: Fix CVE-2026-33186 using openshift-sustaining grpc-go fork#1041katekeiroz-dev wants to merge 1 commit into
Conversation
|
@katekeiroz-dev: This pull request references Jira Issue OCPBUGS-80219, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: katekeiroz-dev The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/ok-to-test |
|
/retest-required |
2 similar comments
|
/retest-required |
|
/retest-required |
|
/jira refresh |
|
@dlom: This pull request references Jira Issue OCPBUGS-80219, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
…fork Uses openshift-sustaining/grpc-go v1.71.3-sec.1 fork which patches CVE-2026-33186 (gRPC-Go authorization bypass due to improper HTTP/2 path validation) while remaining compatible with Go 1.22. Signed-off-by: Kate Barreiros <kbarreir@redhat.com>
1d6888b to
3dc4cfe
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release-4.18 #1041 +/- ##
=============================================
Coverage 46.70% 46.70%
=============================================
Files 97 97
Lines 11970 11970
=============================================
Hits 5590 5590
Misses 5763 5763
Partials 617 617 🚀 New features to boost your workflow:
|
|
@katekeiroz-dev: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Summary
Fix CVE-2026-33186 (gRPC-Go authorization bypass due to improper HTTP/2 path validation) on release-4.18.
Uses the openshift-sustaining/grpc-go v1.71.3-sec.1 fork via a
replacedirective in go.mod. This fork patches the CVE while remaining compatible with Go 1.22 (the release-4.18 CI toolchain).Changes
replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1to go.modWhy the fork?
Upstream grpc-go v1.79.3 (which fixes the CVE directly) transitively requires Go 1.24+ dependencies (
go-jose/go-jose/v4@v4.1.3,cloud.google.com/go/compute/metadata), which are incompatible with the release-4.18 CI builder image (Go 1.22.9/1.22.12).Related: OCPBUGS-80219