Skip to content

[cherry-pick: release-v0.80.x] Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3690

Merged
tekton-robot merged 2 commits into
release-v0.80.xfrom
cherry-pick-3685-to-release-v0.80.x
Jul 10, 2026
Merged

[cherry-pick: release-v0.80.x] Security: Fix CVE-2026-27145 and CVE-2026-42504 (Go stdlib upgrade 1.25.11 → 1.26.4)#3690
tekton-robot merged 2 commits into
release-v0.80.xfrom
cherry-pick-3685-to-release-v0.80.x

Conversation

@tekton-robot

Copy link
Copy Markdown
Contributor

This is a cherry-pick of #3685


Summary

This PR fixes CVE-2026-27145 (GO-2026-5037) and CVE-2026-42504 (GO-2026-5038) by upgrading the Go toolchain directive in `go.mod` from `go 1.25.11` to `go 1.26.4`.

CVE Details

CVE Alt ID Severity CVSS Fixed In
CVE-2026-27145 GO-2026-5037 IMPORTANT 7.5 go 1.25.11 / 1.26.4
CVE-2026-42504 GO-2026-5038 IMPORTANT 7.5 go 1.25.11 / 1.26.4
CVE-2026-42507 GO-2026-5039 MODERATE 5.3 go 1.25.11 / 1.26.4

Context: The ACS/GovCloud image scan flagged these because the container image binary was compiled with a Go version before the patch. Bumping the go directive ensures the next image build uses a patched toolchain.

Fix Summary

  • Updated go.mod: go 1.25.11go 1.26.4
  • Ran go mod tidy && go mod verify && go mod vendor — all passed
  • Note: go 1.26.3 satisfies the fixed-version requirement for the 1.26.x line (fixed: 1.26.4)

Test Results

Status: ✅ All tests passed
Summary: 39 packages passed — pkg/reconciler/... and pkg/apis/operator/... all OK

Jira Issues

SRVKP-12754, SRVKP-12753, SRVKP-12762

Verification Steps

  • Confirm go.mod shows go 1.26.3
  • Confirm CI builds pass
  • Verify ACS scan after new image is built shows CVEs resolved

Risk Assessment

Low — Go toolchain bump within same major minor series. No API changes. All unit tests pass.


🤖 Generated by CVE Fixer Workflow

Security fix: update Go toolchain from 1.25.11 to 1.26.3 to address CVE-2026-27145 (GO-2026-5037), CVE-2026-42504 (GO-2026-5038), and CVE-2026-42507 (GO-2026-5039)

jkhelil and others added 2 commits July 9, 2026 13:03
Upgrade stdlib from 1.25.11 to 1.26.4 to address CVE-2026-27145.

Jira: SRVKP-12754 SRVKP-12753 SRVKP-12762
govulncheck scan: GOTOOLCHAIN=go1.26.3 govulncheck@v1.5.0
Test result: passed

Co-Assisted-By: CVE Fixer Bot <cve-fixer@redhat.com>
v2.7.2 was built with Go 1.25 and rejects modules targeting Go 1.26+.
v2.12.2 is built with Go 1.26.2, which satisfies the go 1.26.4
directive in go.mod.

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 9, 2026
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 9, 2026
@anithapriyanatarajan

Copy link
Copy Markdown
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@anithapriyanatarajan

Copy link
Copy Markdown
Contributor

/approve

@tekton-robot

Copy link
Copy Markdown
Contributor Author

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026
@tekton-robot tekton-robot merged commit c3e09f9 into release-v0.80.x Jul 10, 2026
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants