chore(core): cve mitigation 08-06-2026#2462

LopatinDmitr wants to merge 3 commits into
mainfrom
chore/core/cve-mitigation-08062026

Conversation

@LopatinDmitr

@LopatinDmitr LopatinDmitr commented Jun 9, 2026

Contributor

Description

Updated the project toolchain and base image set for the CVE mitigation batch from 2026-06-08:

  • bumped Go from 1.25.10 to 1.25.11 in workflows and all module go.mod files;
  • refreshed build/base-images/deckhouse_images.yml from base-images catalog v0.5.77 to v1.0.44;
  • updated GitHub Actions validation/build jobs to use the patched Go version.

Mitigated CVEs mentioned in the commit:

  • CVE-2026-42504 Decoding a maliciously-crafted MIME header containing many invalid enc ...
  • CVE-2026-27145 (*x509.Certificate).VerifyHostname previously called matchHostnames in ...
  • CVE-2026-42507 When returning errors, functions in the net/textproto package would in ...

Why do we need it, and what problem does it solve?

The module should be built and tested with a patched toolchain and patched base images to reduce exposure to known vulnerabilities in Go standard library behavior and in base image dependencies.

What is the expected result?

CI builds and validation jobs use Go 1.25.11, and module images are built from the refreshed pinned base image digests.
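A check that CI or a reviewer can run to confirm the bump landed everywhere, added here as an example (not code from this PR or the project): it scans the `go` and `toolchain` directives of every go.mod under a tree plus the `go-version` values in the GitHub Actions workflows and reports any file still pinned to another version. The sample tree it builds and the `go-version` key used by actions/setup-go are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: verify that every go.mod and every
# GitHub Actions workflow under a tree pins the expected Go version.
# Assumptions: go.mod carries "go X.Y.Z" (optionally "toolchain goX.Y.Z");
# workflows pin Go through a "go-version: X.Y.Z" key.

# check_go_versions EXPECTED ROOT
# Prints one line per file whose pinned Go version differs from EXPECTED.
# Returns 0 when every file matches, 1 otherwise.
check_go_versions() {
    expected="$1"; root="$2"; status=0
    # go.mod: the "go" directive and any "toolchain goX.Y.Z" line
    for f in $(find "$root" -name go.mod); do
        for v in $(awk '$1=="go"{print $2} $1=="toolchain"{sub(/^go/,"",$2); print $2}' "$f"); do
            if [ "$v" != "$expected" ]; then
                echo "$f: pins $v, expected $expected"; status=1
            fi
        done
    done
    # workflows: every go-version value, with surrounding quotes stripped
    for f in $(find "$root/.github/workflows" -name '*.yml' 2>/dev/null); do
        for v in $(sed -n 's/.*go-version:[[:space:]]*//p' "$f" | tr -d "\"'"); do
            if [ "$v" != "$expected" ]; then
                echo "$f: pins $v, expected $expected"; status=1
            fi
        done
    done
    return $status
}

# Constructed sample tree: two modules and one workflow, module b still old.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/a" "$d/modules/b" "$d/.github/workflows"
    printf 'module a\n\ngo 1.25.11\n' > "$d/modules/a/go.mod"
    printf 'module b\n\ngo 1.25.10\n' > "$d/modules/b/go.mod"
    printf 'steps:\n  - uses: actions/setup-go@v5\n    with:\n      go-version: "1.25.11"\n' \
        > "$d/.github/workflows/build.yml"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    check_go_versions 1.25.11 "$t" && echo "all files pinned to 1.25.11"
fi
```

Run with `--demo` to see the stale module reported; in a real tree point it at the repository root instead.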

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-42504
  - CVE-2026-27145
  - CVE-2026-42507

@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation-08062026 branch from 6022ff3 to b5d6490 Compare June 9, 2026 13:38
@LopatinDmitr LopatinDmitr added this to the v1.9.0 milestone Jun 9, 2026
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation-08062026 branch 4 times, most recently from 3083210 to 99c6a02 Compare June 9, 2026 19:10
- CVE-2026-42504 Decoding a maliciously-crafted MIME header containing many invalid enc ...
- CVE-2026-27145 (*x509.Certificate).VerifyHostname previously called matchHostnames in ...
- CVE-2026-42507 When returning errors, functions in the net/textproto package would in ...

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the chore/core/cve-mitigation-08062026 branch from 99c6a02 to d5157c7 Compare June 9, 2026 20:08
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
@Isteb4k Isteb4k removed this from the v1.9.0 milestone Jun 10, 2026
@LopatinDmitr LopatinDmitr added this to the v1.9.1 milestone Jun 10, 2026