
NO-JIRA: Bump golang.org/x/net to 0.56.0 to fix CVE#1514

Open
twoGiants wants to merge 1 commit into
openshift:mainfrom
twoGiants:no-jira-bump-net-package-for-cve-fix

Conversation

@twoGiants twoGiants commented Jul 3, 2026


Summary

Fixes CVE-2026-25681 which can cause XSS in golang.org/x/net/html. The html package is used indirectly by dependencies.

Additional Info

As per the RIT process documentation, the Jira ticket is not attached to this PR; I quote:

In some cases, a symbol level analysis will show that the component is not actually exposed to the vulnerability. In these cases the package should still be updated, but not attached to the bug.

References

Here is the closed issue golang/go#79574 in the go repo.

Summary by CodeRabbit

  • Chores
    • Updated several Go indirect dependencies to newer versions.
    • Brought the tooling module up to a newer Go release and removed an explicit toolchain pin.
    • Added one additional indirect tooling package to keep the development environment aligned and current.
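A check of the kind a reviewer of a dependency bump like this one might want, written in Go with the standard library only (an added example, not code from this pull request or from the openshift project): it parses go.mod require entries and confirms that both the root go.mod and tools/go.mod pin golang.org/x/net at or above v0.56.0, the release the PR bumps to, and it treats a pseudo-version of that release as not yet fixed. The go.mod texts are constructed samples, and the v0.55.0 pin in the tools sample is an assumed stale value, not one taken from the PR.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed samples, not the PR's real files: a root go.mod after the bump and a tools/go.mod still on an older x/net.
const rootGoMod = "module example.com/constructed\n\ngo 1.25.0\n\nrequire (\n\tgolang.org/x/crypto v0.48.0 // indirect\n\tgolang.org/x/net v0.56.0 // indirect\n)\n"
const toolsGoMod = "module example.com/constructed/tools\n\ngo 1.25.0\n\nrequire golang.org/x/net v0.55.0 // indirect\n"
// requiredVersion returns the version go.mod pins for modPath (block or single-line require form), or "".
func requiredVersion(goMod, modPath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// atLeast compares numeric major.minor.patch; a pre-release/pseudo-version suffix ("v0.56.0-0.2026...") ranks below its base, so it is not yet fixed.
func atLeast(have, want string) bool {
	parse := func(v string) (n [3]int, pre bool) {
		base, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
		for i, p := range strings.SplitN(base, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, suffix != ""
	}
	h, hPre := parse(have)
	w, _ := parse(want)
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !hPre
}

// fixed reports whether goMod requires modPath at or above fixedVersion.
func fixed(goMod, modPath, fixedVersion string) bool {
	v := requiredVersion(goMod, modPath)
	return v != "" && atLeast(v, fixedVersion)
}

func main() {
	fmt.Println(fixed(rootGoMod, "golang.org/x/net", "v0.56.0"), fixed(toolsGoMod, "golang.org/x/net", "v0.56.0"))
}
```

Run against the real files, the same check flags a tools/go.mod that was left behind, which is the second file this PR touches.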

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 3, 2026
@openshift-ci-robot


@twoGiants: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Fixes CVE-2026-27136 which can cause XSS in golang.org/x/net/html. The html package is used indirectly by dependencies.

Additional Info

As per the RIT process documentation, the Jira ticket is not attached to this PR; I quote:

In some cases, a symbol level analysis will show that the component is not actually exposed to the vulnerability. In these cases the package should still be updated, but not attached to the bug.

References

Here is the closed issue golang/go#79575 in the go repo.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jul 3, 2026


Walkthrough

This PR updates indirect golang.org/x/* dependency versions in go.mod and tools/go.mod. Additionally, tools/go.mod raises its go directive from 1.22.0 to 1.25.0, removes an explicit toolchain pin, and adds a new indirect dependency on golang.org/x/tools/go/packages/packagestest.

Changes

Dependency updates

Layer / File(s) | Summary
Root go.mod dependency bumps (go.mod) | Updates x/net, x/crypto, x/mod, x/sync, x/sys, x/term, x/text, and x/tools indirect dependency versions.
tools/go.mod directive and dependency bumps (tools/go.mod) | Raises the go directive to 1.25.0, removes the toolchain go1.22.3 pin, updates x/mod, x/net, x/sync, x/sys, x/text, and x/tools versions, and adds an indirect dependency on golang.org/x/tools/go/packages/packagestest.

Estimated code review effort: 1 (Trivial) | ~5 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name | Status | Explanation | Resolution
No-Weak-Crypto | ❌ Error | Updated vendor/golang.org/x/crypto/ssh/cipher.go imports crypto/des and crypto/rc4 and registers insecure RC4 and 3DES CBC cipher modes. | Drop or justify the weak ciphers; if upstream requires them, document the exception and ensure they are not enabled by default.

✅ Passed checks (14 passed)

Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | No test files or Ginkgo title changes were introduced; the PR only updates vendored Go modules and generated code.
Test Structure And Quality | ✅ Passed | No *_test.go files or Ginkgo test changes are in this PR; it only updates dependencies/vendor, so this check is not applicable.
Microshift Test Compatibility | ✅ Passed | No new or modified Ginkgo e2e test files are in the diff; changes are dependency/vendor bumps only.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | Only go.mod/go.sum and vendored deps changed; no new non-vendored Ginkgo e2e tests were added.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR only bumps Go deps and vendored libraries (go.mod/go.sum/tools/vendor); no deployment manifests, operators, or controllers were changed.
Ote Binary Stdout Contract | ✅ Passed | PR only bumps Go module/vendor dependencies; no added lines introduce stdout writes in main/init/TestMain/suite setup.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No test/e2e files were changed; only dependency and vendor updates are present, so no new Ginkgo IPv4 or network assumptions were introduced.
Container-Privileges | ✅ Passed | Diff only touches Go module/vendor files; no YAML/Docker/K8s manifests changed, so no privilege settings were introduced.
No-Sensitive-Data-In-Logs | ✅ Passed | No new logs expose secrets/PII; changed logging is generic debug/error output and the header-value log in http2 pre-existed upstream.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title is concise and accurately describes the main security-related x/net version bump in the changeset.

@openshift-ci openshift-ci Bot requested review from damdo and theobarberbany July 3, 2026 10:26
Fixes CVE-2026-25681 which can cause XSS in golang.org/x/net/html. The
html package is used indirectly by dependencies.

Signed-off-by: Stanislav Jakuschevskij <sjakusch@redhat.com>
@twoGiants twoGiants force-pushed the no-jira-bump-net-package-for-cve-fix branch from a2dc669 to a951c25 on July 3, 2026 10:27

@damdo damdo left a comment


/approve
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
openshift-ci Bot commented Jul 3, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2026
openshift-ci Bot commented Jul 3, 2026


@twoGiants: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-ovn | a951c25 | link | true | /test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
