Skip to content

fix(cve): bump golang.org/x/net to v0.55.0 [release-v0.42.2]#2913

Merged
vdemeester merged 1 commit into
release-v0.42.2from
fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1
Jul 3, 2026
Merged

fix(cve): bump golang.org/x/net to v0.55.0 [release-v0.42.2]#2913
vdemeester merged 1 commit into
release-v0.42.2from
fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1

Conversation

@divyansh42

Copy link
Copy Markdown
Member

CVE Fix Summary — pipelines-1.20 (release-v0.42.2)

Bumps Go stdlib from 1.25.9 → 1.25.11 and golang.org/x/net from v0.49.0 → v0.55.0 to remediate multiple confirmed vulnerabilities.

CVE Details

Go Standard Library — fixed in go1.25.11

ID Package Description
GO-2026-5039 net/textproto Arbitrary inputs included in errors without escaping
GO-2026-5038 mime Quadratic complexity in WordDecoder.DecodeHeader
GO-2026-5037 crypto/x509 Inefficient candidate hostname parsing
GO-2026-4986 net/mail Quadratic string concatenation in consumeComment
GO-2026-4982 html/template Bypass of meta content URL escaping — XSS
GO-2026-4981 net Crash when handling long CNAME response
GO-2026-4980 html/template Escaper bypass leads to XSS
GO-2026-4977 net/mail Quadratic string concatenation in consumePhrase
GO-2026-4976 net/http/httputil ReverseProxy forwards excess query parameters
GO-2026-4971 net Panic on NUL byte in Dial/LookupPort on Windows
GO-2026-4947 crypto/x509 Unexpected work during chain building
GO-2026-4946 crypto/x509 Inefficient policy validation
GO-2026-4870 crypto/tls Unauthenticated TLS 1.3 KeyUpdate causes DoS
GO-2026-4869 archive/tar Unbounded allocation for old GNU sparse
GO-2026-4865 html/template JsBraceDepth context tracking XSS
GO-2026-4864 internal/syscall/unix TOCTOU root escape on Linux via Root.Chmod
GO-2026-4918 net/http HTTP/2 infinite loop on bad SETTINGS_MAX_FRAME_SIZE

golang.org/x/net — fixed in v0.55.0

ID Description
GO-2026-5026 ASCII-only Punycode label bypass in IDNA validation
GO-2026-4918 HTTP/2 infinite loop via bad SETTINGS_MAX_FRAME_SIZE

Fix Summary

  • go 1.25.9go 1.25.11 in go.mod
  • golang.org/x/net v0.49.0v0.55.0
  • go mod tidy && go mod verify && go mod vendor

Test Results

All unit tests passed (exit code 0)

Risk Assessment

Low — patch-level stdlib bump with no API changes. All unit tests pass.

Jira References

No active Jira CVE tickets for Tekton CLI component at time of fix. Vulnerabilities discovered via govulncheck direct scan of tektoncd/cli main.

Component: Tekton CLI (pipelines-cli-tkn-rhel9)
Product Version: pipelines-1.20
Lead: Divyanshu Agrawal (diagrawa@redhat.com)

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 20, 2026
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 20, 2026
@pratap0007

Copy link
Copy Markdown
Contributor

/retest

vdemeester
vdemeester previously approved these changes Jun 22, 2026

@vdemeester vdemeester left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 22, 2026
@divyansh42

Copy link
Copy Markdown
Member Author

/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 22, 2026
@divyansh42 divyansh42 changed the title fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0 [pipelines-1.20] fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0 [release-v0.42.2] Jul 2, 2026
@divyansh42 divyansh42 added the release-note-none Denotes a PR that doesnt merit a release note. label Jul 2, 2026
@tekton-robot tekton-robot removed the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 2, 2026
@divyansh42 divyansh42 dismissed vdemeester’s stale review July 2, 2026 16:47

The merge-base changed after approval.

@divyansh42 divyansh42 force-pushed the fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1 branch from 79f3771 to a972970 Compare July 2, 2026 16:47
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@divyansh42

Copy link
Copy Markdown
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
vdemeester
vdemeester previously approved these changes Jul 3, 2026

@vdemeester vdemeester left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 3, 2026
@divyansh42 divyansh42 force-pushed the fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1 branch from a972970 to 86fe8e9 Compare July 3, 2026 08:20
@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 3, 2026
- Update golang.org/x/net from v0.54.0 to v0.55.0
- Resolves GO-2026-5026 (IDNA ASCII-only Punycode bypass)
- Resolves GO-2026-4918 (HTTP/2 infinite loop)
- Run go mod tidy, go mod verify, go mod vendor
- All unit tests pass

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Divyanshu Agrawal <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1 branch from 86fe8e9 to 4798198 Compare July 3, 2026 08:34
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pramodbindal, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@divyansh42 divyansh42 changed the title fix(cve): bump Go stdlib to 1.25.11 and golang.org/x/net to v0.55.0 [release-v0.42.2] fix(cve): bump golang.org/x/net to v0.55.0 [release-v0.42.2] Jul 3, 2026
@waveywaves

Copy link
Copy Markdown
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@vdemeester vdemeester merged commit 029b19f into release-v0.42.2 Jul 3, 2026
12 checks passed
@vdemeester vdemeester deleted the fix/go-stdlib-1.25.11-xnet-0.55.0-release-v0.42.2-attempt-1 branch July 3, 2026 09:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants