Skip to content

fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [pipelines-1.15]#2923

Open
divyansh42 wants to merge 1 commit into
release-v0.37.6from
fix/SRVKP-12558-SRVKP-12570-cve-2026-33811-cve-2026-39833-release-v0.37.6-attempt-1
Open

fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [pipelines-1.15]#2923
divyansh42 wants to merge 1 commit into
release-v0.37.6from
fix/SRVKP-12558-SRVKP-12570-cve-2026-33811-cve-2026-39833-release-v0.37.6-attempt-1

Conversation

@divyansh42

@divyansh42 divyansh42 commented Jun 24, 2026

Copy link
Copy Markdown
Member

CVE Details

CVE Severity Description Fix
CVE-2026-33811 Undefined Go net package: Denial of Service via long CNAME response in LookupCNAME Go stdlib 1.25.9 → 1.25.11
CVE-2026-39833 Undefined golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation x/crypto v0.46.0 → v0.52.0

Fix Summary

  • Updated Go stdlib directive in go.mod: go 1.25.9go 1.25.11
  • Updated golang.org/x/crypto: v0.46.0v0.52.0 (minimum safe patch in same minor line per advisory)
  • Ran go mod tidy && go mod verify && go mod vendor — all passed ✅
  • Transitive upgrades: x/net v0.48.0→v0.54.0, x/sync v0.19.0→v0.20.0, x/sys v0.42.0→v0.45.0, x/term v0.41.0→v0.43.0, x/text v0.32.0→v0.37.0

Test Results

Tests PASSEDgo test -mod=vendor ./...

All packages passed. Full suite including pkg/cmd/pipelinerun and pkg/cmd/taskrun.

Breaking Changes

None expected. This is a pure dependency version bump. The x/crypto update stays within the same major version (v0). stdlib bump is patch-level only.

Risk Assessment

Low — Patch-level updates only. All unit tests pass. No API surface changes in updated packages relevant to tkn CLI usage.

Jira References

SRVKP-12558, SRVKP-12570

Verification Steps

  • govulncheck scan shows CVE-2026-33811 and CVE-2026-39833 resolved
  • go test -mod=vendor ./... passes
  • go mod verify shows all modules verified
  • No regressions in CLI behavior

🤖 Generated with Claude Code

@divyansh42
fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto
2776328 
- Update Go stdlib from 1.25.9 to 1.25.11
  Addresses CVE-2026-33811 (DoS via long CNAME response in net.LookupCNAME)
- Update golang.org/x/crypto from v0.46.0 to v0.52.0
  Addresses CVE-2026-39833 (security bypass in ssh/agent key confirmation)
- Also upgrades transitive deps: x/net, x/sync, x/sys, x/term, x/text

Resolves: SRVKP-12558, SRVKP-12570

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot

tekton-robot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 24, 2026
@tekton-robot

tekton-robot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from divyansh42 after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pradeepitm12 pradeepitm12 Awaiting requested review from pradeepitm12
@pratap0007 pratap0007 Awaiting requested review from pratap0007

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@divyansh42 @tekton-robot