Skip to content

fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [release-v0.42.2]#2924

Merged
tekton-robot merged 1 commit into
release-v0.42.2from
fix/SRVKP-12559-SRVKP-12569-cve-2026-33811-cve-2026-39833-release-v0.42.2-attempt-1
Jul 3, 2026
Merged

fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [release-v0.42.2]#2924
tekton-robot merged 1 commit into
release-v0.42.2from
fix/SRVKP-12559-SRVKP-12569-cve-2026-33811-cve-2026-39833-release-v0.42.2-attempt-1

Conversation

@divyansh42

Copy link
Copy Markdown
Member

CVE Details

CVE Severity Description Fix
CVE-2026-33811 Undefined Go net package: Denial of Service via long CNAME response in LookupCNAME Go stdlib 1.25.9 → 1.25.11
CVE-2026-39833 Undefined golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation x/crypto v0.47.0 → v0.52.0

Fix Summary

  • Updated Go stdlib directive in go.mod: go 1.25.9go 1.25.11
  • Updated golang.org/x/crypto: v0.47.0v0.52.0 (minimum safe patch per advisory)
  • Ran go mod tidy && go mod verify && go mod vendor — all passed ✅
  • Transitive upgrades: x/net v0.49.0→v0.54.0, x/sync v0.19.0→v0.20.0, x/sys v0.40.0→v0.45.0, x/term v0.39.0→v0.43.0, x/text v0.33.0→v0.37.0

Test Results

Tests PASSEDgo test -mod=vendor ./...

All packages passed. Full suite including pkg/cmd/pipelinerun and pkg/cmd/taskrun.

Breaking Changes

None expected. This is a pure dependency version bump. The x/crypto update stays within the same major version (v0). stdlib bump is patch-level only.

Risk Assessment

Low — Patch-level updates only. All unit tests pass. No API surface changes in updated packages relevant to tkn CLI usage.

Jira References

SRVKP-12559, SRVKP-12569

Verification Steps

  • govulncheck scan shows CVE-2026-33811 and CVE-2026-39833 resolved
  • go test -mod=vendor ./... passes
  • go mod verify shows all modules verified
  • No regressions in CLI behavior

🤖 Generated with Claude Code

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 24, 2026
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 24, 2026
@divyansh42 divyansh42 changed the title fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [pipelines-1.20] fix(cve): CVE-2026-33811, CVE-2026-39833 - update Go stdlib and x/crypto [release-v0.42.2] Jul 2, 2026
@divyansh42

Copy link
Copy Markdown
Member Author

/release-note-none

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 2, 2026
- Update Go stdlib from 1.25.9 to 1.25.11
  Addresses CVE-2026-33811 (DoS via long CNAME response in net.LookupCNAME)
- Update golang.org/x/crypto from v0.47.0 to v0.52.0
  Addresses CVE-2026-39833 (security bypass in ssh/agent key confirmation)
- Also upgrades transitive deps: x/net, x/sync, x/sys, x/term, x/text

Resolves: SRVKP-12559, SRVKP-12569

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Divyanshu Agrawal <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/SRVKP-12559-SRVKP-12569-cve-2026-33811-cve-2026-39833-release-v0.42.2-attempt-1 branch from b9087d4 to 521b598 Compare July 2, 2026 17:42
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 2, 2026
@divyansh42

Copy link
Copy Markdown
Member Author

/retest

@vdemeester vdemeester left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2026
@tekton-robot tekton-robot merged commit e20e72d into release-v0.42.2 Jul 3, 2026
17 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants