Conversation

@rollandf
Member

Fix several CVEs

@rollandf rollandf requested review from e0ne and heyvister1 December 22, 2025 10:04
@heyvister1
Collaborator

@rollandf I wonder if we should bump to 1.25.x already to fix other CVEs found on 1.24?

@rollandf
Member Author

@rollandf I wonder if we should bump to 1.25.x already to fix other CVEs found on 1.24?

1.24 is a supported version and has all the fixes

@rollandf
Member Author

rollandf commented Dec 22, 2025

See govulncheck result with this change:

$ govulncheck ./...
No vulnerabilities found.

@rollandf
Member Author

Before the change:

$ govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying
    wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.Verify

Vulnerability #2: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.Verify
      #2: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.VerifyHostname

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: controllers/nicclusterpolicy_controller.go:174:15: controllers.NicClusterPolicyReconciler.Reconcile calls client.client.List, which eventually calls http.Client.Do
      #2: api/v1alpha1/validator/nicclusterpolicy_webhook.go:763:35: validator.InitSchemaValidator calls gojsonschema.NewSchema, which eventually calls http.Get

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/[email protected]
    Fixed in: encoding/[email protected]
    Example traces found:
      #1: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls asn1.Unmarshal

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: pkg/docadriverimages/doca_drivers.go:132:39: docadriverimages.provider.retrieveTags calls kubernetes.NewFromPullSecrets, which calls url.Parse
      #2: cmd/keep-ncp/main.go:44:31: keep.main calls config.GetConfig, which eventually calls url.ParseRequestURI
      #3: controllers/nicclusterpolicy_controller.go:174:15: controllers.NicClusterPolicyReconciler.Reconcile calls client.client.List, which eventually calls url.URL.Parse

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/[email protected]
    Fixed in: encoding/[email protected]
    Example traces found:
      #1: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls tls.Conn.HandshakeContext
      #2: pkg/render/render.go:162:27: render.textTemplateRenderer.renderFile calls yaml.YAMLOrJSONDecoder.Decode, which eventually calls tls.Conn.Read
      #3: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls tls.Conn.Write
      #4: controllers/nicclusterpolicy_controller.go:174:15: controllers.NicClusterPolicyReconciler.Reconcile calls client.client.List, which eventually calls tls.Dialer.DialContext

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls x509.CertPool.AppendCertsFromPEM
      #2: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.Verify
      #3: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls x509.CreateCertificate
      #4: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls x509.MarshalPKCS1PrivateKey
      #5: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls x509.ParseCertificate
      #6: pkg/drain/drain_requestor.go:195:41: drain.NewDrainRequestor calls kubernetes.NewForConfig, which eventually calls x509.ParseECPrivateKey
      #7: pkg/drain/drain_requestor.go:195:41: drain.NewDrainRequestor calls kubernetes.NewForConfig, which eventually calls x509.ParsePKCS1PrivateKey
      #8: pkg/drain/drain_requestor.go:195:41: drain.NewDrainRequestor calls kubernetes.NewForConfig, which eventually calls x509.ParsePKCS8PrivateKey

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: api/v1alpha1/validator/nicclusterpolicy_webhook.go:263:56: validator.devicePluginSpecWrapper.validateSriovNetworkDevicePlugin calls gojsonschema.Schema.Validate, which eventually calls mail.ParseAddress

Vulnerability #11: GO-2025-3956
    Unexpected paths returned from LookPath in os/exec
  More info: https://pkg.go.dev/vuln/GO-2025-3956
  Standard library
    Found in: os/[email protected]
    Fixed in: os/[email protected]
    Example traces found:
      #1: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls exec.LookPath

Vulnerability #12: GO-2025-3751
    Sensitive headers not cleared on cross-origin redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3751
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: controllers/nicclusterpolicy_controller.go:174:15: controllers.NicClusterPolicyReconciler.Reconcile calls client.client.List, which eventually calls http.Client.Do
      #2: api/v1alpha1/validator/nicclusterpolicy_webhook.go:763:35: validator.InitSchemaValidator calls gojsonschema.NewSchema, which eventually calls http.Get

Vulnerability #13: GO-2025-3750
    Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in
    syscall
  More info: https://pkg.go.dev/vuln/GO-2025-3750
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Platforms: windows
    Example traces found:
      #1: hack/release.go:305:22: hack.renderTemplates calls os.Create
      #2: pkg/render/render.go:162:27: render.textTemplateRenderer.renderFile calls yaml.YAMLOrJSONDecoder.Decode, which eventually calls os.CreateTemp
      #3: pkg/utils/utils.go:38:22: utils.GetFilesWithSuffix calls filepath.Walk, which eventually calls os.File.Readdirnames
      #4: cmd/keep-ncp/main.go:44:31: keep.main calls config.GetConfig, which eventually calls os.Getwd
      #5: pkg/utils/utils.go:38:22: utils.GetFilesWithSuffix calls filepath.Walk, which calls os.Lstat
      #6: pkg/render/render.go:162:27: render.textTemplateRenderer.renderFile calls yaml.YAMLOrJSONDecoder.Decode, which eventually calls os.MkdirAll
      #7: pkg/utils/utils.go:22:2: utils.init calls os.init, which calls os.NewFile
      #8: pkg/utils/utils.go:38:22: utils.GetFilesWithSuffix calls filepath.Walk, which eventually calls os.Open
      #9: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls os.OpenFile
      #10: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls os.Pipe
      #11: api/v1alpha1/validator/nicclusterpolicy_webhook.go:757:26: validator.InitSchemaValidator calls os.ReadDir
      #12: hack/release.go:175:23: hack.docaDriverTagsCheck calls os.ReadFile
      #13: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls os.Remove
      #14: pkg/render/render.go:162:27: render.textTemplateRenderer.renderFile calls yaml.YAMLOrJSONDecoder.Decode, which eventually calls os.Rename
      #15: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls os.StartProcess
      #16: cmd/apply-crds/main.go:26:23: apply.main calls crdutil.EnsureCRDsCmd, which eventually calls os.Stat
      #17: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls os.Symlink
      #18: pkg/config/config.go:64:9: config.FromEnv calls sync.Once.Do, which eventually calls os.WriteFile
      #19: api/v1alpha1/validator/nicclusterpolicy_webhook.go:757:26: validator.InitSchemaValidator calls os.ReadDir, which eventually calls syscall.Open

Vulnerability #14: GO-2025-3749
    Usage of ExtKeyUsageAny disables policy validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3749
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: hack/release.go:258:14: hack.renderTemplates calls fmt.Printf, which eventually calls x509.Certificate.Verify

Vulnerability #15: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/[email protected]
    Fixed in: net/http/[email protected]
    Example traces found:
      #1: pkg/render/render.go:162:27: render.textTemplateRenderer.renderFile calls yaml.YAMLOrJSONDecoder.Decode, which eventually calls internal.chunkedReader.Read

Vulnerability #16: GO-2022-0451
    Ignition config accessible to unprivileged software on VMware in
    github.com/coreos/ignition
  More info: https://pkg.go.dev/vuln/GO-2022-0451
  Module: github.com/coreos/ignition
    Found in: github.com/coreos/[email protected]
    Fixed in: N/A
    Example traces found:
      #1: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls astjson.init
      #2: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls astnode.init
      #3: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls config.init
      #4: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls errors.init
      #5: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls report.init
      #6: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #7: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #8: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #9: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #10: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #11: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls types.init
      #12: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls util.init
      #13: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls v2_0.init
      #14: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls v2_1.init
      #15: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls v2_2.init
      #16: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls v2_3.init
      #17: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls validate.init
      #18: controllers/drain_controller.go:25:2: controllers.init calls api.init, which eventually calls validations.init

Your code is affected by 16 vulnerabilities from 1 module and the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

@e0ne
Collaborator

e0ne commented Dec 31, 2025

/retest-nic_operator_kind

@e0ne
Collaborator

e0ne commented Dec 31, 2025

/retest-nic_operator_kind

@e0ne
Collaborator

e0ne commented Dec 31, 2025

/retest-nic_operator_helm

Collaborator

@heyvister1 heyvister1 left a comment

LGTM

Fix several CVEs

Signed-off-by: Fred Rolland <[email protected]>
@rollandf rollandf merged commit 7c91b1b into Mellanox:master Jan 1, 2026
15 of 17 checks passed
3 participants