OADP-7565,OADP-7570,OADP-7573: Bump Go toolchain to 1.25.8 and fix x/* CVEs#2121
kaovilai wants to merge 1 commit into openshift:oadp-1.5 from
@kaovilai: This pull request references OADP-7565 which is a valid jira issue. This pull request references OADP-7570 which is a valid jira issue. This pull request references OADP-7573 which is a valid jira issue.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Pull request overview
Updates the project’s Go toolchain and several golang.org/x/* dependencies to address security CVEs, and aligns container build images with the newer Go major/minor release.
Changes:
- Bump root module go.mod to go 1.25.0 and toolchain go1.25.8.
- Update golang.org/x/* dependency versions (and corresponding go.sum entries).
- Update builder base images in konflux.Dockerfile and must-gather/Dockerfile.oadp to rhel_9_golang_1.25.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| must-gather/Dockerfile.oadp | Switches must-gather build stage to Go 1.25 builder image. |
| konflux.Dockerfile | Switches Konflux build stage to Go 1.25 builder image. |
| go.mod | Bumps Go language/toolchain version and updates indirect golang.org/x/* deps. |
| go.sum | Updates checksums to match the bumped module versions. |
| #@follow_tag(registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23) | ||
| FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.23 AS builder | ||
| #@follow_tag(registry-proxy.engineering.redhat.com/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25) | ||
| FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25 AS builder |
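Review bot: The new FROM line pins the builder only to the minor release (rhel_9_golang_1.25), while go.mod now declares toolchain go1.25.8. If the image ships an older 1.25.x patch, `go build` under the default GOTOOLCHAIN=auto will try to download go1.25.8, which fails in a hermetic or offline build and, where a download does succeed, hides whether the image itself carries the toolchain CVE fixes this PR is meant to deliver. Please confirm the image's `go version` is at least 1.25.8, or set GOTOOLCHAIN=local in the build stage so a mismatch fails loudly instead of being papered over.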
/hold something is off here with the tests
4d6acb0 to 52bd654
…* CVEs
- Update go directive from 1.23.0 to 1.25.0, toolchain go1.23.6 -> go1.25.8 (Go 1.24 is EOL; 1.25 and 1.26 are the supported releases)
- Bump golang.org/x/crypto v0.39.0 -> v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x ssh DoS, GHSA-f6x5-jh6r-wrfv ssh/agent panic)
- Bump golang.org/x/net v0.41.0 -> v0.52.0 (fixes GHSA-vvgc-356p-c3xw XSS in HTML tokenizer)
- Transitive bumps: x/sys v0.42.0, x/text v0.35.0, x/term v0.41.0, x/sync v0.20.0, x/tools v0.42.0
- Update konflux.Dockerfile: rhel_9_golang_1.24 -> rhel_9_golang_1.25
- Update must-gather/Dockerfile.oadp: rhel_9_golang_1.23 -> rhel_9_golang_1.25

Go toolchain CVEs fixed:
- GO-2026-4337, GO-2026-4340 (crypto/tls)
- GO-2026-4341 (net/url)
- GO-2026-4342 (archive/zip)
- CVE-2026-25679 (net/url IPv6 host parsing)
- CVE-2026-27137 (crypto/x509 email constraints)

Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
52bd654 to 0418f91
/retest
@kaovilai: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: kaovilai, weshayutin
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@mpryc 0/ |
Why the changes were made
Fix multiple CVEs in the Go toolchain and golang.org/x/* dependencies. Go 1.24 is EOL; 1.25 and 1.26 are the supported releases.
Go toolchain CVEs fixed (Go 1.25.8):
golang.org/x/* CVEs fixed:
Changes:
- go 1.23.0/toolchain go1.23.6 → go 1.25.0/toolchain go1.25.8
- rhel_9_golang_1.24 → rhel_9_golang_1.25
- rhel_9_golang_1.23 → rhel_9_golang_1.25

Jira: OADP-7565, OADP-7570, OADP-7573
How to test the changes made
- go build ./... — verifies compilation with new toolchain
- go test ./... — verifies unit tests pass
- go version in built binary confirms Go 1.25.8 toolchain

Note
Responses generated with Claude
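The third test step above can be automated so the check covers the x/* modules as well as the toolchain: parse the output of `go version -m` on the built binary and verify that the embedded toolchain and each golang.org/x/* module meet the minimum versions named in the commit message. This is an added example, not part of the PR; the sample `go version -m` output is constructed, and the binary path and module hashes in it are placeholders.

```shell
#!/usr/bin/env bash
# Added check: confirm a built binary embeds the patched toolchain and the
# minimum golang.org/x/* versions from the PR, using `go version -m` output.
set -u

MIN_TOOLCHAIN="go1.25.8"   # from the go.mod toolchain directive
# Minimum module versions named in the PR's commit message.
MIN_DEPS="golang.org/x/crypto=v0.49.0 golang.org/x/net=v0.52.0 golang.org/x/sys=v0.42.0 golang.org/x/text=v0.35.0"

# version_ge A B: succeeds when A >= B for forms like go1.25.8 or v0.49.0.
version_ge() {
  local a="${1#go}" b="${2#go}" a1 a2 a3 b1 b2 b3
  a="${a#v}"; b="${b#v}"
  IFS=. read -r a1 a2 a3 <<<"$a"
  IFS=. read -r b1 b2 b3 <<<"$b"
  [ "${a1:-0}" -gt "${b1:-0}" ] && return 0
  [ "${a1:-0}" -lt "${b1:-0}" ] && return 1
  [ "${a2:-0}" -gt "${b2:-0}" ] && return 0
  [ "${a2:-0}" -lt "${b2:-0}" ] && return 1
  [ "${a3:-0}" -ge "${b3:-0}" ]
}

# check_binary OUTPUT: OUTPUT is the text of `go version -m <binary>`.
# Fails (non-zero) and reports every toolchain/module below its minimum.
check_binary() {
  local out="$1" rc=0 tc want mod minv ver
  tc=$(printf '%s\n' "$out" | sed -n '1s/.*: \(go[0-9.]*\).*/\1/p')
  [ -n "$tc" ] || tc="go0.0.0"
  if ! version_ge "$tc" "$MIN_TOOLCHAIN"; then
    echo "toolchain $tc is below $MIN_TOOLCHAIN"; rc=1
  fi
  for want in $MIN_DEPS; do
    mod="${want%%=*}"; minv="${want#*=}"
    # dep lines look like: <tab>dep<tab>module<tab>version<tab>hash
    ver=$(printf '%s\n' "$out" | awk -v m="$mod" '$1=="dep" && $2==m {print $3}')
    [ -n "$ver" ] || continue      # module not linked in: nothing to check
    if ! version_ge "$ver" "$minv"; then
      echo "$mod $ver is below $minv"; rc=1
    fi
  done
  return $rc
}

# Constructed sample output (binary path and hashes are placeholders).
PATCHED=$'./bin/manager: go1.25.8\n\tpath\tgithub.com/openshift/oadp-operator\n\tdep\tgolang.org/x/crypto\tv0.49.0\th1:placeholder\n\tdep\tgolang.org/x/net\tv0.52.0\th1:placeholder\n\tdep\tgolang.org/x/sys\tv0.42.0\th1:placeholder'
STALE=$'./bin/manager: go1.23.6\n\tpath\tgithub.com/openshift/oadp-operator\n\tdep\tgolang.org/x/crypto\tv0.39.0\th1:placeholder\n\tdep\tgolang.org/x/net\tv0.41.0\th1:placeholder'

check_binary "$PATCHED" && echo "patched binary: OK"
check_binary "$STALE" || echo "stale binary: rejected"
```

On a real build, replace the constructed strings with `"$(go version -m ./bin/manager)"`; a module that is not linked into the binary is skipped, so a missing dep line is not mistaken for a pass.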