
Bump golang 1.25.6 to resolve CVEs #437

Merged
devacts merged 3 commits into carvel-dev:develop from CodesbyUnnati:bump-golang-1.25.5
Jan 29, 2026

Conversation


@CodesbyUnnati CodesbyUnnati commented Jan 17, 2026

Bumping golang +crypto versions to resolve the below CVEs and bump imgpkg to v0.47.1:


┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-47914 │ MEDIUM   │ fixed  │ v0.39.0           │ 0.45.0          │ golang.org/x/crypto/ssh/agent: in                           │
│                     │                │          │        │                   │                 │ golang.org/x/crypto/ssh/agent                               │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47914                  │
│                     ├────────────────┤          │        │                   │                 ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58181 │          │        │                   │                 │ golang.org/x/crypto/ssh: in golang.org/x/crypto/ssh         │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58181                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-61729 │ HIGH     │        │ v1.25.4           │ 1.24.11, 1.25.5 │ crypto/x509: golang: Denial of Service due to excessive     │
│                     │                │          │        │                   │                 │ resource consumption via crafted...                         │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61729                  │
│                     ├────────────────┼──────────┤        │                   │                 ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61727 │ MEDIUM   │        │                   │                 │ golang: crypto/x509: excluded subdomain constraint does not │
│                     │                │          │        │                   │                 │ restrict wildcard SANs                                      │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61727                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Signed-off-by: Unnati Mishra <[email protected]>
Unnati Mishra added 2 commits January 27, 2026 21:38

Add vendor files

Signed-off-by: Unnati Mishra <[email protected]>
@CodesbyUnnati (Member, Author) commented:

Manual Snyk Validation: [screenshot not captured in this copy]

CodesbyUnnati changed the title from "Bump golang 1.25.5 to resolve CVEs" to "Bump golang 1.25.6 to resolve CVEs" Jan 27, 2026
CodesbyUnnati requested a review from devacts January 27, 2026 16:29
github-project-automation bot moved this to Closed in Carvel Jan 28, 2026
CodesbyUnnati reopened this Jan 28, 2026
github-project-automation bot moved this from Closed to In Progress in Carvel Jan 28, 2026
@PushkarJ commented:

Snyk seems to be stuck in its original state because of a 500 error: https://docs.snyk.io/scan-with-snyk/error-catalog?_gl=1*mdputv*_ga*NTMwMzMzMTM3LjE3Njk1NjI3Nzc.*_ga_X9SH3KP7B4*czE3Njk2MjQ0ODYkbzIkZzEkdDE3Njk2MjY4NzQkajYwJGwwJGgw#snyk-9999 even after it should have recovered from the issue: https://status.snyk.io/history

In these cases there are two options: open and close the PR, OR mark the status as successful: https://docs.snyk.io/scan-with-snyk/pull-requests/pull-request-checks/troubleshoot-pr-checks#mark-as-successful

Opening and closing the PR, as seen above, did not fix the issue, nor did requesting a manual retest from the Snyk dashboard. So, after verifying with two different scanners (in addition to this comment, #437 (comment)) that the code fixes the claimed vulnerabilities, I marked the status as successful in the SCM, as the inherent reason for making this a blocking job has been resolved.

Evidence from before and after the PR fix:

pj900915@GJ0FQY17FY vendir % govulncheck ./...       
=== Symbol Results ===

Vulnerability #1: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Example traces found:
      #1: pkg/vendir/fetch/githubrelease/sync.go:351:36: githubrelease.Sync.downloadFile calls http.Client.Do, which eventually calls url.ParseQuery
      #2: pkg/vendir/fetch/git/verification.go:58:32: git.Verification.Verify calls transport.Error.Error, which eventually calls url.URL.Query

Vulnerability #2: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: pkg/vendir/fetch/githubrelease/sync.go:351:36: githubrelease.Sync.downloadFile calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext
      #2: pkg/vendir/fetch/githubrelease/sync.go:401:18: githubrelease.Sync.checkFileChecksum calls io.Copy, which eventually calls tls.Conn.Read
      #3: test/e2e/e2e.go:18:12: e2e.Logger.Debugf calls fmt.Printf, which eventually calls tls.Conn.Write
      #4: pkg/vendir/fetch/githubrelease/sync.go:351:36: githubrelease.Sync.downloadFile calls http.Client.Do, which eventually calls tls.Dialer.DialContext

Your code is affected by 2 vulnerabilities from the Go standard library.
This scan also found 1 vulnerability in packages you import and 3
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
pj900915@GJ0FQY17FY vendir % cd ..                                              
pj900915@GJ0FQY17FY oss-k8s % trivy repo vendir
2026-01-28T13:56:35-08:00	INFO	[vuln] Vulnerability scanning is enabled
2026-01-28T13:56:35-08:00	INFO	[secret] Secret scanning is enabled
2026-01-28T13:56:35-08:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-28T13:56:35-08:00	INFO	[secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-28T13:56:36-08:00	INFO	Number of language-specific files	num=1
2026-01-28T13:56:36-08:00	INFO	[gomod] Detecting vulnerabilities...

Report Summary

┌────────┬───────┬─────────────────┬─────────┐
│ Target │ Type  │ Vulnerabilities │ Secrets │
├────────┼───────┼─────────────────┼─────────┤
│ go.mod │ gomod │        2        │    -    │
└────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


go.mod (gomod)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-47914 │ MEDIUM   │ fixed  │ v0.39.0           │ 0.45.0        │ golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of │
│                     │                │          │        │                   │               │ Service due to malformed messages                           │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-47914                  │
│                     ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58181 │          │        │                   │               │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of │
│                     │                │          │        │                   │               │ Service via unbounded memory consumption in GSSAPI          │
│                     │                │          │        │                   │               │ authentication...                                           │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-58181                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

pj900915@GJ0FQY17FY oss-k8s % cd vendir 
pj900915@GJ0FQY17FY vendir % git checkout 
pj900915@GJ0FQY17FY vendir % git checkout  bump-golang-1.25.5
Switched to branch 'bump-golang-1.25.5'
Your branch is up to date with 'CodesbyUnnati/bump-golang-1.25.5'.


pj900915@GJ0FQY17FY vendir % govulncheck ./...               
No vulnerabilities found.
pj900915@GJ0FQY17FY vendir % cd ..
pj900915@GJ0FQY17FY oss-k8s % trivy repo vendir               
2026-01-28T13:57:26-08:00	INFO	[vuln] Vulnerability scanning is enabled
2026-01-28T13:57:26-08:00	INFO	[secret] Secret scanning is enabled
2026-01-28T13:57:26-08:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-28T13:57:26-08:00	INFO	[secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-28T13:57:28-08:00	INFO	Number of language-specific files	num=1
2026-01-28T13:57:28-08:00	INFO	[gomod] Detecting vulnerabilities...

Report Summary

┌────────┬───────┬─────────────────┬─────────┐
│ Target │ Type  │ Vulnerabilities │ Secrets │
├────────┼───────┼─────────────────┼─────────┤
│ go.mod │ gomod │        0        │    -    │
└────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
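The before/after comparison in the comment above is done by eye: read the govulncheck report on the base branch, read it again on the fix branch, and confirm every finding is gone. As an added example (not code from the vendir project or from anyone in this thread), the Python below parses govulncheck's text report and trivy's `Total:` line so that comparison can gate a CI job. The report excerpts it embeds are constructed in the shape of the output quoted above; the `go1.25.x` versions in them are sample values, not copied from the PR. A caveat a practitioner would want: the parser cross-checks its own block count against govulncheck's "affected by N vulnerabilities" summary, so a silent output-format change fails loudly instead of reporting a clean run.

```python
"""Compare govulncheck text reports from before and after a dependency bump.

Added example for this PR thread, not code from the vendir project. The
report excerpts below are constructed in the shape of the govulncheck and
trivy output quoted in the thread; module versions in them are sample values.
"""
import re
from dataclasses import dataclass, field

# Constructed baseline: two stdlib findings, like the pre-bump run quoted above.
BEFORE_REPORT = """\
=== Symbol Results ===

Vulnerability #1: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.25.4
    Fixed in: net/url@go1.25.6
    Example traces found:
      #1: pkg/vendir/fetch/githubrelease/sync.go:351:36: githubrelease.Sync.downloadFile calls http.Client.Do, which eventually calls url.ParseQuery

Vulnerability #2: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/tls@go1.25.4
    Fixed in: crypto/tls@go1.25.6
    Example traces found:
      #1: pkg/vendir/fetch/githubrelease/sync.go:351:36: githubrelease.Sync.downloadFile calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext
      #2: pkg/vendir/fetch/githubrelease/sync.go:401:18: githubrelease.Sync.checkFileChecksum calls io.Copy, which eventually calls tls.Conn.Read

Your code is affected by 2 vulnerabilities from the Go standard library.
"""

# Constructed post-bump run: govulncheck prints only this line when clean.
AFTER_REPORT = "No vulnerabilities found.\n"

# Constructed trivy per-target summary, in the shape of the pre-bump run above.
TRIVY_BEFORE = "go.mod (gomod)\n\nTotal: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n"

VULN_RE = re.compile(r"^Vulnerability #\d+: (?P<id>GO-\d{4}-\d+)\s*$", re.M)
FOUND_RE = re.compile(r"^\s*Found in: (?P<pkg>\S+)@(?P<ver>\S+)\s*$", re.M)
FIXED_RE = re.compile(r"^\s*Fixed in: (?P<pkg>\S+)@(?P<ver>\S+)\s*$", re.M)
TRACE_RE = re.compile(r"^\s*#\d+: (?P<loc>\S+:\d+:\d+): ", re.M)
SUMMARY_RE = re.compile(r"affected by (?P<n>\d+) vulnerabilit")
TRIVY_TOTAL_RE = re.compile(r"^Total: (?P<n>\d+) \((?P<sev>[^)]*)\)", re.M)


@dataclass
class Finding:
    vuln_id: str
    package: str
    found_in: str
    fixed_in: str
    traces: list[str] = field(default_factory=list)  # file:line:col call sites


def parse_govulncheck(text: str) -> dict[str, Finding]:
    """Return findings keyed by GO-ID; {} for a 'No vulnerabilities found.' run."""
    findings: dict[str, Finding] = {}
    heads = list(VULN_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        found, fixed = FOUND_RE.search(block), FIXED_RE.search(block)
        if found is None:
            continue  # heading without a 'Found in' line carries no actionable data
        findings[head.group("id")] = Finding(
            vuln_id=head.group("id"),
            package=found.group("pkg"),
            found_in=found.group("ver"),
            fixed_in=fixed.group("ver") if fixed else "",
            traces=[m.group("loc") for m in TRACE_RE.finditer(block)],
        )
    # Cross-check against govulncheck's own count so a format drift is not mistaken for a clean run.
    summary = SUMMARY_RE.search(text)
    if summary and int(summary.group("n")) != len(findings):
        raise ValueError("summary count disagrees with parsed blocks; output format may have changed")
    return findings


def compare_reports(before: str, after: str) -> dict[str, list[str]]:
    """Classify every GO-ID as resolved, remaining, or newly introduced by the change."""
    b, a = set(parse_govulncheck(before)), set(parse_govulncheck(after))
    return {"resolved": sorted(b - a), "remaining": sorted(b & a), "introduced": sorted(a - b)}


def gate(before: str, after: str) -> bool:
    """True only when every baseline finding is gone and the bump added none."""
    diff = compare_reports(before, after)
    return not diff["remaining"] and not diff["introduced"]


def trivy_severity_counts(text: str) -> dict[str, int]:
    """Parse trivy's 'Total: N (...)' line; {} when no target section was printed (clean run)."""
    m = TRIVY_TOTAL_RE.search(text)
    if m is None:
        return {}
    counts = {k.strip(): int(v) for k, v in (p.split(": ") for p in m.group("sev").split(","))}
    if sum(counts.values()) != int(m.group("n")):
        raise ValueError("trivy severity breakdown does not add up to its total")
    return counts


if __name__ == "__main__":
    print(compare_reports(BEFORE_REPORT, AFTER_REPORT))
    print("gate passed:", gate(BEFORE_REPORT, AFTER_REPORT))
    print("trivy before:", trivy_severity_counts(TRIVY_BEFORE))
```

In a pipeline the two report strings would come from `govulncheck ./...` run on the base and head commits; the gate deliberately fails on `introduced` findings as well, since a version bump that fixes two advisories while pulling in a third is not a pass.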

devacts merged commit f7d4c13 into carvel-dev:develop Jan 29, 2026
8 checks passed
github-project-automation bot moved this from In Progress to Closed in Carvel Jan 29, 2026