chore(core): cve mitigation 08-06-2026 for release 1.8#2465

Open
LopatinDmitr wants to merge 3 commits into
release-1.8from
chore/core/cve-mitigation-11052026-v1.8
Conversation

@LopatinDmitr

Contributor

Description

Updated the project toolchain and base image set for the CVE mitigation batch from 2026-06-08:

  • bumped Go from 1.25.10 to 1.25.11 in workflows and all module go.mod files;
  • refreshed build/base-images/deckhouse_images.yml from base-images catalog v0.5.77 to v1.0.44;
  • updated GitHub Actions validation/build jobs to use the patched Go version.

Mitigated CVEs mentioned in the commit:

  • CVE-2026-42504 Decoding a maliciously-crafted MIME header containing many invalid enc ...
  • CVE-2026-27145 *x509.Certificate).VerifyHostname previously called matchHostnames in ...
  • CVE-2026-42507 When returning errors, functions in the net/textproto package would in ...

Why do we need it, and what problem does it solve?

The module should be built and tested with patched toolchain and base images to reduce exposure to known vulnerabilities in Go standard library behavior and base image dependencies.

What is the expected result?

CI builds and validation jobs use Go 1.25.11, and module images are built from the refreshed pinned base image digests.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerability:
  - CVE-2026-42504
  - CVE-2026-27145
  - CVE-2026-42507

- CVE-2026-42504 Decoding a maliciously-crafted MIME header containing many invalid enc ...
- CVE-2026-27145 *x509.Certificate).VerifyHostname previously called matchHostnames in ...
- CVE-2026-42507 When returning errors, functions in the net/textproto package would in ...

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
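A toolchain bump like this one only removes the exposure if every module and every CI job actually picks up the patched version; a single stale go.mod or workflow still builds against the vulnerable standard library. The following drift check is an added example for this page and is not code from the PR or the Deckhouse project. It assumes the repository layout implied by the description (per-module go.mod files with a `go X.Y.Z` directive and GitHub Actions workflows that set `go-version:` for actions/setup-go) and takes the expected version, 1.25.11, from the PR. The file contents used in `main` are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// GoModVersion returns the version from a go.mod "go" directive, or "" if
// the directive is absent. Note: it reads the "go" directive only; a separate
// "toolchain go1.x.y" directive is not consulted here.
func GoModVersion(goMod string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "go" {
			return fields[1]
		}
	}
	return ""
}

// WorkflowGoVersions returns every "go-version:" value found in a GitHub
// Actions workflow file, with surrounding quotes stripped. Workflows that
// use "go-version-file: go.mod" instead produce no entries and are covered
// by the go.mod check.
func WorkflowGoVersions(workflow string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "go-version:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "go-version:"))
			out = append(out, strings.Trim(v, `"'`))
		}
	}
	return out
}

// Drift reports every go.mod or workflow whose pinned Go version differs
// from want. The maps are file name -> file content; output is sorted so the
// report is stable regardless of map iteration order.
func Drift(want string, goMods map[string]string, workflows map[string]string) []string {
	var bad []string
	for name, content := range goMods {
		if v := GoModVersion(content); v != want {
			bad = append(bad, fmt.Sprintf("%s: go %q, want %q", name, v, want))
		}
	}
	for name, content := range workflows {
		for _, v := range WorkflowGoVersions(content) {
			if v != want {
				bad = append(bad, fmt.Sprintf("%s: go-version %q, want %q", name, v, want))
			}
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample inputs (hypothetical module and workflow files).
	goMods := map[string]string{
		"modules/a/go.mod": "module example.com/a\n\ngo 1.25.11\n",
		"modules/b/go.mod": "module example.com/b\n\ngo 1.25.10\n", // missed by the bump
	}
	workflows := map[string]string{
		".github/workflows/build.yml": "steps:\n  - uses: actions/setup-go@v5\n    with:\n      go-version: '1.25.10'\n",
	}
	for _, line := range Drift("1.25.11", goMods, workflows) {
		fmt.Println("DRIFT:", line)
	}
}
```

In a real repository the maps would be filled by walking the tree for `go.mod` and `.github/workflows/*.yml`; wiring this into the validation job makes a partial bump fail CI instead of quietly shipping one module on the old toolchain.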