Skip to content

Fix 15 CVEs (CVE-2026-25681, CVE-2026-27136, CVE-2026-33186, ...)#2294

Closed
oadp-rebasebot-app[bot] wants to merge 1 commit into
openshift:oadp-1.4from
oadp-rebasebot:cve-fix/oadp-1.4/20260713-1
Closed

Fix 15 CVEs (CVE-2026-25681, CVE-2026-27136, CVE-2026-33186, ...)#2294
oadp-rebasebot-app[bot] wants to merge 1 commit into
openshift:oadp-1.4from
oadp-rebasebot:cve-fix/oadp-1.4/20260713-1

Conversation

@oadp-rebasebot-app

Copy link
Copy Markdown
Contributor

CVE Fixes

Automated scan found 15 fixable Go dependency CVE(s) in openshift/oadp-operator on branch oadp-1.4.

CVE Severity Package Fixed Version Description
CVE-2026-25681 HIGH golang.org/x/net 0.55.0 golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
CVE-2026-27136 HIGH golang.org/x/net 0.55.0 golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass
CVE-2026-33186 CRITICAL google.golang.org/grpc 1.79.3 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
CVE-2026-33814 HIGH golang.org/x/net 0.53.0 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
CVE-2026-35469 HIGH github.com/moby/spdystream 0.5.1 Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
CVE-2026-39821 HIGH golang.org/x/net 0.55.0 golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
CVE-2026-39828 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
CVE-2026-39829 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
CVE-2026-39830 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
CVE-2026-39831 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check
CVE-2026-39832 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
CVE-2026-39835 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
CVE-2026-42508 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
CVE-2026-46595 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation
CVE-2026-46597 HIGH golang.org/x/crypto 0.52.0 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs

How this was fixed

  • go get <package>@<fixed_version> for each vulnerable dependency
  • go mod tidy to clean up

Generated by cve-scan pipeline

- CVE-2026-25681: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-27136: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-33186: google.golang.org/grpc v1.63.2 → 1.79.3
- CVE-2026-33814: golang.org/x/net v0.52.0 → 0.53.0
- CVE-2026-35469: github.com/moby/spdystream v0.2.0 → 0.5.1
- CVE-2026-39821: golang.org/x/net v0.52.0 → 0.55.0
- CVE-2026-39828: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39829: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39830: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39831: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39832: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-39835: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-42508: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-46595: golang.org/x/crypto v0.49.0 → 0.52.0
- CVE-2026-46597: golang.org/x/crypto v0.49.0 → 0.52.0
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ec15e0b-6ff6-4414-96bd-2e9874875cb9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from Joeavaikath and kaovilai July 13, 2026 10:39
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

Hi @oadp-rebasebot-app[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign shawn-hurley for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.62%. Comparing base (c695230) to head (581f93e).
⚠️ Report is 2 commits behind head on oadp-1.4.

⚠️ Current head 581f93e differs from pull request most recent head defffd9

Please upload reports for the commit defffd9 to get more accurate results.

Additional details and impacted files
@@            Coverage Diff            @@
##           oadp-1.4    #2294   +/-   ##
=========================================
  Coverage     32.62%   32.62%           
=========================================
  Files            30       30           
  Lines          4861     4861           
=========================================
  Hits           1586     1586           
  Misses         3100     3100           
  Partials        175      175           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants