
[eno][cherry-pick] Update CVE fixes #593

Merged
ruinan-liu merged 4 commits into official/v20260316 from users/ruinanliu/cherry-pick-officialv2-260316
Apr 20, 2026

Conversation

@ruinan-liu
Collaborator

Update cve fixes

dependabot Bot and others added 4 commits April 20, 2026 18:40
…03-helm-shim (#573)

Bumps
[go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go)
from 1.36.0 to 1.40.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>[1.40.0/0.62.0/0.16.0] 2026-02-02</h2>
<h3>Added</h3>
<ul>
<li>Add <code>AlwaysRecord</code> sampler in
<code>go.opentelemetry.io/otel/sdk/trace</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7724">#7724</a>)</li>
<li>Add <code>Enabled</code> method to all synchronous instrument
interfaces (<code>Float64Counter</code>,
<code>Float64UpDownCounter</code>, <code>Float64Histogram</code>,
<code>Float64Gauge</code>, <code>Int64Counter</code>,
<code>Int64UpDownCounter</code>, <code>Int64Histogram</code>,
<code>Int64Gauge</code>) in
<code>go.opentelemetry.io/otel/metric</code>.
This stabilizes the synchronous instrument enabled feature, allowing
users to check if an instrument will process measurements before
performing computationally expensive operations. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7763">#7763</a>)</li>
<li>Add <code>go.opentelemetry.io/otel/semconv/v1.39.0</code> package.
The package contains semantic conventions from the <code>v1.39.0</code>
version of the OpenTelemetry Semantic Conventions.
See the <a
href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.39.0/MIGRATION.md">migration
documentation</a> for information on how to upgrade from
<code>go.opentelemetry.io/otel/semconv/v1.38.0</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7783">#7783</a>,
<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7789">#7789</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Improve the concurrent performance of
<code>HistogramReservoir</code> in
<code>go.opentelemetry.io/otel/sdk/metric/exemplar</code> by 4x. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7443">#7443</a>)</li>
<li>Improve the concurrent performance of
<code>FixedSizeReservoir</code> in
<code>go.opentelemetry.io/otel/sdk/metric/exemplar</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7447">#7447</a>)</li>
<li>Improve performance of concurrent histogram measurements in
<code>go.opentelemetry.io/otel/sdk/metric</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7474">#7474</a>)</li>
<li>Improve performance of concurrent synchronous gauge measurements in
<code>go.opentelemetry.io/otel/sdk/metric</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7478">#7478</a>)</li>
<li>Add experimental observability metrics in
<code>go.opentelemetry.io/otel/exporters/stdout/stdoutmetric</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7492">#7492</a>)</li>
<li><code>Exporter</code> in
<code>go.opentelemetry.io/otel/exporters/prometheus</code> ignores
metrics with the scope
<code>go.opentelemetry.io/contrib/bridges/prometheus</code>.
This prevents scrape failures when the Prometheus exporter is
misconfigured to get data from the Prometheus bridge. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7688">#7688</a>)</li>
<li>Improve performance of concurrent exponential histogram measurements
in <code>go.opentelemetry.io/otel/sdk/metric</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7702">#7702</a>)</li>
<li>The <code>rpc.grpc.status_code</code> attribute in the experimental
metrics emitted from
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>
is replaced with the <code>rpc.response.status_code</code> attribute to
align with the semantic conventions. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li>
<li>The <code>rpc.grpc.status_code</code> attribute in the experimental
metrics emitted from
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>
is replaced with the <code>rpc.response.status_code</code> attribute to
align with the semantic conventions. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix bad log message when key-value pairs are dropped because of key
duplication in <code>go.opentelemetry.io/otel/sdk/log</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li>
<li>Fix <code>DroppedAttributes</code> on <code>Record</code> in
<code>go.opentelemetry.io/otel/sdk/log</code> to not count the
non-attribute key-value pairs dropped because of key duplication. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li>
<li>Fix <code>SetAttributes</code> on <code>Record</code> in
<code>go.opentelemetry.io/otel/sdk/log</code> to not log that attributes
are dropped when they are actually not dropped. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li>
<li>Fix missing <code>request.GetBody</code> in
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>
to correctly handle HTTP/2 <code>GOAWAY</code> frame. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7794">#7794</a>)</li>
<li><code>WithHostID</code> detector in
<code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for
<code>ioreg</code> command on Darwin (macOS). (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7818">#7818</a>)</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li>Deprecate <code>go.opentelemetry.io/otel/exporters/zipkin</code>.
For more information, see the <a
href="https://opentelemetry.io/blog/2025/deprecating-zipkin-exporters/">OTel
blog post deprecating the Zipkin exporter</a>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7670">#7670</a>)</li>
</ul>
<h2>[1.39.0/0.61.0/0.15.0/0.0.14] 2025-12-05</h2>
<h3>Added</h3>
<ul>
<li>Greatly reduce the cost of recording metrics in
<code>go.opentelemetry.io/otel/sdk/metric</code> using hashing for map
keys. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7175">#7175</a>)</li>
<li>Add <code>WithInstrumentationAttributeSet</code> option to
<code>go.opentelemetry.io/otel/log</code>,
<code>go.opentelemetry.io/otel/metric</code>, and
<code>go.opentelemetry.io/otel/trace</code> packages.
This provides a concurrent-safe and performant alternative to
<code>WithInstrumentationAttributes</code> by accepting a
pre-constructed <code>attribute.Set</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7287">#7287</a>)</li>
<li>Add experimental observability for the Prometheus exporter in
<code>go.opentelemetry.io/otel/exporters/prometheus</code>.
Check the
<code>go.opentelemetry.io/otel/exporters/prometheus/internal/x</code>
package documentation for more information. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7345">#7345</a>)</li>
<li>Add experimental observability metrics in
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7353">#7353</a>)</li>
<li>Add temporality selector functions
<code>DeltaTemporalitySelector</code>,
<code>CumulativeTemporalitySelector</code>,
<code>LowMemoryTemporalitySelector</code> to
<code>go.opentelemetry.io/otel/sdk/metric</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7434">#7434</a>)</li>
<li>Add experimental observability metrics for simple log processor in
<code>go.opentelemetry.io/otel/sdk/log</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7548">#7548</a>)</li>
<li>Add experimental observability metrics in
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7459">#7459</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/a3a5317c5caed1656fb5b301b66dfeb3c4c944e0"><code>a3a5317</code></a>
Release v1.40.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7859">#7859</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/77785da545d67b38774891cbdd334368bfacdfd8"><code>77785da</code></a>
chore(deps): update github/codeql-action action to v4.32.1 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7858">#7858</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/56fa1c297bf71f0ada3dbf4574a45d0607812cc0"><code>56fa1c2</code></a>
chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7857">#7857</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/298cbedf256b7a9ab3c21e41fc5e3e6d6e4e94aa"><code>298cbed</code></a>
Upgrade semconv use to v1.39.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/3264bf171b1e6cd70f6be4a483f2bcb84eda6ccf"><code>3264bf1</code></a>
refactor: modernize code (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7850">#7850</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/fd5d030c0aa8b5bfe786299047bc914b5714d642"><code>fd5d030</code></a>
chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to
v2.27...</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/8d3b4cb2501dec9f1c5373123e425f109c43b8d2"><code>8d3b4cb</code></a>
chore(deps): update actions/cache action to v5.0.3 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7847">#7847</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/91f7cadfcac363d67030f6913687c6dbbe086823"><code>91f7cad</code></a>
chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7845">#7845</a>)</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/fdad1eb7f350ee1f5fdb3d9a0c6855cc88ee9d75"><code>fdad1eb</code></a>
chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to
v2.27...</li>
<li><a
href="https://github.com/open-telemetry/opentelemetry-go/commit/c46d3bac181ddaaa83286e9ccf2cd9f7705fd3d9"><code>c46d3ba</code></a>
chore(deps): update golang.org/x/telemetry digest to fcf36f6 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7843">#7843</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-telemetry/opentelemetry-go/compare/v1.36.0...v1.40.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=go.opentelemetry.io/otel/sdk&package-manager=go_modules&previous-version=1.36.0&new-version=1.40.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/Azure/eno/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from
1.72.0 to 1.79.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.79.3</h2>
<h1>Security</h1>
<ul>
<li>server: fix an authorization bypass where malformed :path headers
(missing the leading slash) could bypass path-based restricted
&quot;deny&quot; rules in interceptors like <code>grpc/authz</code>. Any
request with a non-canonical path is now immediately rejected with an
<code>Unimplemented</code> error. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8981">#8981</a>)</li>
</ul>
<h2>Release 1.79.2</h2>
<h1>Bug Fixes</h1>
<ul>
<li>stats: Prevent redundant error logging in health/ORCA producers by
skipping stats/tracing processing when no stats handler is configured.
(<a
href="https://redirect.github.com/grpc/grpc-go/pull/8874">grpc/grpc-go#8874</a>)</li>
</ul>
<h2>Release 1.79.1</h2>
<h1>Bug Fixes</h1>
<ul>
<li>grpc: Remove the <code>-dev</code> suffix from the User-Agent
header. (<a
href="https://redirect.github.com/grpc/grpc-go/pull/8902">grpc/grpc-go#8902</a>)</li>
</ul>
<h2>Release 1.79.0</h2>
<h1>API Changes</h1>
<ul>
<li>mem: Add experimental API <code>SetDefaultBufferPool</code> to
change the default buffer pool. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8806">#8806</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/vanja-p"><code>@​vanja-p</code></a></li>
</ul>
</li>
<li>experimental/stats: Update <code>MetricsRecorder</code> to require
embedding the new <code>UnimplementedMetricsRecorder</code> (a no-op
struct) in all implementations for forward compatibility. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li>
</ul>
<h1>Behavior Changes</h1>
<ul>
<li>balancer/weightedtarget: Remove handling of <code>Addresses</code>
and only handle <code>Endpoints</code> in resolver updates. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8841">#8841</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>experimental/stats: Add support for asynchronous gauge metrics
through the new <code>AsyncMetricReporter</code> and
<code>RegisterAsyncReporter</code> APIs. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li>
<li>pickfirst: Add support for weighted random shuffling of endpoints,
as described in <a
href="https://redirect.github.com/grpc/proposal/pull/535">gRFC A113</a>.
<ul>
<li>This is enabled by default, and can be turned off using the
environment variable
<code>GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING</code>. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8864">#8864</a>)</li>
</ul>
</li>
<li>xds: Implement <code>:authority</code> rewriting, as specified in <a
href="https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md">gRFC
A81</a>. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8779">#8779</a>)</li>
<li>balancer/randomsubsetting: Implement the
<code>random_subsetting</code> LB policy, as specified in <a
href="https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md">gRFC
A68</a>. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8650">#8650</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/marek-szews"><code>@​marek-szews</code></a></li>
</ul>
</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>credentials/tls: Fix a bug where the port was not stripped from the
authority override before validation. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8726">#8726</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/Atul1710"><code>@​Atul1710</code></a></li>
</ul>
</li>
<li>xds/priority: Fix a bug causing delayed failover to lower-priority
clusters when a higher-priority cluster is stuck in
<code>CONNECTING</code> state. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8813">#8813</a>)</li>
<li>health: Fix a bug where health checks failed for clients using
legacy compression options (<code>WithDecompressor</code> or
<code>RPCDecompressor</code>). (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8765">#8765</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/sanki92"><code>@​sanki92</code></a></li>
</ul>
</li>
<li>transport: Fix an issue where the HTTP/2 server could skip header
size checks when terminating a stream early. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8769">#8769</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/joybestourous"><code>@​joybestourous</code></a></li>
</ul>
</li>
<li>server: Propagate status detail headers, if available, when
terminating a stream during request header processing. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8754">#8754</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/joybestourous"><code>@​joybestourous</code></a></li>
</ul>
</li>
</ul>
<h1>Performance Improvements</h1>
<ul>
<li>credentials/alts: Optimize read buffer alignment to reduce copies.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/8791">#8791</a>)</li>
<li>mem: Optimize pooling and creation of <code>buffer</code> objects.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/8784">#8784</a>)</li>
<li>transport: Reduce slice re-allocations by reserving slice capacity.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/8797">#8797</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/dda86dbd9cecb8b35b58c73d507d81d67761205f"><code>dda86db</code></a>
Change version to 1.79.3 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8983">#8983</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5"><code>72186f1</code></a>
grpc: enforce strict path checking for incoming requests on the server
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/8981">#8981</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/97ca3522b239edf6813e2b1106924e9d55e89d43"><code>97ca352</code></a>
Changing version to 1.79.3-dev (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8954">#8954</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/8902ab6efea590f5b3861126559eaa26fa9783b2"><code>8902ab6</code></a>
Change the version to release 1.79.2 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8947">#8947</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/a9286705aa689bee321ec674323b6896284f3e02"><code>a928670</code></a>
Cherry-pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/8874">#8874</a> to
v1.79.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8904">#8904</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/06df3638c0bcee88197b1033b3ba83e1eb8bc010"><code>06df363</code></a>
Change version to 1.79.2-dev (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8903">#8903</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/782f2de44f597af18a120527e7682a6670d84289"><code>782f2de</code></a>
Change version to 1.79.1 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8902">#8902</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/850eccbb2257bd2de6ac28ee88a7172ab6175629"><code>850eccb</code></a>
Change version to 1.79.1-dev (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8851">#8851</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/765ff056b6890f6c8341894df4e9668e9bfc18ef"><code>765ff05</code></a>
Change version to 1.79.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8850">#8850</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/68804be0e78ed0365bb5a576dedc12e2168ed63e"><code>68804be</code></a>
Cherry pick <a
href="https://redirect.github.com/grpc/grpc-go/issues/8864">#8864</a> to
v1.79.x (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8896">#8896</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.72.0...v1.79.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/grpc&package-manager=go_modules&previous-version=1.72.0&new-version=1.79.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/Azure/eno/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
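The grpc-go 1.79.3 security note above is the one item in this cherry-pick that changes request handling rather than performance or API surface, so here is an added example that makes it concrete. It is written for this page in plain Go with no gRPC dependency; it is neither grpc-go's own code nor part of this PR, and the `checkCanonicalPath` function, the `/admin.Service/Delete` deny rule and the `handleLenient`/`handleStrict` names are assumptions made for the illustration. The lenient router models the historical behaviour of tolerating a missing leading slash, the deny rule is keyed on the full `/service/method` name as a path-based policy would be, and the strict handler shows the effect of rejecting any non-canonical path before policy evaluation. The exact check grpc-go adopted in #8981 is not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed deny rule for this example: a path-based policy expressed on the
// full method name, the way an interceptor such as grpc/authz would see it.
var denyRules = map[string]bool{
	"/admin.Service/Delete": true,
}

// routeMethod models lenient routing: an optional leading slash is dropped and
// the last "/" splits service from method, so "admin.Service/Delete" and
// "/admin.Service/Delete" both resolve to the same handler.
func routeMethod(path string) (service, method string, ok bool) {
	sm := strings.TrimPrefix(path, "/")
	pos := strings.LastIndex(sm, "/")
	if pos == -1 {
		return "", "", false
	}
	return sm[:pos], sm[pos+1:], true
}

// deniedByPolicy evaluates the deny rules against the raw :path value.
func deniedByPolicy(path string) bool {
	return denyRules[path]
}

var errNonCanonicalPath = errors.New("non-canonical :path")

// checkCanonicalPath is the assumed strict check for this example: the path
// must have the shape "/<service>/<method>" with both components non-empty.
func checkCanonicalPath(path string) error {
	if !strings.HasPrefix(path, "/") {
		return errNonCanonicalPath
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return errNonCanonicalPath
	}
	return nil
}

// Decision is the outcome of handling one request path.
type Decision string

const (
	Allowed  Decision = "allowed"
	Denied   Decision = "denied by policy"
	Rejected Decision = "rejected: non-canonical path"
	Unrouted Decision = "no handler"
)

// handleLenient runs the policy and then the lenient router, with no shape
// check; an unprefixed path misses the deny rule yet still reaches a handler.
func handleLenient(path string) Decision {
	if deniedByPolicy(path) {
		return Denied
	}
	if _, _, ok := routeMethod(path); !ok {
		return Unrouted
	}
	return Allowed
}

// handleStrict rejects non-canonical paths before the policy runs, so the
// policy and the router always see the same path shape.
func handleStrict(path string) Decision {
	if err := checkCanonicalPath(path); err != nil {
		return Rejected
	}
	return handleLenient(path)
}

func main() {
	// Constructed sample paths: canonical denied, unprefixed, canonical allowed.
	for _, p := range []string{"/admin.Service/Delete", "admin.Service/Delete", "/admin.Service/Get"} {
		fmt.Printf("%-24s lenient=%-18s strict=%s\n", p, handleLenient(p), handleStrict(p))
	}
}
```

The point for anyone running path-based authorization in front of a router is that both must agree on path shape; enforcing `/<service>/<method>` before policy evaluation closes the gap, and on 1.79.3 or later the server itself rejects such requests with `Unimplemented`, as the release note states.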
```bash
trivy image mcr.microsoft.com/aks/eno/eno-reconciler:v20260316.20260316.1  --detection-priority comprehensive
2026-04-08T18:57:02Z    INFO    [vuln] Vulnerability scanning is enabled
2026-04-08T18:57:02Z    INFO    [secret] Secret scanning is enabled
2026-04-08T18:57:02Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-04-08T18:57:02Z    INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-04-08T18:57:03Z    INFO    Detected OS     family="debian" version="13.4"
2026-04-08T18:57:03Z    INFO    [debian] Detecting vulnerabilities...   os_version="13" pkg_num=5
2026-04-08T18:57:03Z    INFO    Number of language-specific files       num=1
2026-04-08T18:57:03Z    INFO    [gobinary] Detecting vulnerabilities...
2026-04-08T18:57:03Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.

Report Summary

┌─────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                                   Target                                    │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ mcr.microsoft.com/aks/eno/eno-reconciler:v20260316.20260316.1 (debian 13.4) │  debian  │        0        │    -    │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ eno-reconciler                                                              │ gobinary │        9        │    -    │
└─────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

eno-reconciler (gobinary)

Total: 9 (UNKNOWN: 6, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2026-25679 │ HIGH     │ fixed  │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-27142 │ MEDIUM   │        │                   │                │ html/template: URLs in meta content attribute actions are   │
│         │                │          │        │                   │                │ not escaped in html/template...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32280 │ UNKNOWN  │        │                   │ 1.25.9, 1.26.2 │ Unexpected work during chain building in crypto/x509        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32281 │          │        │                   │                │ Inefficient policy validation in crypto/x509                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32282 │          │        │                   │                │ TOCTOU permits root escape on Linux via Root.Chmod in os in │
│         │                │          │        │                   │                │ internal/syscall/unix...                                    │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32283 │          │        │                   │                │ Unauthenticated TLS 1.3 KeyUpdate record can cause          │
│         │                │          │        │                   │                │ persistent connection retention and DoS...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32288 │          │        │                   │                │ Unbounded allocation for old GNU sparse in archive/tar      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32289 │          │        │                   │                │ JsBraceDepth Context Tracking Bugs (XSS) in html/template   │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

```

https://portal.microsofticm.com/imp/v5/incidents/details/771147211/summary
@ruinan-liu ruinan-liu marked this pull request as ready for review April 20, 2026 18:43
@ruinan-liu ruinan-liu merged commit 0242fdd into official/v20260316 Apr 20, 2026
31 of 33 checks passed