
chore(core): cve mitigation 15-04-2026 for release 1.6.3#2218

Merged
LopatinDmitr merged 4 commits intorelease-1.6from
fix-cve-for-release-1-6
Apr 16, 2026

Conversation

Contributor

@LopatinDmitr LopatinDmitr commented Apr 15, 2026

Description

  • CRITICAL https://github.com/advisories/GHSA-p77j-4mvh-x3m3 — google.golang.org/grpc/grpc-go: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation.
  • HIGH https://github.com/advisories/GHSA-hfvc-g4fc-pqhx — opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking.
  • HIGH https://github.com/advisories/GHSA-78h2-9frx-2jm8 — Go JOSE: Denial of Service via crafted JSON Web Encryption.
  • HIGH https://github.com/advisories/GHSA-x744-4wpc-v9h2 — Moby: Authorization bypass vulnerability.
  • HIGH https://github.com/advisories/GHSA-j3gx-2473-5fp8 — net/url: Incorrect parsing of IPv6 host literals in net/url.
  • HIGH https://github.com/advisories/GHSA-m4pr-4j3g-9v7v — During chain building, the amount of work that is done is not properly limited.
  • HIGH https://github.com/advisories/GHSA-xj38-jxc5-rppx — golang internal/syscall/unix: Root.Chmod can follow symlinks out of the root.
  • MEDIUM https://github.com/advisories/GHSA-hxv8-4j4r-cqgv — Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic.
  • MEDIUM https://github.com/advisories/GHSA-pxq6-2prw-chj9 — Moby: Privilege validation bypass during plugin installation.
  • MEDIUM https://github.com/advisories/GHSA-j4j7-vw47-rhfq — html/template: URLs in meta content attribute actions are not escaped.
  • MEDIUM https://github.com/advisories/GHSA-gjvh-7jh8-7xhm — Go crypto/x509: Denial of Service via inefficient certificate chain validation.
  • MEDIUM https://github.com/advisories/GHSA-x4jj-h2v8-hqqv — Go archive/tar package: Denial of Service via maliciously-crafted archive.
  • MEDIUM https://github.com/advisories/GHSA-7mr4-xjxg-34g6 — html/template: Cross-Site Scripting (XSS) via improper context and brace depth handling.
  • LOW https://github.com/advisories/GHSA-rv83-g57w-fr8j — os: FileInfo can escape from a Root in golang os module.
  • UNKNOWN https://github.com/advisories/GHSA-jrg3-gfjw-hm96 — If one side of the TLS connection sends multiple key update messages, connection handling may be unsafe.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-32283
  - CVE-2026-27139
  - CVE-2026-32289
  - CVE-2026-32288
  - CVE-2026-32281
  - CVE-2026-27142
  - CVE-2026-33997
  - CVE-2026-33726
  - CVE-2026-32282
  - CVE-2026-32280
  - CVE-2026-25679
  - CVE-2026-34040
  - CVE-2026-34986
  - CVE-2026-39883
  - CVE-2026-33186
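
A post-merge check that a PR like this one deserves, added here as an example and not part of the project or of this PR: parse the `go version -m` output of the shipped binary and confirm that every module named in the advisories (and the toolchain, for the stdlib ones) is at or above the version that carries the fix. Only the module paths are real; the binary name, the sample output and every floor version below are constructed placeholders, and the real floors must be taken from the linked advisories.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoVersionM is a CONSTRUCTED sample of `go version -m <binary>` output, not a
// real build of this project: binary name and versions are placeholders, module paths are real.
const sampleGoVersionM = `example-controller: go1.26.1
	dep	google.golang.org/grpc	v1.70.0	h1:placeholder=
	dep	github.com/go-jose/go-jose/v4	v4.1.0	h1:placeholder=
	dep	go.opentelemetry.io/otel	v1.40.0	h1:placeholder=
	dep	github.com/docker/docker	v27.0.0	h1:placeholder=
	=>	github.com/moby/moby	v28.1.0	h1:placeholder=
`

// floors: module path -> minimum version carrying the fix; the pseudo-module "go" is the
// toolchain floor for the stdlib advisories. HYPOTHETICAL placeholder versions; take the
// real floors from the advisories listed in the PR.
var floors = map[string]string{
	"go":                            "1.26.2",
	"google.golang.org/grpc":        "v1.71.0",
	"github.com/go-jose/go-jose/v4": "v4.1.1",
	"go.opentelemetry.io/otel":      "v1.40.0",
	"github.com/moby/moby":          "v28.0.0",
}

// parseGoVersionM returns the resolved version of each linked module, plus the toolchain
// under the key "go"; a "=>" (replace) line overrides the version of the preceding "dep".
func parseGoVersionM(out string) map[string]string {
	deps := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	last := ""
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 2 && strings.HasSuffix(f[0], ":") && strings.HasPrefix(f[1], "go"):
			deps["go"] = strings.TrimPrefix(f[1], "go") // header line "<name>: go1.26.1"
		case len(f) >= 3 && f[0] == "dep":
			deps[f[1]], last = f[2], f[1]
		case len(f) >= 3 && f[0] == "=>" && last != "":
			deps[last], deps[f[1]] = f[2], f[2] // replaced path and the replacement itself
		}
	}
	return deps
}

// splitVersion turns "v1.2.3-rc1", "1.26" or the toolchain form "1.26rc1" into numeric
// parts plus a pre-release tag; build metadata after "+" is dropped.
func splitVersion(v string) (parts [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	if i := strings.Index(v, "rc"); i >= 0 && !strings.Contains(v, "-") {
		v = v[:i] + "-" + v[i:] // 1.26rc1 -> 1.26-rc1
	}
	v, pre, _ = strings.Cut(v, "-")
	for i, s := range strings.SplitN(v, ".", 3) {
		parts[i], _ = strconv.Atoi(s)
	}
	return parts, pre
}

// versionLess reports whether a < b; a pre-release sorts below the same release.
func versionLess(a, b string) bool {
	pa, prea := splitVersion(a)
	pb, preb := splitVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return (preb == "" && prea != "") || (prea != "" && preb != "" && prea < preb)
}

// checkFloors returns one finding per floor whose module is linked into the binary but
// still below the floor. Modules absent from the binary are skipped: that advisory is
// not linked in, whatever go.mod says.
func checkFloors(deps, floors map[string]string) []string {
	var findings []string
	for mod, floor := range floors {
		if got, ok := deps[mod]; ok && versionLess(got, floor) {
			findings = append(findings, fmt.Sprintf("%s %s < %s", mod, got, floor))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range checkFloors(parseGoVersionM(sampleGoVersionM), floors) {
		fmt.Println("BELOW FLOOR:", f)
	}
}
```

Feed it the real `go version -m` output of each binary in the release image rather than go.mod: go.mod lists requirements, the binary records what was actually linked, including replace directives, which is where a half-applied bump tends to hide. The check deliberately says nothing about reachability; `govulncheck ./...` over the source tree is the complementary check for whether the vulnerable functions are called at all.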

@LopatinDmitr LopatinDmitr self-assigned this Apr 15, 2026
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch from 73ec511 to 22694b8 on April 15, 2026 15:56
- **CRITICAL** `CVE-2026-33186` — google.golang.org/grpc/grpc-go: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation.
- **HIGH** `CVE-2026-39883` — opentelemetry-go: BSD `kenv` command not using absolute path enables PATH hijacking.
- **HIGH** `CVE-2026-34986` — Go JOSE: Denial of Service via crafted JSON Web Encryption.
- **HIGH** `CVE-2026-34040` — Moby: Authorization bypass vulnerability.
- **HIGH** `CVE-2026-25679` — net/url: Incorrect parsing of IPv6 host literals in `net/url`.
- **HIGH** `CVE-2026-32280` — During chain building, the amount of work that is done is not properly limited.
- **HIGH** `CVE-2026-32282` — golang `internal/syscall/unix`: `Root.Chmod` can follow symlinks out of the root.
- **MEDIUM** `CVE-2026-33726` — Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic.
- **MEDIUM** `CVE-2026-33997` — Moby: Privilege validation bypass during plugin installation.
- **MEDIUM** `CVE-2026-27142` — `html/template`: URLs in meta content attribute actions are not escaped.
- **MEDIUM** `CVE-2026-32281` — Go `crypto/x509`: Denial of Service via inefficient certificate chain validation.
- **MEDIUM** `CVE-2026-32288` — Go `archive/tar` package: Denial of Service via maliciously-crafted archive.
- **MEDIUM** `CVE-2026-32289` — `html/template`: Cross-Site Scripting (XSS) via improper context and brace depth handling.
- **LOW** `CVE-2026-27139` — `os`: `FileInfo` can escape from a Root in golang `os` module.
- **UNKNOWN** `CVE-2026-32283` — If one side of the TLS connection sends multiple key update messages, connection handling may be unsafe.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch 3 times, most recently from 4f15788 to beb1111 on April 16, 2026 08:07
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch from beb1111 to f4b6b8d on April 16, 2026 11:23
…cense

- rename module from 'hooks' to 'github.com/deckhouse/virtualization/hooks' in go.mod
- fix gci import grouping: move hooks/pkg/settings to external packages group
- add .golangci.yaml v2 config to images/hooks
- update shatal and addlicense .golangci.yaml to version: "2" format

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr added this to the v1.6.3 milestone Apr 16, 2026
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch 2 times, most recently from 8686c42 to 402d6e2 on April 16, 2026 12:45
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix-cve-for-release-1-6 branch from 402d6e2 to 1855ed8 on April 16, 2026 12:52
@LopatinDmitr LopatinDmitr marked this pull request as ready for review April 16, 2026 13:16
@LopatinDmitr LopatinDmitr merged commit bc32202 into release-1.6 Apr 16, 2026
28 of 29 checks passed
@LopatinDmitr LopatinDmitr deleted the fix-cve-for-release-1-6 branch April 16, 2026 14:22
This was referenced Apr 20, 2026