
chore(core): CVE mitigation 20-05-2026 in CSE#2380

Merged: LopatinDmitr merged 3 commits into release-1.0-cse from cve-mitigation-20-05-2026-cse on May 22, 2026

Conversation

@LopatinDmitr (Contributor) commented May 20, 2026

Description

  • Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive
    allocations (remote DoS amplification)
  • Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME...
  • Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ...
  • Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ...
  • Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ...
  • Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ...
  • Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing...
  • Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in...
  • Fix CVE-2026-41520: Cilium exposes sensitive information included in the cilium-bugtool debug
    archive
  • Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ...

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: chore
summary: |
  Fixed vulnerabilities:
  - CVE-2026-29181
  - CVE-2026-33811
  - CVE-2026-33814
  - CVE-2026-39820
  - CVE-2026-39823
  - CVE-2026-39825
  - CVE-2026-39826
  - CVE-2026-39836
  - CVE-2026-41520
  - CVE-2026-42499
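
A check a reviewer of a dependency-bump PR like this one wants before merging is that none of the identifiers in the changelog are still reported against the branch. The program below is an added example for that check; it is not code from this PR or from the project. It reads the JSON stream that `govulncheck -json` emits (a sequence of objects carrying one of the keys `config`, `progress`, `osv` or `finding`), maps the OSV IDs of every `finding` back to their CVE aliases, and returns the changelog CVEs that are still reported. The embedded `sampleStream` is a constructed stand-in for real scanner output, with placeholder OSV IDs `GO-EXAMPLE-0001` and `GO-EXAMPLE-0002` that do not exist in the Go vulnerability database; the file name `check.go` in the usage comment is likewise an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// ChangelogCVEs are the identifiers listed in the PR's changelog entry.
var ChangelogCVEs = []string{
	"CVE-2026-29181", "CVE-2026-33811", "CVE-2026-33814", "CVE-2026-39820",
	"CVE-2026-39823", "CVE-2026-39825", "CVE-2026-39826", "CVE-2026-39836",
	"CVE-2026-41520", "CVE-2026-42499",
}

// sampleStream is a CONSTRUCTED stand-in for `govulncheck -json` output. The OSV IDs are
// placeholders, not real database entries. Only GO-EXAMPLE-0002 has a finding, so only
// its alias (CVE-2026-33814) should be reported as unfixed.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-EXAMPLE-0001","aliases":["CVE-2026-29181"],"summary":"constructed sample"}}
{"osv":{"id":"GO-EXAMPLE-0002","aliases":["CVE-2026-33814"],"summary":"constructed sample"}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.0.0-example","trace":[]}}
`

// osvEntry is the subset of an OSV record that govulncheck emits under the "osv" key.
type osvEntry struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
}

// finding is the subset of a govulncheck "finding" message used here.
type finding struct {
	OSV          string `json:"osv"`
	FixedVersion string `json:"fixed_version"`
}

// message is one object of the stream; config/progress objects leave both fields nil.
type message struct {
	OSV     *osvEntry `json:"osv"`
	Finding *finding  `json:"finding"`
}

// UnfixedCVEs parses a govulncheck -json stream and returns, sorted, those IDs from want
// that still appear as the alias of a reported finding. Objects are collected first and
// resolved afterwards, so the result does not depend on osv entries preceding findings.
func UnfixedCVEs(r io.Reader, want []string) ([]string, error) {
	wanted := make(map[string]bool, len(want))
	for _, id := range want {
		wanted[id] = true
	}
	aliases := map[string][]string{} // OSV ID -> CVE aliases
	reported := map[string]bool{}     // OSV IDs that occur in a finding
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.OSV != nil {
			aliases[m.OSV.ID] = m.OSV.Aliases
		}
		if m.Finding != nil {
			reported[m.Finding.OSV] = true
		}
	}
	seen := map[string]bool{}
	for osvID := range reported {
		for _, a := range aliases[osvID] {
			if wanted[a] {
				seen[a] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for id := range seen {
		out = append(out, id)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	var in io.Reader = strings.NewReader(sampleStream)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // e.g. govulncheck -json ./... | go run check.go -
	}
	unfixed, err := UnfixedCVEs(in, ChangelogCVEs)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(2)
	}
	if len(unfixed) > 0 {
		fmt.Println("still reported as reachable:", strings.Join(unfixed, ", "))
		os.Exit(1)
	}
	fmt.Println("none of the changelog CVEs are reported by govulncheck")
}
```

Run against the merged branch with `govulncheck -json ./... | go run check.go -`; a non-zero exit means at least one changelog CVE is still reachable from the module graph. The caveat is that govulncheck can only report what the Go vulnerability database knows: a CVE with no database entry, or one affecting a component that is not a Go dependency of this module, never produces a finding, so an empty result is only as strong as the database's coverage of the listed IDs.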

@LopatinDmitr LopatinDmitr marked this pull request as draft May 20, 2026 16:45
@LopatinDmitr LopatinDmitr changed the title from "wip" to "chore(core): CVE mitigation 20-05-2026 in CSE" May 20, 2026
@LopatinDmitr LopatinDmitr force-pushed the cve-mitigation-20-05-2026-cse branch 2 times, most recently from 4334db8 to d313c61 May 21, 2026 20:10
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the cve-mitigation-20-05-2026-cse branch from 2147c3b to 3d12041 May 22, 2026 15:58
@universal-itengineer universal-itengineer marked this pull request as ready for review May 22, 2026 16:07
@LopatinDmitr LopatinDmitr merged commit 3d244c8 into release-1.0-cse May 22, 2026
27 of 29 checks passed
@LopatinDmitr LopatinDmitr deleted the cve-mitigation-20-05-2026-cse branch May 22, 2026 19:14