fix multiple cves in oadp-1.3#37
Conversation
Update go.opentelemetry.io/otel/sdk v1.17.0 -> v1.43.0: - CVE-2026-39883: Arbitrary code execution via PATH hijacking on BSD/Solaris Update golang.org/x/crypto v0.35.0 -> v0.53.0: - CVE-2025-47913: SSH client panic due to unexpected SSH_AGENT_SUCCESS - CVE-2026-39827: Resource exhaustion via repeated channel opens - CVE-2026-39828: Unauthorized command execution via discarded SSH permissions - CVE-2026-39829: DoS via crafted public key with excessive parameters - CVE-2026-39830: DoS via resource leak from unsolicited SSH responses - CVE-2026-39832: Security bypass due to improper handling of key restrictions - CVE-2026-39835: DoS via crafted SSH certificate - CVE-2026-42508: Revocation bypass via unchecked SignatureKey - CVE-2026-46595: Authorization bypass due to skipped source-address validation - CVE-2026-46597: Server-side panic due to incorrect cast from bytes to int Update golang.org/x/net v0.36.0 -> v0.56.0: - CVE-2026-25681: Arbitrary code execution via Cross-Site Scripting in html pkg - CVE-2026-27136: XSS via Render of arbitrary HTML - CVE-2026-33814: DoS via malformed SETTINGS_MAX_FRAME_SIZE frame (HTTP/2) - CVE-2026-39821: Privilege escalation via incorrect Punycode label processing - CVE-2026-42502: XSS via Render of arbitrary HTML Update google.golang.org/grpc v1.57.0 -> v1.81.1: - CVE-2026-33186 (CRITICAL): Authorization bypass due to improper HTTP/2 path validation - GHSA-m425-mq94-257g: gRPC-Go HTTP/2 Rapid Reset vulnerability Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
/test Check PR Title / Check PR Title (pull_request) |
|
@weshayutin: No presubmit jobs available for migtools/kopia@oadp-1.3 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Joeavaikath, sseago, weshayutin The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Update go.opentelemetry.io/otel/sdk v1.17.0 -> v1.43.0:
GHSA-hfvc-g4fc-pqhx: Arbitrary code execution via PATH hijacking on BSD/Solaris
Update golang.org/x/crypto v0.35.0 -> v0.53.0:
GHSA-56w8-48fp-6mgv: SSH client panic due to unexpected SSH_AGENT_SUCCESS
GHSA-qpw4-5x99-6vjp: Resource exhaustion via repeated channel opens
GHSA-45gg-vh54-h5m9: Unauthorized command execution via discarded SSH permissions
GHSA-w879-237q-wc7r: DoS via crafted public key with excessive parameters
GHSA-vgwf-h737-ff37: DoS via resource leak from unsolicited SSH responses
GHSA-f5wc-c3c7-36mc: Security bypass due to improper handling of key restrictions
GHSA-78mq-xcr3-xm33: DoS via crafted SSH certificate
GHSA-5cgq-3rg8-m6cv: Revocation bypass via unchecked SignatureKey
GHSA-x527-x647-q7gg: Authorization bypass due to skipped source-address validation
GHSA-q4h4-gmj2-qvw2: Server-side panic due to incorrect cast from bytes to int
Update golang.org/x/net v0.36.0 -> v0.56.0:
GHSA-w9p8-pvxh-rxpj: Arbitrary code execution via Cross-Site Scripting in html pkg
GHSA-m9x8-m34x-fj9q: XSS via Render of arbitrary HTML
CVE-2026-33814: DoS via malformed SETTINGS_MAX_FRAME_SIZE frame (HTTP/2)
GHSA-w2q5-6q6x-x959: Privilege escalation via incorrect Punycode label processing
GHSA-wrh2-89vg-4j9g: XSS via Render of arbitrary HTML
Update google.golang.org/grpc v1.57.0 -> v1.81.1:
GHSA-p77j-4mvh-x3m3 (CRITICAL): Authorization bypass due to improper HTTP/2 path validation
GHSA-m425-mq94-257g: gRPC-Go HTTP/2 Rapid Reset vulnerability
Otel CVE:
Open this link in a new tab
CVE-2026-41178