[openshift-5.0] OCPBUGS-92008: bumping quic-go to v0.59.1#196
[openshift-5.0] OCPBUGS-92008: bumping quic-go to v0.59.1#196AkashMore08 wants to merge 1 commit into
Conversation
|
@AkashMore08: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThis change updates the go.mod file to bump the direct dependency github.com/quic-go/quic-go from version v0.55.0 to v0.59.1. No other changes are included. ChangesDependency Version Bump
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 5 | ❌ 10❌ Failed checks (10 inconclusive)
✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@AkashMore08: No Jira issue with key CVE-2026 exists in the tracker at https://redhat.atlassian.net. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@AkashMore08: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-92008, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-92008, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@AkashMore08: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
1. Why is this pull request needed and what does it do?
This PR bumps github.com/quic-go/quic-go from v0.55.0 to v0.59.1 to remediate CVE-2026-40898 (GO-2026-5676).
CVE-2026-40898 is a denial-of-service vulnerability in quic-go's HTTP/3 implementation where a malicious peer can cause excessive memory allocation via crafted QPACK-encoded trailer fields. While CoreDNS only uses quic-go for DNS-over-QUIC (DoQ) and does not import the vulnerable http3 sub-package, this bump clears the module-level vulnerability finding. (For best practice)
Advisory: GHSA-vvgj-x9jq-8cj9
2. Which issues (if any) are related?
CVE-2026-40898
GO-2026-5676
GHSA-vvgj-x9jq-8cj9
3. Which documentation changes (if any) need to be made?
None.
4. Does this introduce a backward incompatible change or deprecation?
No. The quic-go public API used by CoreDNS (quic.Connection, quic.Config, quic.Transport) is unchanged between v0.55.0 and v0.59.1. The Go version in go.mod remains at 1.25.0.
Summary by CodeRabbit