OCPBUGS-78658: Update Go to 1.25.8 for CVE-2026-25679 (release-1.2) by Thealisyed · Pull Request #134 · openshift/external-dns

Thealisyed · 2026-03-25T16:39:51Z

Summary

Bump Go from 1.25.7 to 1.25.8 in Konflux Containerfile to fix CVE-2026-25679

CVE Details

CVE: CVE-2026-25679
Go Vuln: GO-2026-4601
Severity: Moderate
Affected: net/url.Parse — accepted malformed IPv6 host literals
Fixed in: Go 1.25.8 / Go 1.26.1

Changes

File	Change
`Containerfile.externaldns`	`go-toolset:1.25.7` → `go-toolset:1.25.8`

openshift-ci-robot · 2026-03-25T16:40:00Z

@Thealisyed: This pull request references Jira Issue OCPBUGS-78658, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected Jira Issue OCPBUGS-78658 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description:

Summary

Bump Go from 1.18 to 1.25.8 to fix CVE-2026-25679 (incorrect parsing of IPv6 host literals in net/url)

Update all builder and CI images to Go 1.25

Fix Go 1.25 compatibility issues (format strings, sort stability, test context types)

CVE Details

CVE: CVE-2026-25679

Go Vuln: GO-2026-4601

Severity: Moderate

Affected: net/url.Parse — accepted malformed IPv6 host literals

Fixed in: Go 1.25.8 / Go 1.26.1

Changes

File Change

go.mod go 1.18 → go 1.25

Containerfile.externaldns ubi8/go-toolset:1.18.10 → 1.25.8

Dockerfile.openshift rhel-8-golang-1.18-openshift-4.12 → rhel-9-golang-1.25-openshift-4.21

drift-cache/Dockerfile Synced with Dockerfile.openshift

.ci-operator.yaml rhel-8-release-golang-1.18-openshift-4.12 → rhel-9-release-golang-1.25-openshift-4.21

Provider/test files Go 1.25 compatibility fixes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Thealisyed · 2026-04-01T14:36:57Z

/jira refresh

openshift-ci-robot · 2026-04-01T14:37:02Z

@Thealisyed: This pull request references Jira Issue OCPBUGS-78658, which is invalid:

expected Jira Issue OCPBUGS-78658 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

alebedev87 · 2026-04-11T07:20:31Z

I keep following up on ExtDNS work. Especially 1-2 and 1-1 releases which we never did before. I'm going to have a look at this one until it's released.

/assign

alebedev87

Please squash/fixup the commits as the only change you need is in Konflux Contrainerfile. Also, can you please change the PR description to reflect the changes. The PR changes golang from 1.25.7 to 1.25.8, not from 1.18.z.

alebedev87 · 2026-04-11T07:21:11Z

Why this change? We keep using rhel8 on 1.2 release. 4.22 was the right OCP version.

alebedev87 · 2026-04-11T07:21:21Z

Same comment.

alebedev87 · 2026-04-11T07:21:30Z

And the same comment.

Bump go-toolset from 1.25.7 to 1.25.8 in Konflux Containerfile to fix CVE-2026-25679 (incorrect parsing of IPv6 host literals in net/url). Co-assisted-by: Claude

openshift-ci · 2026-04-13T10:03:02Z

@Thealisyed: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

alebedev87 · 2026-04-15T23:36:33Z

/lgtm
/approve

openshift-ci · 2026-04-15T23:36:55Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~DOWNSTREAM_OWNERS~~ [alebedev87]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2026-04-15T23:38:37Z

@Thealisyed: Jira Issue OCPBUGS-78658: All pull requests linked via external trackers have merged:

openshift/external-dns#134

Jira Issue OCPBUGS-78658 has been moved to the MODIFIED state.

Details

In response to this:

Summary

Bump Go from 1.25.7 to 1.25.8 in Konflux Containerfile to fix CVE-2026-25679

CVE Details

CVE: CVE-2026-25679

Go Vuln: GO-2026-4601

Severity: Moderate

Affected: net/url.Parse — accepted malformed IPv6 host literals

Fixed in: Go 1.25.8 / Go 1.26.1

Changes

File Change

Containerfile.externaldns go-toolset:1.25.7 → go-toolset:1.25.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci bot requested review from gcs278 and grzpiotrowski March 25, 2026 16:40

openshift-ci bot assigned alebedev87 Apr 11, 2026

alebedev87 reviewed Apr 11, 2026

View reviewed changes

UPSTREAM: <carry>: Update Go to 1.25.8 for CVE-2026-25679

fa42d4d

Bump go-toolset from 1.25.7 to 1.25.8 in Konflux Containerfile to fix CVE-2026-25679 (incorrect parsing of IPv6 host literals in net/url). Co-assisted-by: Claude

Thealisyed force-pushed the cve-fix-25679 branch from 9a1f0d4 to fa42d4d Compare April 13, 2026 09:56

Thealisyed changed the title ~~OCPBUGS-78658: Update Go to 1.25.8 for CVE-2026-25679 (release-1.2)~~ OCPBUGS-78658: Update Go to 1.25.8 for CVE-2026-25679 (release-1.2) Apr 13, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 15, 2026

alebedev87 merged commit 1d5358e into openshift:release-1.2 Apr 15, 2026
3 of 4 checks passed

Conversation

Thealisyed commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

CVE Details

Changes

Uh oh!

openshift-ci-robot commented Mar 25, 2026

Summary

CVE Details

Changes

Uh oh!

Thealisyed commented Apr 1, 2026

Uh oh!

openshift-ci-robot commented Apr 1, 2026

Uh oh!

alebedev87 commented Apr 11, 2026

Uh oh!

alebedev87 left a comment

Choose a reason for hiding this comment

Uh oh!

alebedev87 Apr 11, 2026

Choose a reason for hiding this comment

Uh oh!

alebedev87 Apr 11, 2026

Choose a reason for hiding this comment

Uh oh!

alebedev87 Apr 11, 2026

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Apr 13, 2026

Uh oh!

alebedev87 commented Apr 15, 2026

Uh oh!

openshift-ci bot commented Apr 15, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented Apr 15, 2026

Summary

CVE Details

Changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Thealisyed commented Mar 25, 2026 •

edited

Loading