Skip to content

*: bump go.opentelemetry.io/otel/sdk to v1.43.0 to fix CVE-2026-24051 (#4884)#4943

Open
ti-chi-bot wants to merge 1 commit intopingcap:release-8.5from
ti-chi-bot:cherry-pick-4884-to-release-8.5
Open

*: bump go.opentelemetry.io/otel/sdk to v1.43.0 to fix CVE-2026-24051 (#4884)#4943
ti-chi-bot wants to merge 1 commit intopingcap:release-8.5from
ti-chi-bot:cherry-pick-4884-to-release-8.5

Conversation

@ti-chi-bot
Copy link
Copy Markdown
Member

@ti-chi-bot ti-chi-bot commented Apr 28, 2026

This is an automated cherry-pick of #4884

What problem does this PR solve?

Issue Number: close #4889

This PR upgrades go.opentelemetry.io/otel/sdk from v1.24.0 to v1.43.0 to address upstream OpenTelemetry SDK PATH hijacking vulnerabilities:

What is changed and how it works?

This PR updates the OpenTelemetry SDK and matching OpenTelemetry modules used by the Go module graph:

  • go.opentelemetry.io/otel/sdk: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel/metric: v1.24.0 -> v1.43.0
  • go.opentelemetry.io/otel/trace: v1.24.0 -> v1.43.0
  • golang.org/x/sys: v0.35.0 -> v0.42.0
  • github.com/go-logr/logr: v1.4.1 -> v1.4.3

go mod tidy also adds go.opentelemetry.io/auto/sdk v1.2.1 as an indirect dependency.

Check List

Tests

  • Manual test
  • No code

Manual test reported by the author:

make cdc build

Questions

Will it cause performance regression or break compatibility?

No performance regression is expected. This is a dependency-only change with no TiCDC source-code changes.

Do you need to update user documentation, design documentation or monitoring documentation?

No.

Release note

None

@diegeeker @ti-chi-bot
This is an automated cherry-pick of pingcap#4884
d843ddb 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot ti-chi-bot added contribution This PR is from a community contributor. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. first-time-contributor Indicates that the PR was contributed by an external member and is a first-time contributor. lgtm needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. type/cherry-pick-for-release-8.5 This PR is cherry-picked to release-8.5 from a source PR. labels Apr 28, 2026
@ti-chi-bot ti-chi-bot mentioned this pull request Apr 28, 2026
Merged
@ti-chi-bot
Copy link
Copy Markdown

ti-chi-bot Bot commented Apr 28, 2026

This cherry pick PR is for a release branch and has not yet been approved by triage owners.
Adding the do-not-merge/cherry-pick-not-approved label.

To merge this cherry pick:

  1. It must be LGTMed and approved by the reviewers firstly.
  2. For pull requests to TiDB-x branches, it must have no failed tests.
  3. AFTER it has lgtm and approved labels, please wait for the cherry-pick merging approval from triage owners.
Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ti-chi-bot
Copy link
Copy Markdown

ti-chi-bot Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign asddongmen for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Apr 28, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b5193349-b109-4bbc-9f6f-a630b2e282aa

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ti-chi-bot ti-chi-bot Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 28, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates go.opentelemetry.io/otel/sdk to version 1.43.0 to address CVE-2026-24051 and includes several other dependency adjustments, such as pinning grpc to version 1.65.0 via replace directives. However, the changes currently include unresolved merge conflict markers in both go.mod and go.sum that must be addressed before merging.

Comment thread go.sum
Comment on lines +1185 to +1190
<<<<<<< HEAD
github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
=======
github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
>>>>>>> dd501c84b (*: bump go.opentelemetry.io/otel/sdk to v1.43.0 to fix CVE-2026-24051 (#4884))
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This file contains merge conflict markers (<<<<<<<, =======, >>>>>>>). These must be resolved before the pull request can be merged. Please resolve the conflicts and commit the corrected file. It's likely that running go mod tidy after resolving conflicts in go.mod will fix this file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

contribution This PR is from a community contributor. do-not-merge/cherry-pick-not-approved do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. first-time-contributor Indicates that the PR was contributed by an external member and is a first-time contributor. lgtm needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/cherry-pick-for-release-8.5 This PR is cherry-picked to release-8.5 from a source PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ti-chi-bot @diegeeker