fix: resolve April 2026 docker-ptf security vulnerabilities #26676
Merged
yejianquan merged 1 commit into sonic-net:master, Apr 16, 2026
Conversation
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Contributor
Pull request overview
Updates the docker-ptf container build to remediate newly reported April 2026 security findings by upgrading the Go toolchain and several Go module dependencies used to build included utilities.
Changes:
- Bump Go toolchain used during image build from 1.25.8 to 1.25.9.
- Add/update Go module dependencies for grpcurl/gnoic/gnmic builds (notably go-jose/v4 and otel/sdk).
- Add an additional OS package upgrade step and pull in AWS SDK modules for gnmic.
13f390b to 86d2223
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
86d2223 to cf7438e
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
cf7438e to 2ca0308
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
2ca0308 to 6c3af36
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
6c3af36 to cddd862
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
cddd862 to c4d2f46
Collaborator
/azp run Azure.sonic-buildimage
Contributor (Author)
Discussed with @Janetxxx, Janet will raise a PR to migrate influxdb to 3.x
5dfdbb9 to 950ccb1
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
950ccb1 to 7b452c3
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
- Upgrade Go toolchain 1.25.8 → 1.25.9 (fixes CVE-2026-32280 through CVE-2026-32289: stdlib crypto/tls, archive/tar, html/template, os)
- Bump go.opentelemetry.io/otel/sdk v1.40.0 → v1.43.0 in gnmic (CVE-2026-39883: PATH hijacking via BSD kenv)
- Add github.com/go-jose/go-jose/v4@v4.1.4 to gnmic, gnoic, grpcurl (CVE-2026-34986: DoS via crafted JSON Web Encryption)
- Bump github.com/docker/docker to latest in gnmic (CVE-2026-34040: authorization bypass, CVE-2026-33997: privilege validation bypass during plugin installation)
- Add aws-sdk-go-v2 eventstream/s3 latest to gnmic (GHSA-xmrv-pmrh-hhx2: DoS via panic in AWS SDK for Go v2)
- Existing apt-get upgrade covers libpng16-16 fix (CVE-2026-33416: use-after-free, CVE-2026-33636: OOB read/write)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ubuntu <austinpham@austinpham-dev-vm-2.d4y3nv5wwgfelhhopdxv1tqjld.dx.internal.cloudapp.net>
Signed-off-by: Austin Pham (agent) <austinpham@microsoft.com>
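An added example for the verification side of this change, not code from the PR or from the sonic-buildimage project: a POSIX shell audit that parses the build info Go embeds in every binary (the text printed by go version -m) and checks the toolchain and the go-jose/otel minimums listed above, so a rebuilt docker-ptf image is checked for the fix rather than trusted on the strength of the Dockerfile diff. The binary path and the two sample listings are constructed; only the version minimums come from the PR.

```shell
#!/bin/sh
# Added example, not from the PR or sonic-buildimage: audit `go version -m <binary>` output
# against the toolchain and module minimums pinned by this PR.
# In the image (assumed install path): audit_buildinfo "$(go version -m /usr/local/bin/gnmic)"
# Here constructed listings are embedded so the check runs offline.

MIN_GO="go1.25.9"   # toolchain minimum from the PR
# "module=minimum" pairs for the modules the PR bumps in the tool builds.
REQUIRED="github.com/go-jose/go-jose/v4=v4.1.4 go.opentelemetry.io/otel/sdk=v1.43.0"

# version_ge HAVE MIN: true when HAVE >= MIN, comparing dotted numeric components after
# stripping a leading "go" or "v". A pre-release/build suffix ("-rc1", "+meta") is dropped,
# so a pre-release counts as equal to its release; tighten if pre-releases reach the image.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^(go|v)/, "", a); sub(/^(go|v)/, "", b)
        sub(/[-+].*$/, "", a);  sub(/[-+].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# dep_version LISTING MODULE: print the version of MODULE linked into the binary.
# A "=>" line directly after a dep line is a replace directive and overrides the
# version on the dep line. Prints nothing when the module is not linked at all.
dep_version() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "dep" && $2 == m { v = $3; pending = 1; next }
        pending && $1 == "=>"   { v = $3; pending = 0; next }
        { pending = 0 }
        END { if (v != "") print v }'
}

# audit_buildinfo LISTING: check the toolchain line and every REQUIRED module.
# Returns 0 when all minimums are met, 1 otherwise; prints one line per finding.
audit_buildinfo() {
    listing="$1"
    rc=0
    # First line is "<binary>: go1.25.9"; the last field is the toolchain.
    have_go=$(printf '%s\n' "$listing" | head -n 1 | awk '{ print $NF }')
    if version_ge "$have_go" "$MIN_GO"; then
        echo "OK   toolchain $have_go >= $MIN_GO"
    else
        echo "FAIL toolchain $have_go < $MIN_GO"; rc=1
    fi
    for req in $REQUIRED; do
        mod=${req%=*}; min=${req#*=}
        have=$(dep_version "$listing" "$mod")
        if [ -z "$have" ]; then
            echo "FAIL $mod not linked into binary"; rc=1
        elif version_ge "$have" "$min"; then
            echo "OK   $mod $have >= $min"
        else
            echo "FAIL $mod $have < $min"; rc=1
        fi
    done
    return $rc
}

# Constructed listings in `go version -m` shape (real output is tab-separated, which the
# awk parsing also accepts; module hashes are placeholders, not real h1: sums).
SAMPLE_PATCHED=$(cat <<'EOF'
gnmic: go1.25.9
    path  github.com/openconfig/gnmic
    mod   github.com/openconfig/gnmic        v0.0.0-constructed  h1:placeholder
    dep   github.com/go-jose/go-jose/v4      v4.1.4              h1:placeholder
    dep   go.opentelemetry.io/otel/sdk       v1.43.0             h1:placeholder
    build -buildmode=exe
EOF
)
SAMPLE_STALE=$(cat <<'EOF'
gnmic: go1.25.8
    path  github.com/openconfig/gnmic
    mod   github.com/openconfig/gnmic        v0.0.0-constructed  h1:placeholder
    dep   go.opentelemetry.io/otel/sdk       v1.40.0             h1:placeholder
    build -buildmode=exe
EOF
)

echo "== binary built after this PR =="
audit_buildinfo "$SAMPLE_PATCHED"
echo "== binary built before this PR =="
audit_buildinfo "$SAMPLE_STALE" || echo "stale binary rejected"
```

Feeding the function real output from each tool in the image (gnmic, gnoic, grpcurl) gives a per-binary pass/fail that can gate the image build, independent of what the Dockerfile claims to install.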
7b452c3 to e60cdf2
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
wangxin approved these changes, Apr 15, 2026
auspham added a commit to auspham/sonic-buildimage that referenced this pull request, Apr 16, 2026:
Cherry-pick e60cdf2 to bring Go 1.25.9, go-jose/v4, otel/sdk, aws-sdk-go-v2/s3 upgrades and gocloud-patches to 202411 branch.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Austin Pham (agent) <austinpham@microsoft.com>
Collaborator
Cherry-pick PR to 202511: #26866
auspham added a commit to auspham/sonic-buildimage that referenced this pull request, Apr 20, 2026:
Cherry-pick e60cdf2 to bring Go 1.25.9, go-jose/v4, otel/sdk, aws-sdk-go-v2/s3 upgrades and gocloud-patches to 202411 branch.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Austin Pham (agent) <austinpham@microsoft.com>
Why I did it
Attempt to fix new docker-ptf security vulnerability as of 04/2026
This pull request updates the dockers/docker-ptf/Dockerfile.j2 to incorporate several dependency upgrades and security improvements. The main focus is on updating Go and related dependencies to address vulnerabilities and ensure compatibility with the latest features and fixes.
Dependency and version updates:
- Go version from 1.25.8 to 1.25.9 for improved stability and security.
- go.opentelemetry.io/otel/sdk dependency from version v1.40.0 to v1.43.0 for the gnmic build process.
- github.com/go-jose/go-jose/v4 dependency to version v4.1.4 in the build steps for grpcurl, gnoic, and gnmic to ensure consistent cryptography support.
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream and github.com/aws/aws-sdk-go-v2/service/s3 as dependencies for the gnmic build.
Security improvements:
- An additional OS package upgrade step that pulls in fixed packages (libpng16-16), among others.
Work item tracking
How I did it
How to verify it
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)