
[Release-v0.25.x] fix: CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186#1631

Merged
tekton-robot merged 1 commit into tektoncd:release-v0.25.x from infernus01:CVE-fix-v0.25.x
Apr 21, 2026

Conversation

@infernus01
Member

@infernus01 infernus01 commented Apr 15, 2026

Changes

  • Bump dependencies to fix CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186
  • Fix CI categorize changes job skipping build/test/e2e on large diffs (grep -q + pipefail SIGPIPE)
  • Backport HS256 → RS256 test token fix (required for cosign v2.6.0+)
  • Fix missing third arg in cosign.LoadPrivateKey call in test/clients.go

Dependency bumps

| CVE | Package | Old | New | Description |
|---|---|---|---|---|
| CVE-2026-34986 | github.com/go-jose/go-jose/v4 | v4.0.5 | v4.1.4 | JWE decryption panic (DoS) |
| CVE-2026-33211 | github.com/tektoncd/pipeline | v1.0.0 | v1.0.1 | Git resolver path traversal |
| CVE-2025-66506 | github.com/sigstore/cosign/v2 | v2.5.0 | v2.6.2 | Excessive memory allocation during token parsing |
| CVE-2026-33186 | google.golang.org/grpc | v1.71.1 | v1.80.0 | Authorization bypass via missing leading slash in :path |

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE
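The CI bullet above ("grep -q + pipefail SIGPIPE") names a failure mode worth seeing in isolation. The script below is an added example, not the Tekton CI job: `fake_diff` is a constructed stand-in for `git diff --name-only` on a large diff, and `categorize` is a hypothetical reduction of the categorize-changes logic. It shows why `producer | grep -q` under `set -o pipefail` reports "no match" once the diff is larger than the pipe buffer, and one way to make the check read the whole list.

```bash
#!/usr/bin/env bash
# Added example (not the project's CI script). Demonstrates the
# grep -q + pipefail SIGPIPE problem and a fix.
set -o pipefail

# Constructed stand-in for `git diff --name-only` on a large diff:
# one code path first, then far more lines than a 64 KiB pipe buffer holds.
fake_diff() {
  echo "pkg/apis/foo.go"
  seq 1 400000
}

# Buggy: grep -q exits at the first match and closes the pipe. The producer
# is then killed by SIGPIPE (status 141, or a write error if SIGPIPE is
# ignored), and pipefail turns that into a non-zero status for the whole
# pipeline, so the caller concludes "no code changes" and skips the tests.
buggy_has_code_changes() {
  fake_diff | grep -q '^pkg/'
}

# Fixed: collect the full list first, then match it without a pipeline.
# Only grep's own status decides. (Keeping the pipeline but dropping -q,
# e.g. `fake_diff | grep '^pkg/' >/dev/null`, also works because grep then
# reads to EOF and the producer is never cut off.)
fixed_has_code_changes() {
  local files
  files=$(fake_diff)
  grep -q '^pkg/' <<<"$files"
}

# Hypothetical reduction of a categorize-changes step: prints the decision
# the job would take for the predicate named in $1.
categorize() {
  if "$1"; then
    echo "run-tests"
  else
    echo "skip-tests"
  fi
}

echo "buggy: $(categorize buggy_has_code_changes)"   # skip-tests (wrong)
echo "fixed: $(categorize fixed_has_code_changes)"   # run-tests
```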

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 15, 2026
@anithapriyanatarajan
Contributor

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneuous one. label Apr 20, 2026
@infernus01 infernus01 force-pushed the CVE-fix-v0.25.x branch 2 times, most recently from 02ae087 to b12a237 on April 20, 2026 11:27
@anithapriyanatarajan
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2026
@infernus01 infernus01 closed this Apr 20, 2026
@infernus01 infernus01 reopened this Apr 20, 2026
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2026
@infernus01 infernus01 force-pushed the CVE-fix-v0.25.x branch 4 times, most recently from 57c8358 to cce6e67 on April 21, 2026 07:38
@anithapriyanatarajan
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 21, 2026
@anithapriyanatarajan anithapriyanatarajan added the kind/security Categorizes issue or PR as related to a security issue label Apr 21, 2026
@vdemeester
Member

@infernus01 can you add the dependency bumps in the commit message at least?

  Dependency bumps:
  - github.com/go-jose/go-jose/v4: v4.0.5 → v4.1.4 (CVE-2026-34986, JWE decryption panic)
  - github.com/tektoncd/pipeline: v1.0.0 → v1.0.1 (CVE-2026-33211, git resolver path traversal)
  - github.com/sigstore/cosign/v2: v2.5.0 → v2.6.2 (CVE-2025-66506, excessive memory allocation)
  - google.golang.org/grpc: v1.71.1 → v1.80.0 (CVE-2026-33186, authz bypass via missing leading slash)

Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 21, 2026
@jkhelil
Member

jkhelil commented Apr 21, 2026

/approve

@anithapriyanatarajan
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 21, 2026
@vdemeester vdemeester added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 21, 2026
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: jkhelil, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

@tekton-robot tekton-robot merged commit d45ad41 into tektoncd:release-v0.25.x Apr 21, 2026
15 checks passed