Skip to content

security: Go 1.25.12 + cilium/xz patch bumps (4 of 10 fixable CVEs)#295

Merged
blue4209211 merged 1 commit into
mainfrom
security/go-1.25.12-dep-bumps
Jul 17, 2026
Merged

security: Go 1.25.12 + cilium/xz patch bumps (4 of 10 fixable CVEs)#295
blue4209211 merged 1 commit into
mainfrom
security/go-1.25.12-dep-bumps

Conversation

@mayankpande88

@mayankpande88 mayankpande88 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Description

Trivy on ghcr.io/nudgebee/node-agent:0.1.3 (CI scan run nudgebee/nudgebee 29551177314) shows 0/4/6 fixable in the agent binary. This PR clears the bump-safe set:

Fix CVEs cleared
GO_VERSION 1.25.11 → 1.25.12 CVE-2026-39822 (HIGH, os.Root symlink traversal), CVE-2026-42505
cilium/ciliumv1.17.16 (a listed fixed version on the 1.17 line) 1 MEDIUM
ulikunitz/xzv0.5.15 1 MEDIUM

Not cleared — each is a migration, not a bump (verified, not assumed)

  • prometheus/prometheus (4 CVEs; fixes ≥0.305.2/0.311.3): those releases require client-go ≥0.35, which cilium 1.17 cannot compile against (RetryOnError removed from cache.Config) — and cilium 1.18/1.19 removed pkg/maps/lbmap, which containers/cilium.go uses to parse the host's cilium BPF maps. Bumping the lib types risks misreading maps of older deployed ciliums, so this needs a deliberate lbmap-parsing migration with host-version compatibility analysis. (Attempted the full cascade: prometheus 0.311 + apiextensions 0.35 + cilium 1.19 → pkg/maps/lbmap import breaks; details reproducible from the attempt logs.)
  • docker/docker (CVE-2026-34040 HIGH / CVE-2026-33997): fix is 29.3.1, but moby has no v29 tags on the github.com/docker/docker import path — v29 ships as the split github.com/moby/moby/* modules; needs an import-path migration.

Residual image posture after this: the prometheus 4 + docker 2 (migrations above) + the UBI9 NOFIX floor (0/16/85, no upstream fix; shrinks via the existing microdnf update layer).

How Has This Been Tested?

  • go build ./... + go vet ./... clean in the Dockerfile's exact builder environment (debian:bullseye, libsystemd-dev, CGO_ENABLED=1, Go 1.25.12)
  • go.sum tidied on linux — the previous CI failure was a darwin-side tidy pruning linux-only entries

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Go builder version in the Dockerfile from 1.25.11 to 1.25.12 and upgrades several direct and indirect dependencies in go.mod and go.sum, including packages from Cilium, Docker, Prometheus, and Kubernetes. I have no feedback to provide as there are no review comments to assess.

Trivy on ghcr.io/nudgebee/node-agent:0.1.3 shows 0/4/6 fixable in the agent
binary. This clears the bump-safe set:
- GO_VERSION 1.25.11 -> 1.25.12: CVE-2026-39822 (HIGH, os.Root symlink
  traversal) + CVE-2026-42505 (crypto/tls ECH)
- github.com/cilium/cilium v1.17.15 -> v1.17.16 (1 MEDIUM; a listed fixed
  version on the 1.17 line)
- github.com/ulikunitz/xz v0.5.14 -> v0.5.15 (1 MEDIUM)

NOT cleared — each needs a migration, not a bump:
- prometheus/prometheus (4 CVEs, fix >=0.305/0.311): those releases require
  client-go >=0.35, which cilium 1.17 cannot compile against (RetryOnError
  removed from cache.Config), and cilium 1.18/1.19 removed pkg/maps/lbmap that
  containers/cilium.go uses to parse the HOST's cilium BPF maps — bumping the
  lib types risks misreading maps of older deployed ciliums. Needs a deliberate
  lbmap-parsing migration with host-version compat analysis.
- docker/docker (CVE-2026-34040 HIGH / CVE-2026-33997): fix is 29.3.1, but moby
  has no v29 tags on the github.com/docker/docker import path — v29 ships as
  the split github.com/moby/moby/* modules; needs an import migration.

Verified in the Dockerfile's exact builder environment (debian:bullseye +
libsystemd-dev, CGO_ENABLED=1, Go 1.25.12): go build ./... and go vet ./...
clean (go.sum tidied on linux — a darwin tidy prunes linux-only entries and
breaks CI).
@mayankpande88
mayankpande88 force-pushed the security/go-1.25.12-dep-bumps branch from 27f3400 to f2b520e Compare July 17, 2026 04:40
@mayankpande88 mayankpande88 changed the title security: Go 1.25.12 + prometheus/cilium/xz bumps (8 of 10 fixable CVEs) security: Go 1.25.12 + cilium/xz patch bumps (4 of 10 fixable CVEs) Jul 17, 2026
@blue4209211
blue4209211 merged commit 829a43f into main Jul 17, 2026
7 checks passed
@blue4209211
blue4209211 deleted the security/go-1.25.12-dep-bumps branch July 17, 2026 04:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants