Skip to content

fix multiple cve's#35

Open
weshayutin wants to merge 1 commit into
oadp-1.5from
oadp15cve
Open

fix multiple cve's#35
weshayutin wants to merge 1 commit into
oadp-1.5from
oadp15cve

Conversation

@weshayutin

Copy link
Copy Markdown

Update the following dependencies to remediate security vulnerabilities:

  • github.com/go-jose/go-jose/v4: v4.1.3 → v4.1.4
  • github.com/golang-jwt/jwt/v4: v4.5.1 → v4.5.2
  • github.com/golang-jwt/jwt/v5: v5.2.1 → v5.2.2
  • go.opentelemetry.io/otel/sdk: v1.42.0 → v1.43.0
    • CVE-2026-39883: Arbitrary code execution via PATH hijacking on BSD/Solaris
  • golang.org/x/crypto: v0.49.0 → v0.52.0
  • golang.org/x/net: v0.52.0 → v0.55.0
    • CVE-2026-25681: Arbitrary code execution via Cross-Site Scripting in html
    • CVE-2026-27136: XSS via html Render
    • CVE-2026-33814: DoS via malformed SETTINGS_MAX_FRAME_SIZE frame (HTTP/2)
    • CVE-2026-39821: Privilege escalation via incorrect Punycode label processing
    • CVE-2026-42502: XSS via html Render

Update the following dependencies to remediate security vulnerabilities:
- github.com/go-jose/go-jose/v4: v4.1.3 → v4.1.4
  - CVE-2026-34986: Denial of Service via crafted JSON Web Encryption
- github.com/golang-jwt/jwt/v4: v4.5.1 → v4.5.2
- github.com/golang-jwt/jwt/v5: v5.2.1 → v5.2.2
  - CVE-2025-30204: Excessive memory allocation during header parsing
- go.opentelemetry.io/otel/sdk: v1.42.0 → v1.43.0
  - CVE-2026-39883: Arbitrary code execution via PATH hijacking on BSD/Solaris
- golang.org/x/crypto: v0.49.0 → v0.52.0
  - CVE-2026-39827: SSH channel resource exhaustion
  - CVE-2026-39828: Unauthorized command execution via discarded SSH permissions
  - CVE-2026-39829: DoS via crafted public key with excessive parameters
  - CVE-2026-39830: DoS via resource leak from unsolicited SSH responses
  - CVE-2026-39832: Security bypass due to improper handling of key restrictions
  - CVE-2026-39835: DoS via crafted SSH certificate
  - CVE-2026-42508: Revocation bypass via unchecked SignatureKey
  - CVE-2026-46595: Authorization bypass due to skipped source-address validation
  - CVE-2026-46597: Server-side panic via incorrectly placed cast
- golang.org/x/net: v0.52.0 → v0.55.0
  - CVE-2026-25681: Arbitrary code execution via Cross-Site Scripting in html
  - CVE-2026-27136: XSS via html Render
  - CVE-2026-33814: DoS via malformed SETTINGS_MAX_FRAME_SIZE frame (HTTP/2)
  - CVE-2026-39821: Privilege escalation via incorrect Punycode label processing
  - CVE-2026-42502: XSS via html Render

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
@openshift-ci openshift-ci Bot requested review from kaovilai and sseago July 3, 2026 00:10
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9160b173-36fd-4bbb-b111-348d9c69e1fc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch oadp15cve

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 3, 2026
@oadp-snyk

oadp-snyk commented Jul 3, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants