[release-1.34] Fix CVEs: debian-base bookworm-v1.0.8 and prometheus/prometheus v0.311.3#1309
Open
hakman wants to merge 2 commits into
Open
[release-1.34] Fix CVEs: debian-base bookworm-v1.0.8 and prometheus/prometheus v0.311.3#1309hakman wants to merge 2 commits into
hakman wants to merge 2 commits into
Conversation
Bumps build-image/debian-base from bookworm-v1.0.7 to bookworm-v1.0.8. --- updated-dependencies: - dependency-name: build-image/debian-base dependency-version: bookworm-v1.0.8 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 1d01ffa)
Member
Author
Member
Author
|
/retest |
1 similar comment
Member
Author
|
/retest |
upodroid
approved these changes
Jul 11, 2026
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman, upodroid The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Contributor
|
New changes are detected. LGTM label has been removed. |
Member
Author
|
prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, so the k8s.io modules are pinned back to v0.34.1 via |
1a6a21f to
da25db2
Compare
The bump to v0.311.3 from commit 98e831b ("Fix Grype CVEs: update logrus and prometheus/prometheus") was unintentionally reverted to v0.35.0 by the go.mod conflict resolution in commit f844870 ("Run go mod tidy and adapt to prometheus/common v0.67 API"). Re-apply it to fix CVE-2026-42154 (High), CVE-2026-40179 and CVE-2026-44903 (Medium). prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, which would drag the k8s.io modules past the v0.34 line this branch must stay on. Pin k8s.io/api, k8s.io/apimachinery and k8s.io/client-go back to v0.34.1 with replace directives in both the root and test modules, so the built binaries keep using v0.34.1 (the replacement is also what gets recorded in the binary build info). The only prometheus/prometheus package linked into the NPD binaries is model/value, so none of the k8s-facing prometheus code is compiled.
da25db2 to
6097eab
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the actionable CVEs found by Trivy / Docker Scout scans of the
release-1.34post-submit image (gcr.io/k8s-staging-npd/node-problem-detector:release-1.34).1. Cherry-pick the debian-base bump to bookworm-v1.0.8 from master — all fixable OS-level CRITICAL/HIGH findings come from
bookworm-v1.0.7:2. Re-bump github.com/prometheus/prometheus to v0.311.3 — the bump from 98e831b ("Fix Grype CVEs") was unintentionally reverted back to v0.35.0 by the go.mod conflict resolution in f844870, reintroducing CVE-2026-42154 (High), CVE-2026-40179 and CVE-2026-44903 (Medium). release-1.35 and master already ship v0.311.3.
prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, so the k8s.io modules are pinned back to v0.34.1 via
replacedirectives (allow-listed for the gomoddirectives linter). The pinned versions are what the binaries are built with and what gets recorded in their build info.