Skip to content

[release-0.8] Bump Go to 1.26.5, golang.org/x modules, prometheus/prometheus and debian-base to fix CVEs#1310

Closed
hakman wants to merge 5 commits into
kubernetes:release-0.8from
hakman:security-fixes-release-0.8
Closed

[release-0.8] Bump Go to 1.26.5, golang.org/x modules, prometheus/prometheus and debian-base to fix CVEs#1310
hakman wants to merge 5 commits into
kubernetes:release-0.8from
hakman:security-fixes-release-0.8

Conversation

@hakman

@hakman hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member

Fixes the actionable CVEs found by Trivy / Docker Scout scans of the release-0.8 post-submit image (gcr.io/k8s-staging-npd/node-problem-detector:release-0.8), which currently flags 9 CRITICAL / 25 HIGH findings. This brings release-0.8 in line with what release-1.34/release-1.35 received via #1300 / #1301 and master via #1299.

1. Cherry-picks of the e2e test fixes (test: pull node e2e image from the community staging registry, test: deploy NPD for cluster e2e) — needed for the cluster e2e presubmits to pass on this branch, same as included in #1300 / #1301.

2. Bump Go to 1.26.5 and golang.org/x modules (mirror of #1299):

3. Bump github.com/prometheus/prometheus v0.35.0 → v0.311.3: CVE-2026-42154 (High), CVE-2026-40179, CVE-2026-44903 (Medium). release-1.35 and master already ship v0.311.3.

4. Cherry-pick the debian-base bump to bookworm-v1.0.8 from master (dependabot): fixes gnutls CVE-2026-33845 / CVE-2026-42010 (CRITICAL) + 6 HIGH, glibc CVE-2026-0861 / CVE-2026-4046 / CVE-2026-0915 / CVE-2025-15281 (HIGH) and libcap2 CVE-2026-4878 (HIGH).

go build, go vet and unit tests pass for both the root and test/ modules.

Update Go to 1.26.5, golang.org/x modules, github.com/prometheus/prometheus to v0.311.3 and base image to debian-base:bookworm-v1.0.8 to fix CVEs

hakman and others added 5 commits July 11, 2026 10:25
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
(cherry picked from commit d17860d)
Fixes CVE-2026-42154 (High), CVE-2026-40179 and CVE-2026-44903
(Medium). release-1.35 and master already ship v0.311.3.
Bumps build-image/debian-base from bookworm-v1.0.7 to bookworm-v1.0.8.

---
updated-dependencies:
- dependency-name: build-image/debian-base
  dependency-version: bookworm-v1.0.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 1d01ffa)
@kubernetes-prow kubernetes-prow Bot added this to the v0.8 milestone Jul 11, 2026
@kubernetes-prow kubernetes-prow Bot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 11, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 11, 2026
@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

/retest

@kubernetes-prow

Copy link
Copy Markdown
Contributor

@hakman: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-npd-e2e-test a339766 link true /test pull-npd-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

/close

@kubernetes-prow kubernetes-prow Bot closed this Jul 11, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

@hakman: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hakman hakman deleted the security-fixes-release-0.8 branch July 11, 2026 09:50
@hakman

hakman commented Jul 11, 2026

Copy link
Copy Markdown
Member Author

Follow-up pushed: prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, which dragged the k8s.io modules past the v0.33 line this branch must stay on. The k8s.io/{api,apimachinery,client-go} modules are now pinned back to v0.33.3 via replace directives (root and test modules); kube-openapi and gnostic-models are pinned to their previous versions as well since the newer ones are incompatible with apimachinery v0.33.3 (structured-merge-diff v4 vs v6, gopkg.in/yaml.v3 vs go.yaml.in/yaml/v3). The replacement versions are what gets recorded in the binary build info, i.e. what image scanners see.

The only prometheus/prometheus package linked into the NPD binaries is model/value (via the OpenCensus Stackdriver exporter), so none of the k8s-facing prometheus code is compiled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant