[release-0.8] Bump Go to 1.26.5, golang.org/x modules, prometheus/prometheus and debian-base to fix CVEs#1310
Conversation
(cherry picked from commit 966ba02)
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev> (cherry picked from commit d17860d)
Fixes CVE-2026-42154 (High), CVE-2026-40179 and CVE-2026-44903 (Medium). release-1.35 and master already ship v0.311.3.
Bumps build-image/debian-base from bookworm-v1.0.7 to bookworm-v1.0.8. --- updated-dependencies: - dependency-name: build-image/debian-base dependency-version: bookworm-v1.0.8 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 1d01ffa)
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
@hakman: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/close |
|
@hakman: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Follow-up pushed: prometheus/prometheus v0.311.3 requires k8s.io/client-go v0.35.x, which dragged the k8s.io modules past the v0.33 line this branch must stay on. The k8s.io/{api,apimachinery,client-go} modules are now pinned back to v0.33.3 via The only prometheus/prometheus package linked into the NPD binaries is |
Fixes the actionable CVEs found by Trivy / Docker Scout scans of the
release-0.8post-submit image (gcr.io/k8s-staging-npd/node-problem-detector:release-0.8), which currently flags 9 CRITICAL / 25 HIGH findings. This brings release-0.8 in line with what release-1.34/release-1.35 received via #1300 / #1301 and master via #1299.1. Cherry-picks of the e2e test fixes (
test: pull node e2e image from the community staging registry,test: deploy NPD for cluster e2e) — needed for the cluster e2e presubmits to pass on this branch, same as included in #1300 / #1301.2. Bump Go to 1.26.5 and golang.org/x modules (mirror of #1299):
3. Bump github.com/prometheus/prometheus v0.35.0 → v0.311.3: CVE-2026-42154 (High), CVE-2026-40179, CVE-2026-44903 (Medium). release-1.35 and master already ship v0.311.3.
4. Cherry-pick the debian-base bump to bookworm-v1.0.8 from master (dependabot): fixes gnutls CVE-2026-33845 / CVE-2026-42010 (CRITICAL) + 6 HIGH, glibc CVE-2026-0861 / CVE-2026-4046 / CVE-2026-0915 / CVE-2025-15281 (HIGH) and libcap2 CVE-2026-4878 (HIGH).
go build,go vetand unit tests pass for both the root andtest/modules.