fix: CVE-2025-61726 - upgrade go version to >1.25.5 #2745

Open

infernus01 wants to merge 1 commit into tektoncd:release-v0.37.3 from infernus01:CVE-2025-61726-v0.37.3

Conversation

@infernus01 (Member)

Changes

The scope of this fix is to address CVE-2025-61726 by upgrading the Go version to above 1.25.5.

/kind bug

Submitter Checklist

These are the criteria that every PR should meet; please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Run the code checkers with make check
  • Regenerate the manpages, docs and go formatting with make generated
  • Commit messages follow commit message best practices

See the contribution guide
for more details.

Release Notes
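
The PR description above states the intent (pin a Go toolchain newer than 1.25.5) but not how a reviewer or release engineer would confirm that a branch actually selects such a toolchain. The following is an added example, not code from this PR or from the tektoncd project: a stand-alone Go program that parses a go.mod, works out which toolchain it selects (the `toolchain` directive when present, otherwise the `go` directive, i.e. GOTOOLCHAIN=auto semantics), and compares that against a minimum. The two go.mod texts are constructed samples, and the minimum of 1.25.6 is an assumption taken from the PR's "above 1.25.5" wording, not from the Go advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// goVersionRE accepts the forms seen in go.mod directives and `go version` output
// once a leading "go" has been stripped: 1.25, 1.25.5, 1.26rc1, 1.26beta1.
var goVersionRE = regexp.MustCompile(`^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$`)

// goVersion is a parsed release; pre is 0 for a final release and negative for
// beta/rc builds so that a pre-release sorts before the release it precedes.
type goVersion struct{ major, minor, patch, pre int }

func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	v.patch, _ = strconv.Atoi(m[3]) // "" parses as 0: a bare "1.25" is treated as 1.25.0 (simplification)
	if m[4] != "" {
		n, _ := strconv.Atoi(m[5])
		if m[4] == "beta" {
			v.pre = -2000 + n // betas rank below release candidates, both below the release
		} else {
			v.pre = -1000 + n
		}
	}
	return v, nil
}

// CompareGoVersions returns -1, 0 or 1 as a is older than, equal to or newer than b.
func CompareGoVersions(a, b string) (int, error) {
	va, err := parseGoVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseGoVersion(b)
	if err != nil {
		return 0, err
	}
	pairs := [][2]int{{va.major, vb.major}, {va.minor, vb.minor}, {va.patch, vb.patch}, {va.pre, vb.pre}}
	for _, p := range pairs {
		if p[0] < p[1] {
			return -1, nil
		}
		if p[0] > p[1] {
			return 1, nil
		}
	}
	return 0, nil
}

// EffectiveToolchain returns the toolchain version a go.mod selects.
// Assumption: GOTOOLCHAIN=auto semantics, where a `toolchain` directive (other than
// "default") overrides the `go` directive. A newer locally installed Go may still be
// chosen, so this is the lower bound on what the module is built with.
func EffectiveToolchain(gomod string) (string, error) {
	var goDir, toolchainDir string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "go":
			goDir = f[1]
		case "toolchain":
			toolchainDir = f[1]
		}
	}
	if goDir == "" {
		return "", fmt.Errorf("go.mod has no go directive")
	}
	if toolchainDir == "" || toolchainDir == "default" {
		return goDir, nil
	}
	return toolchainDir, nil
}

// MeetsMinimum reports whether the toolchain selected by gomod is at least minimum,
// and returns the selected version so a CI job can log it.
func MeetsMinimum(gomod, minimum string) (bool, string, error) {
	eff, err := EffectiveToolchain(gomod)
	if err != nil {
		return false, "", err
	}
	c, err := CompareGoVersions(eff, minimum)
	return c >= 0, eff, err
}

// Constructed samples for this example, not the project's real go.mod files.
const (
	beforeGoMod = "module example.com/cli\n\ngo 1.24.0\n\nrequire github.com/spf13/cobra v1.8.0\n"
	afterGoMod  = "module example.com/cli\n\ngo 1.25.0\n\ntoolchain go1.25.6\n\nrequire github.com/spf13/cobra v1.8.0\n"
)

func main() {
	// Assumed threshold: the PR asks for a Go version above 1.25.5, so 1.25.6 is used
	// here; take the exact fixed version from the Go advisory for the CVE.
	const minimum = "1.25.6"
	for name, mod := range map[string]string{"before": beforeGoMod, "after": afterGoMod} {
		ok, eff, err := MeetsMinimum(mod, minimum)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: selects %s, minimum %s satisfied: %v\n", name, eff, minimum, ok)
	}
}
```

Two caveats belong next to a check like this. First, a go.mod bump only pulls a newer compiler when GOTOOLCHAIN is auto (the default); a builder image running with GOTOOLCHAIN=local keeps compiling with whatever Go it has installed, so the CI and release images need the same bump. Second, the artifact is what ships: `go version -m <binary>` prints the toolchain that built it, and `govulncheck -mode=binary <binary>` reports standard-library vulnerabilities against that exact version, which is the evidence to attach to the release rather than the go.mod diff alone.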

tekton-robot added the release-note (Denotes a PR that will be considered when it comes time to generate release notes) and kind/bug (Categorizes issue or PR as related to a bug) labels Feb 25, 2026
tekton-robot added the size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) label Feb 25, 2026
@chmouel (Member) commented Feb 25, 2026

Is there no `make vendor` or something to be done here as well?

@infernus01 (Member, Author)

I did that: `go mod tidy`, then `go mod vendor`, but got nothing from them.

@chmouel (Member) commented Feb 25, 2026

/lgtm

tekton-robot added the lgtm (Indicates that a PR is ready to be merged) label Feb 25, 2026
@chmouel (Member) commented Feb 25, 2026

/ok-to-test

infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 4de15ec to 764ee41 on February 26, 2026 07:03
tekton-robot removed the lgtm (Indicates that a PR is ready to be merged) label Feb 26, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 764ee41 to 76f8604 on February 26, 2026 07:05
tekton-robot added the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) label and removed the size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) label Feb 26, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 76f8604 to 9e24aca on February 26, 2026 07:08
tekton-robot added the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) label and removed the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) label Feb 26, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch 8 times, most recently from 72ccd68 to 27b4793 on February 26, 2026 07:54
tekton-robot added the size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) label and removed the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) label Feb 26, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 27b4793 to 072c676 on February 26, 2026 08:01
tekton-robot added the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) label and removed the size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) label Feb 26, 2026
@pratap0007 (Contributor)

/lgtm
/approve

tekton-robot added the lgtm (Indicates that a PR is ready to be merged) label Feb 26, 2026
@tekton-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pratap0007
To complete the pull request process, please ask for approval from chmouel after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aThorp96 (Member) commented Mar 2, 2026

Instead of removing the `ci.yaml` file entirely, can we remove or fix it in a separate PR?

The lint job failed because the new Go version is incompatible with the golangci-lint version we use. I believe we should be able to fix this by setting the `golangci-version` to `v2.9.0`.

The test job failed because the Make target doesn't exist. It looks like if we just add this change to the Makefile it may work as intended: e1f53b9#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52

infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 072c676 to 76432c7 on March 3, 2026 05:06
@tekton-robot (Contributor)

New changes are detected. LGTM label has been removed.

tekton-robot added the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) label and removed the lgtm (Indicates that a PR is ready to be merged) and size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) labels Mar 3, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch 2 times, most recently from 73d0632 to 98608c1 on March 3, 2026 05:25
@infernus01 (Member, Author)

Also, the `ci.yaml` on the branch `release-v0.37.3` references `./.github/workflows/e2e-matrix.yml` as a reusable workflow, but that file was never backported from `main` to this release branch. And when GitHub Actions can't resolve a reusable workflow reference, it fails the entire workflow at the setup phase, so none of the jobs (build, lint, test) even start.

infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from 98608c1 to eb1eda2 on March 3, 2026 05:31
tekton-robot added the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) label and removed the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) label Mar 3, 2026
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch 2 times, most recently from 5c5a9c2 to f715f50 on March 3, 2026 05:53
tekton-robot added the size/XL (Denotes a PR that changes 500-999 lines, ignoring generated files) label and removed the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) label Mar 3, 2026
Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
infernus01 force-pushed the CVE-2025-61726-v0.37.3 branch from f715f50 to 222de96 on March 3, 2026 05:59