Skip to content

[CP 1599] fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822#602

Merged
spraveenio merged 3 commits into
ROCm:mainfrom
ci-penbot-01:CP.O2O.pensando.gpu-operator.1599.rocm.gpu-operator.main
Jul 14, 2026
Merged

[CP 1599] fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822#602
spraveenio merged 3 commits into
ROCm:mainfrom
ci-penbot-01:CP.O2O.pensando.gpu-operator.1599.rocm.gpu-operator.main

Conversation

@ci-penbot-01

Copy link
Copy Markdown
Contributor

cp of pensando/gpu-operator#1599


Source PR Description (pensando/gpu-operator#1599):

Summary

  • Bump Go from 1.26.4 to 1.26.5 across all build files to fix CVE-2026-39822 (HIGH — os.Root symlink following vulnerability allows directory traversal)
  • Updated: go.mod, Dockerfile, Dockerfile.build, Makefile, dev.env
  • Build container bumped from v1.6v1.7 and pushed to registry.test.pensando.io:5000/gpu-operator-build:v1.7

CVE Details

CVE Severity Package Fixed In
CVE-2026-39822 HIGH Go stdlib (os package) Go 1.26.5

Test plan

  • Verify go build ./... compiles cleanly
  • Verify gpu-operator-build:v1.7 image exists in pensando registry with Go 1.26.5
  • Run trivy scan on rebuilt operator image to confirm CVE-2026-39822 is resolved
  • Sanity tests pass with new build container

Cherrypick triggered by: ACP-Automation

* fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822

Go 1.26.5 fixes CVE-2026-39822 (HIGH) — os.Root symlink following
vulnerability allows directory traversal.

Updated in: go.mod, Dockerfile, Dockerfile.build, Makefile, dev.env.
Build container bumped from v1.6 → v1.7 and pushed to pensando registry.

* docs: add plan file for Go 1.26.5 CVE remediation PR

(cherry picked from commit 618db42d66085a36f839398eb96d54a01064dd58)
@ci-penbot-01

Copy link
Copy Markdown
Contributor Author

AI-Assisted Cherry-Pick

Source PR: #1599
Target Branch: main

The cherry-pick operation encountered merge conflicts which were resolved automatically using AI assistance.

Files with conflicts (resolved by AI):

  • dev.env:1-29
Original conflict in dev.env
<<<<<<< HEAD (deleted)
=======
GOFLAGS = "-mod=mod"
DOCKER_REGISTRY ?= registry.test.pensando.io:5000
BUILD_BASE_IMG = registry.test.pensando.io:5000/ubuntu:22.04
GOLANG_BASE_IMG = registry.test.pensando.io:5000/golang:1.26.5
INSECURE_REGISTRY = registry.test.pensando.io:5000

E2E_INIT_CONTAINER_IMAGE = registry.test.pensando.io:5000/busybox:1.36
E2E_KUBE_RBAC_PROXY_CURL_IMAGE = registry.test.pensando.io:5000/curl:7.78.0
E2E_UBUNTU_BASE_IMAGE = registry.test.pensando.io:5000/ubuntu
E2E_MINIO_IMAGE = registry.test.pensando.io:5000/minio/minio:latest
E2E_EXPORTER_MOCK_IMAGE = registry.test.pensando.io:5000/device-metrics-exporter/exporter-mock:v1
E2E_EXPORTER_MOCK_IMAGE_2 = registry.test.pensando.io:5000/device-metrics-exporter/exporter-mock:v2
E2E_EXPORTER_IMAGE = registry.test.pensando.io:5000/device-metrics-exporter:latest
E2E_DEVICE_PLUGIN_IMAGE = registry.test.pensando.io:5000/device-plugin-partition:v8
E2E_NODE_LABELLER_IMAGE = registry.test.pensando.io:5000/node-labeller-partition:v8
E2E_DEVICE_PLUGIN_IMAGE_2 = registry.test.pensando.io:5000/device-plugin-partition:v7
E2E_NODE_LABELLER_IMAGE_2 = registry.test.pensando.io:5000/node-labeller-partition:v7
E2E_TEST_RUNNER_IMAGE = registry.test.pensando.io:5000/test-runner/test-runner:latest
E2E_AGFHC_TEST_RUNNER_IMAGE = registry.test.pensando.io:5000/test-runner:collab-agfhc
E2E_DCM_IMAGE = registry.test.pensando.io:5000/device-config-manager:v1
E2E_KUBEVIRT_DEVICE_PLUGIN_IMAGE ?= registry.test.pensando.io:5000/k8s-device-plugin:kubevirt
E2E_KUBEVIRT_NODE_LABELLER_IMAGE ?= registry.test.pensando.io:5000/k8s-node-labeller:kubevirt

E2E_KMM_TAG ?= e2e-gpuop-main
E2E_DRIVER_IMAGE_REPO ?= registry.test.pensando.io:5000/e2e
E2E_NODEAPP_IMG ?= registry.test.pensando.io:5000/nodeapp:dev
E2E_NODE_DIAG_IMAGE ?= registry.test.pensando.io:5000/busybox:1.36
E2E_UTILS_CONTAINER_IMAGE ?= registry.test.pensando.io:5000/gpu-operator-utils:latest
E2E_ANR_CONFIGMAP_IMAGE ?= registry.test.pensando.io:5000/amd-gpu-operator-remediation-config-utils:latest
>>>>>>> 618db42d (fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822 (#1599))

Cherry-pick triggered by: ACP-Automation

@spraveenio spraveenio left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

@spraveenio spraveenio merged commit a3698b8 into ROCm:main Jul 14, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants