[CP 1599] fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822#602
Merged
spraveenio merged 3 commits intoJul 14, 2026
Conversation
* fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822 Go 1.26.5 fixes CVE-2026-39822 (HIGH) — os.Root symlink following vulnerability allows directory traversal. Updated in: go.mod, Dockerfile, Dockerfile.build, Makefile, dev.env. Build container bumped from v1.6 → v1.7 and pushed to pensando registry. * docs: add plan file for Go 1.26.5 CVE remediation PR (cherry picked from commit 618db42d66085a36f839398eb96d54a01064dd58)
Contributor
Author
AI-Assisted Cherry-PickSource PR: #1599 The cherry-pick operation encountered merge conflicts which were resolved automatically using AI assistance. Files with conflicts (resolved by AI):
Original conflict in dev.env<<<<<<< HEAD (deleted)
=======
GOFLAGS = "-mod=mod"
DOCKER_REGISTRY ?= registry.test.pensando.io:5000
BUILD_BASE_IMG = registry.test.pensando.io:5000/ubuntu:22.04
GOLANG_BASE_IMG = registry.test.pensando.io:5000/golang:1.26.5
INSECURE_REGISTRY = registry.test.pensando.io:5000
E2E_INIT_CONTAINER_IMAGE = registry.test.pensando.io:5000/busybox:1.36
E2E_KUBE_RBAC_PROXY_CURL_IMAGE = registry.test.pensando.io:5000/curl:7.78.0
E2E_UBUNTU_BASE_IMAGE = registry.test.pensando.io:5000/ubuntu
E2E_MINIO_IMAGE = registry.test.pensando.io:5000/minio/minio:latest
E2E_EXPORTER_MOCK_IMAGE = registry.test.pensando.io:5000/device-metrics-exporter/exporter-mock:v1
E2E_EXPORTER_MOCK_IMAGE_2 = registry.test.pensando.io:5000/device-metrics-exporter/exporter-mock:v2
E2E_EXPORTER_IMAGE = registry.test.pensando.io:5000/device-metrics-exporter:latest
E2E_DEVICE_PLUGIN_IMAGE = registry.test.pensando.io:5000/device-plugin-partition:v8
E2E_NODE_LABELLER_IMAGE = registry.test.pensando.io:5000/node-labeller-partition:v8
E2E_DEVICE_PLUGIN_IMAGE_2 = registry.test.pensando.io:5000/device-plugin-partition:v7
E2E_NODE_LABELLER_IMAGE_2 = registry.test.pensando.io:5000/node-labeller-partition:v7
E2E_TEST_RUNNER_IMAGE = registry.test.pensando.io:5000/test-runner/test-runner:latest
E2E_AGFHC_TEST_RUNNER_IMAGE = registry.test.pensando.io:5000/test-runner:collab-agfhc
E2E_DCM_IMAGE = registry.test.pensando.io:5000/device-config-manager:v1
E2E_KUBEVIRT_DEVICE_PLUGIN_IMAGE ?= registry.test.pensando.io:5000/k8s-device-plugin:kubevirt
E2E_KUBEVIRT_NODE_LABELLER_IMAGE ?= registry.test.pensando.io:5000/k8s-node-labeller:kubevirt
E2E_KMM_TAG ?= e2e-gpuop-main
E2E_DRIVER_IMAGE_REPO ?= registry.test.pensando.io:5000/e2e
E2E_NODEAPP_IMG ?= registry.test.pensando.io:5000/nodeapp:dev
E2E_NODE_DIAG_IMAGE ?= registry.test.pensando.io:5000/busybox:1.36
E2E_UTILS_CONTAINER_IMAGE ?= registry.test.pensando.io:5000/gpu-operator-utils:latest
E2E_ANR_CONFIGMAP_IMAGE ?= registry.test.pensando.io:5000/amd-gpu-operator-remediation-config-utils:latest
>>>>>>> 618db42d (fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822 (#1599))Cherry-pick triggered by: ACP-Automation |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
cp of pensando/gpu-operator#1599
Source PR Description (pensando/gpu-operator#1599):
Summary
os.Rootsymlink following vulnerability allows directory traversal)go.mod,Dockerfile,Dockerfile.build,Makefile,dev.envv1.6→v1.7and pushed toregistry.test.pensando.io:5000/gpu-operator-build:v1.7CVE Details
ospackage)Test plan
go build ./...compiles cleanlygpu-operator-build:v1.7image exists in pensando registry with Go 1.26.5Cherrypick triggered by: ACP-Automation