OCPBUGS-79906,OCPBUGS-87895: Fix CVE-2026-33186 with openshift-sustaining/grpc-go v1.64.1-sec.1 [release-4.15]#1325
Conversation
openshift-ci-robot
added
jira/severity-important
|
@rissh: This pull request references Jira Issue OCPBUGS-79906, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-87895, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Note on sustaining grpc version (Go 1.20 / v1.64.1-sec.1)
|
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: perdasilva, rissh The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
@rissh: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3 participants
PR description
This change addresses CVE-2026-33186 / GHSA-p77j-4mvh-x3m3 / GO-2026-4762 in product Go modules for release-4.15 and refreshes the root
vendor/tree accordingly.release-4.15 builds with Go 1.20 (see
.ci-operator.yaml). Upstreamgoogle.golang.org/grpcv1.79.3 requires Go 1.24, so this PR uses the OpenShift sustaining backport v1.64.1-sec.1. There is no Go 1.20-specific sustaining tag; v1.64.1-sec.1 (Go 1.19 backport) is the approved choice for Go 1.20 product lines per sustaining team guidance.Unlike release-4.17+, this branch had no existing grpc
replace(baseline vendored grpc was v1.60.1). This PR adds:replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.64.1-sec.1in the root
go.modandstaging/operator-lifecycle-manager/go.mod, so the effective vendored grpc is patched.Scope matches release-4.16/4.17/4.18/4.19 workflow: product modules +
vendor/only (notests-extensionon this branch). No source changes; existingConn.Connect()mitigation in OLM catalog grpc client remains unchanged.Reference links
Test plan
go list -m google.golang.org/grpc→v1.62.1 => github.com/openshift-sustaining/grpc-go v1.64.1-sec.1v1.60.1invendor/modules.txtgo test ./pkg/controller/registry/grpc/...(OLM)go mod verifygo build -mod=vendorforcmd/olmandcmd/cataloge2e-gcp-olm)