chore(core): cve mitigation 11-05-2026 (#2340)

LopatinDmitr · LopatinDmitr · commit 5650dfdd912d · 2026-05-13T17:03:21.000+03:00
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
diff --git a/api/client/examples/cancel-evacuation/go.mod b/api/client/examples/cancel-evacuation/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/api/client/examples/cancel-evacuation
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/deckhouse/virtualization/api v1.6.1
diff --git a/api/client/examples/list-resources/go.mod b/api/client/examples/list-resources/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/api/client/examples/list-resources
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/deckhouse/virtualization/api v1.6.1
diff --git a/api/client/examples/resourceclaim/go.mod b/api/client/examples/resourceclaim/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/api/client/examples/resourceclaim
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/deckhouse/virtualization/api v1.6.1
diff --git a/api/go.mod b/api/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/api
 
-go 1.25.9
+go 1.25.10
 
 tool (
 	k8s.io/code-generator
diff --git a/build/base-images/deckhouse_images.yml b/build/base-images/deckhouse_images.yml
diff --git a/build/components/versions.yml b/build/components/versions.yml
@@ -4,7 +4,7 @@ firmware:
   edk2: stable202411
 core:
   3p-kubevirt: v1.6.2-v12n.25.1
-  3p-containerized-data-importer: v1.60.3-v12n.18
+  3p-containerized-data-importer: v1.60.3-v12n.19
   distribution: 2.8.3
 package:
   acl: v2.3.1
diff --git a/images/dvcr-artifact/go.mod b/images/dvcr-artifact/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization-controller/dvcr-importers
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/containers/image/v5 v5.32.0
diff --git a/images/hooks/go.mod b/images/hooks/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/hooks
 
-go 1.25.9
+go 1.25.10
 
 tool github.com/onsi/ginkgo/v2/ginkgo
 
@@ -17,6 +17,7 @@ require (
 	k8s.io/apimachinery v0.34.2
 	k8s.io/client-go v0.34.2
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	sigs.k8s.io/controller-runtime v0.21.0
 )
 
 require (
@@ -109,7 +110,6 @@ require (
 	kubevirt.io/api v1.6.2 // indirect
 	kubevirt.io/containerized-data-importer-api v1.63.1 // indirect
 	kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect
-	sigs.k8s.io/controller-runtime v0.21.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
diff --git a/images/kube-api-rewriter/go.mod b/images/kube-api-rewriter/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization/kube-api-rewriter
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/deckhouse/kube-api-rewriter v0.2.0
diff --git a/images/pre-delete-hook/go.mod b/images/pre-delete-hook/go.mod
@@ -1,6 +1,6 @@
 module pre-delete-hook
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/ilyakaznacheev/cleanenv v1.5.0
diff --git a/images/virt-launcher/node-labeller/go.mod b/images/virt-launcher/node-labeller/go.mod
@@ -1,6 +1,6 @@
 module node-labeller
 
-go 1.25.9
+go 1.25.10
 
 require (
 	golang.org/x/sys v0.25.0
diff --git a/images/virt-launcher/vlctl/go.mod b/images/virt-launcher/vlctl/go.mod
@@ -1,6 +1,6 @@
 module vlctl
 
-go 1.25.9
+go 1.25.10
 
 require (
 	github.com/spf13/cobra v1.9.1
diff --git a/images/virtualization-artifact/go.mod b/images/virtualization-artifact/go.mod
@@ -1,6 +1,6 @@
 module github.com/deckhouse/virtualization-controller
 
-go 1.25.9
+go 1.25.10
 
 tool (
 	github.com/matryer/moq
diff --git a/images/virtualization-dra/go.mod b/images/virtualization-dra/go.mod
@@ -70,9 +70,9 @@ require (
 	github.com/tetratelabs/wazero v1.9.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel v1.41.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
diff --git a/images/virtualization-dra/go.sum b/images/virtualization-dra/go.sum
@@ -156,16 +156,16 @@ go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6
 go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
 go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
 go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
 go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
 go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
diff --git a/images/vm-route-forge/go.mod b/images/vm-route-forge/go.mod
@@ -1,11 +1,11 @@
 module vm-route-forge
 
-go 1.25.9
+go 1.25.10
 
 tool github.com/cilium/ebpf/cmd/bpf2go
 
 require (
-	github.com/cilium/cilium v1.17.14
+	github.com/cilium/cilium v1.17.15
 	github.com/cilium/ebpf v0.17.1
 	github.com/deckhouse/virtualization/api v0.0.0-00010101000000-000000000000
 	github.com/go-logr/logr v1.4.3
@@ -74,7 +74,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
@@ -100,15 +100,15 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -117,7 +117,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.34.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
+	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5 // indirect
 	kubevirt.io/api v1.6.2 // indirect
 	kubevirt.io/containerized-data-importer-api v1.60.3-0.20241105012228-50fbed985de9 // indirect
 	kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect
diff --git a/images/vm-route-forge/go.sum b/images/vm-route-forge/go.sum
diff --git a/src/cli/go.mod b/src/cli/go.mod
diff --git a/test/e2e/go.mod b/test/e2e/go.mod
diff --git a/test/performance/tools/shatal/go.mod b/test/performance/tools/shatal/go.mod
