[release-0.95] CVE-2026-33186: Bump grpc#2718
Conversation
Signed-off-by: Shiwani Biradar <sbiradar@redhat.com>
kubevirt-bot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the project to Go 1.22.0 and performs a comprehensive upgrade of core dependencies, including OpenTelemetry, logr, and testify, while adding an auto-instrumentable SDK. Notable changes include UUID v6/v7 support, improved slog interoperability for logr, and the promotion of the OpenTelemetry Logs API to beta. Feedback highlights a version discrepancy for the grpc-go replacement directive and a regression in the MemMapFs.RemoveAll implementation that prevents the correct removal of the root directory.
|
|
||
| replace golang.org/x/crypto => github.com/openshift/golang-crypto v0.33.1-0.20250310193910-9003f682e581 | ||
|
|
||
| replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.71.3-sec.1 |
There was a problem hiding this comment.
There is a discrepancy between the version of grpc-go specified in the replace directive (v1.71.3-sec.1) and the versions mentioned in the pull request description (1.79.3 and v1.75.1-sec.1). Please verify and use the correct version intended to address the CVE.
|
|
||
| for p := range m.getData() { | ||
| if strings.HasPrefix(p, path) { | ||
| if p == path || strings.HasPrefix(p, path+FilePathSeparator) { |
There was a problem hiding this comment.
The updated logic for RemoveAll using path + FilePathSeparator will fail to match subdirectories when path is the root directory (e.g., /), as it would check for a prefix of //. This is a regression that prevents RemoveAll("/") from working correctly in the memory filesystem.
| if p == path || strings.HasPrefix(p, path+FilePathSeparator) { | |
| if p == path || strings.HasPrefix(p, strings.TrimSuffix(path, FilePathSeparator)+FilePathSeparator) { |
2 participants
What this PR does / why we need it:
Bump grpc to 1.79.3 leads to go lang bump so i used grpc folk to avoid this:
Used below command for replace:
`go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.75.1-sec.1
Release note: