chore(deps): update module golang.org/x/net to v0.55.0 [security]#2728
chore(deps): update module golang.org/x/net to v0.55.0 [security]#2728redhat-renovate-bot wants to merge 1 commit into
Conversation
Signed-off-by: redhat-renovate-bot <redhat-internal-renovate@redhat.com>
redhat-renovate-bot
added
the
release-note-none
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
kubevirt-bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates multiple golang.org/x dependencies and refactors the HTTP/2 implementation to utilize net/http internals for Go 1.27+. Key changes include Unicode 16.0.0 support in the IDNA package, the introduction of dynamic CPU affinity masks in the unix package, and expanded CPU feature detection for Loong64, RISC-V, and Windows ARM64. Reviewers identified a bug in IDNA processing that incorrectly rejects domain names with trailing dots and a potential DoS vulnerability caused by quadratic tree walking during HTML rendering. Additional feedback highlights efficiency improvements, such as replacing redundant allocating functions with existing utilities and adding input validation to prevent panics during CPU set allocation.
| if unicode16 && strings.HasSuffix(s, ".") { | ||
| err = labelError{s, labelCode} | ||
| } |
There was a problem hiding this comment.
This check appears to flag any domain name ending with a dot as an error when unicode16 and verifyDNSLength are enabled. However, fully qualified domain names (FQDNs) ending with a trailing dot are valid in DNS. While the subsequent logic (lines 452-454) correctly handles the trailing dot for length calculations, this new check will have already set err, causing the function to return an error for valid FQDNs. Additionally, using labelCode (which defaults to A4 - "Domain name is too long") for a trailing dot error seems semantically incorrect.
| for p := n.Parent; p != nil; p = p.Parent { | ||
| if p.Namespace != "" { | ||
| if !htmlIntegrationPoint(p) { | ||
| return false | ||
| } | ||
| break | ||
| } | ||
| } |
There was a problem hiding this comment.
This loop walks up the tree to the root for every node being checked in childTextNodesAreLiteral. In a very deep tree, this can lead to quadratic time complexity ($O(N \cdot depth)$) during rendering, which could potentially be exploited for a Denial of Service attack. Since render1 is already traversing the tree recursively, it would be more efficient to pass the "foreign content" or "namespace" state down as a parameter to avoid redundant tree walks.
| // Spec says keep the old label. | ||
| continue | ||
| } | ||
| if unicode16 && err == nil && len(u) > 0 && isASCII(u) { |
There was a problem hiding this comment.
The isASCII function is redundant and less efficient than the existing ascii function (defined at line 857). isASCII performs a slice conversion []byte(s) which causes a memory allocation, whereas ascii iterates over the string directly without allocating.
| if unicode16 && err == nil && len(u) > 0 && isASCII(u) { | |
| if unicode16 && err == nil && len(u) > 0 && ascii(u) { |
| func isASCII(s string) bool { | ||
| for _, c := range []byte(s) { | ||
| if c >= 0x80 { | ||
| return false | ||
| } | ||
| } | ||
| return true | ||
| } |
There was a problem hiding this comment.
This function is redundant. Please remove it and use the more efficient ascii function defined at line 857 instead.
| func NewCPUSet(maxCPU int) CPUSetDynamic { | ||
| numMasks := (maxCPU + _NCPUBITS - 1) / _NCPUBITS | ||
| if numMasks == 0 { | ||
| numMasks = 1 | ||
| } | ||
| return make(CPUSetDynamic, numMasks) | ||
| } |
There was a problem hiding this comment.
NewCPUSet does not validate that maxCPU is non-negative. If maxCPU is a large negative value (e.g., less than -_NCPUBITS), the calculation of numMasks can result in a negative integer due to signed division behavior, which will cause make to panic with a negative size.
func NewCPUSet(maxCPU int) CPUSetDynamic {
if maxCPU < 0 {
maxCPU = 0
}
numMasks := (maxCPU + _NCPUBITS - 1) / _NCPUBITS
if numMasks == 0 {
numMasks = 1
}
return make(CPUSetDynamic, numMasks)
}2 participants
This PR contains the following updates:
v0.53.0→v0.55.0Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
CVE-2026-42502 / GO-2026-5027
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
CVE-2026-39821 / GO-2026-5026
More information
Details
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.
This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
CVE-2026-25680 / GO-2026-5028
More information
Details
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
CVE-2026-25681 / GO-2026-5029
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
CVE-2026-27136 / GO-2026-5030
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
CVE-2026-42506 / GO-2026-5025
More information
Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.