Skip to content

OCPBUGS-96855: Bump golang.org/x/net to v0.55.0#639

Open
jkaurredhat wants to merge 1 commit into
openshift:release-5.0from
jkaurredhat:update-xnet-5.0
Open

OCPBUGS-96855: Bump golang.org/x/net to v0.55.0#639
jkaurredhat wants to merge 1 commit into
openshift:release-5.0from
jkaurredhat:update-xnet-5.0

Conversation

@jkaurredhat

@jkaurredhat jkaurredhat commented Jul 3, 2026

Copy link
Copy Markdown

Summary

This PR addresses CVE-2026-27136 by updating golang.org/x/net from v0.53.0 to v0.55.0, which fixes an XSS vulnerability caused by improper handling of duplicate HTML attributes in the HTML parser.

Changes

  • Updated golang.org/x/net from v0.53.0 to v0.55.0
  • Updated transitive dependencies: golang.org/x/sys, golang.org/x/term, golang.org/x/text
  • Ran go mod tidy and go mod vendor
  • Ran make update to regenerate manifests

CVE Details

CVE-2026-27136: Cross-Site Scripting via duplicate HTML attribute mishandling in golang.org/x/net/html

  • Severity: High (CVSS score to be determined)
  • Affected: golang.org/x/net < v0.55.0
  • Impact: XSS vulnerability in HTML parser when processing malicious HTML with duplicate attributes
  • Fixed in: golang.org/x/net v0.55.0

This PR addresses CVE-2026-27136 (golang.org/x/net/html XSS
vulnerability via duplicate HTML attribute mishandling) by updating
golang.org/x/net from v0.53.0 to v0.55.0.

The local-storage-mustgather component is a must-gather debugging
tool that collects cluster diagnostic data. Analysis confirmed that
the component does not import or use golang.org/x/net/html parser
functions, so the risk is LOW (transitive dependency only).

Update is applied for compliance with security scanning requirements.

Related: OCPBUGS-96855
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 3, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@jkaurredhat: This pull request references Jira Issue OCPBUGS-96855, which is invalid:

  • expected Jira Issue OCPBUGS-96855 to depend on a bug targeting a version in 5.1.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

This PR addresses CVE-2026-27136 by updating golang.org/x/net from v0.53.0 to v0.55.0, which fixes an XSS vulnerability caused by improper handling of duplicate HTML attributes in the HTML parser.

Changes

  • Updated golang.org/x/net from v0.53.0 to v0.55.0
  • Updated transitive dependencies: golang.org/x/sys, golang.org/x/term, golang.org/x/text
  • Ran go mod tidy and go mod vendor
  • Ran make update to regenerate manifests

CVE Details

CVE-2026-27136: Cross-Site Scripting via duplicate HTML attribute mishandling in golang.org/x/net/html

  • Severity: High (CVSS score to be determined)
  • Affected: golang.org/x/net < v0.55.0
  • Impact: XSS vulnerability in HTML parser when processing malicious HTML with duplicate attributes
  • Fixed in: golang.org/x/net v0.55.0

Risk Assessment

Risk Level: LOW ⚠️

Analysis confirmed that the local-storage-mustgather component:

  • Does NOT import golang.org/x/net/html in source code (0 imports found)
  • Does NOT call vulnerable functions (html.Parse, html.ParseFragment)
  • Is a must-gather debugging tool that collects diagnostic data (does not parse HTML)
  • Has vulnerable code in vendor/ as transitive dependency but never executes it

The update is applied for compliance with security scanning requirements, not due to exploitable risk.

Analysis Reference

Full CVE analysis posted to OCPBUGS-96855 with:

  • govulncheck results (Package Results only - not Symbol Results)
  • Vendor directory verification
  • Manual source code analysis
  • Risk classification methodology

Test Plan

  • Go version preserved (go 1.25.0 unchanged)
  • Dependencies updated successfully
  • Vendor directory synchronized
  • make update ran successfully
  • Unit tests pass (CI)
  • Integration tests pass (CI)

Related

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3b981cde-0acf-4c94-9112-0c59346c71f3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from jsafrane and rhrmo July 3, 2026 16:11
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jkaurredhat
Once this PR has been reviewed and has the lgtm label, please assign rhrmo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@jkaurredhat: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jsafrane

jsafrane commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Please don't update release-5.0, update main instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants