[release-1.16] Bump Go Jose to 3.0.5 and 4.1.4, CVE-2026-34986 #2864
Bump Go Jose to v3.0.5 and v4.1.4 to address CVE-2026-34986
Fixes: https://redhat.atlassian.net/browse/OCPBUGS-81798, https://redhat.atlassian.net/browse/OCPBUGS-81806
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
Ephemeral COPR build failed. @containers/packit-build please check.
@TomSweeneyRedHat what RHEL releases are these OCP based on? I'll run tests manually on testing-farm.
@lsm5 they are based on Podman 5.2 on RHEL 9.5, headed towards OCP 4.18 and 4.17
So, I dunno if we wanna just merge this and hope for the best. I haven't yet received answers on if golang will be updated and what's the right golang build to fetch for running testing-farm tests.
@lsm5 leave this one for now until I get some time to dig further. I'll ping you when it's ready for the merge button.
Based on podman-container-tools@5973d14, bump the version of Fedora that cirrus ci will use.
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
08e7b70 to 9998de5
@lsm5 I'm going around in loops trying to get the validate test to work here. It seems to be saying the version of Go needs to be higher, but with my fedora bump to v42, that should be at Go 1.24, which should be fine. Do you have any other thoughts? Do we just wait until you can convert to Packit here too?
@TomSweeneyRedHat this is
… alternatively, disabling a linter would not be too bad…
Bump golangci-lint to 1.64.2, which was the version that first came out with Go 1.24. If that doesn't address the issues we are seeing in the CI, we'll bump it up a bit more. I worry about going too high, as I saw some compatibility issues noted in some discussions online.
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
9998de5 to 0dc7fe5
@mtrmac I added a commit to tweak the Makefile for golangci-lint. Tests aren't happy, the first one looked to be a network hiccup. I'll restart in the morning.
I guess backporting some of the commits found by
dnf erase was removed from dnf5 in f41, AFAIK remove does the same thing and erase was just a removed alias.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 8d3fb4b)
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
Bump to Skopeo v1.16.2
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
0dc7fe5 to 908552c
Backported the dnf fix, @Luap99 had done one upstream to change erase to remove. That looks to have fixed that. Now this is down to packit issues.
And Happy Green Test Buttons!
mtrmac left a comment
@TomSweeneyRedHat the CI results that are now visible are only RPM build tests; I can’t tell whether “proper” CI passed and we lost the data, or whether it was never run.
Either way, leaving it to you whether you want to merge+release as is, or to wait for CI to be migrated (and to backport that to this branch).
Bump Go Jose to v3.0.5 and v4.1.4 to address CVE-2026-34986 Also Bump Skopeo to v1.16.2
Fixes: https://redhat.atlassian.net/browse/OCPBUGS-81798, https://redhat.atlassian.net/browse/OCPBUGS-81806