Update dependencies to recent versions#1463
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughUpdates Changesgo.mod dependency refresh
Estimated code review effort: 3 (Moderate) | ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 104: The dependency github.com/go-jose/go-jose/v4 is pinned to an
affected version and should be updated to v4.1.4. Modify the go.mod entry for
github.com/go-jose/go-jose/v4 to use v4.1.4, and ensure any corresponding module
metadata or checksums are refreshed if needed so the build resolves the patched
release.
- Around line 175-177: Update the indirect Sigstore dependencies in go.mod so
the module graph uses patched releases: raise github.com/sigstore/fulcio to
v1.8.5 or newer and github.com/sigstore/rekor to v1.5.0 or newer. Keep
github.com/sigstore/protobuf-specs aligned as needed by the resolver, and verify
any go.sum/module graph changes by re-running the dependency tidy/update flow
after adjusting the go.mod entries.
- Line 90: The dependency bump in go.mod for github.com/docker/docker is unsafe
because v28.2.2+incompatible is within the affected CVE range. Update the
github.com/docker/docker requirement to a patched release at or above 29.5.1,
and keep the existing module entry consistent with the rest of the dependency
set.
- Around line 199-201: The OpenTelemetry dependencies are still pinned to
vulnerable versions, so update the module requirements in go.mod to at least
v1.40.0 for both go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk. Keep
the existing go.opentelemetry.io/otel/metric entry aligned with the upgraded
OpenTelemetry set, and make sure the dependency block reflects the new minimum
version consistently.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c48cbfb3-b5d8-4e05-918e-64425ca3e2eb
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
go.mod
| github.com/docker/distribution v2.8.3+incompatible // indirect | ||
| github.com/docker/docker v27.0.3+incompatible // indirect | ||
| github.com/docker/docker-credential-helpers v0.8.1 // indirect | ||
| github.com/docker/docker v28.2.2+incompatible // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
github.com/docker/docker v28.2.2 advisories host-path redirection docker cp plugin privilege validation bypass PUT /containers/{id}/archive fixed release
💡 Result:
The vulnerability you referenced involves a race condition in the docker cp command (and related API endpoints PUT/HEAD /containers/{id}/archive), which is tracked as CVE-2026-42306 [1][2]. This vulnerability allows a malicious container to exploit a time-of-check to time-of-use (TOCTOU) race condition during the mount setup sequence [3][4]. When an operator performs a docker cp operation (or calls the affected archive API endpoints) against a container, the Docker daemon creates a temporary mountpoint [3][5]. A malicious process inside the container can manipulate the destination path or its components by swapping them with symlinks pointing to arbitrary locations on the host before the mount syscall is completed [3][5]. This causes the daemon to bind-mount volumes onto unintended host paths, potentially allowing file overwrites or denial of service [3][1]. Affected versions include: - Docker Engine versions prior to 29.5.1 [1][2] - github.com/docker/docker/daemon versions up to 28.5.2 [1][6] - Moby Daemon versions prior to 2.0.0-beta.14 [1][2] This issue is patched in Docker Engine 29.5.1 and Moby Daemon 2.0.0-beta.14 [1][2]. If you cannot update immediately, recommended mitigations include: - Restricting access to the archive API endpoints using authorization plugins [3][5]. - Avoiding the use of docker cp with untrusted containers [3][5]. - Running containers with the --read-only flag where possible [2]. Please note that a separate issue related to plugin privilege validation (tracked as GHSA-pxq6-2prw-chj9) was also identified, where a bug in the daemon's privilege comparison logic allows malicious plugins to bypass privilege requirements during installation [7]. This is a distinct issue from the docker cp race condition [7][3].
Citations:
- 1: https://nvd.nist.gov/vuln/detail/CVE-2026-42306
- 2: https://app.opencve.io/cve/CVE-2026-42306
- 3: https://osv.dev/vulnerability/GHSA-rg2x-37c3-w2rh
- 4: https://www.sentinelone.com/vulnerability-database/cve-2026-41568/
- 5: https://scout.docker.com/vulnerabilities/id/CVE-2026-42306
- 6: https://cve.report/CVE-2026-42306
- 7: https://test.osv.dev/vulnerability/GHSA-pxq6-2prw-chj9
🌐 Web query:
OSV GHSA-rg2x-37c3-w2rh github.com/docker/docker fixed version 28.2.2 28.5.3 module
💡 Result:
The vulnerability GHSA-rg2x-37c3-w2rh (also identified as CVE-2026-42306) describes a race condition in the docker cp command that allows a malicious container to redirect a bind mount target to an arbitrary path on the host, which can lead to file overwriting or a denial of service [1][2]. Regarding your query about fixed versions, the vulnerability is patched in Docker Engine version 29.5.1 [2]. Versions of Docker Daemon up to and including 28.5.2 are affected [2]. The specific version numbers 28.2.2 and 28.5.3 mentioned in your query do not appear to be the official patch releases for this issue; the correction is implemented in the 29.5.x release line [2]. For Moby Daemon, the fix is available in versions starting from 2.0.0-beta.14 [2].
Citations:
- 1: https://osv.dev/vulnerability/GHSA-rg2x-37c3-w2rh
- 2: https://nvd.nist.gov/vuln/detail/CVE-2026-42306
Block this Docker bump. github.com/docker/docker v28.2.2+incompatible is in the affected range for GHSA-rg2x-37c3-w2rh / CVE-2026-42306 (docker cp and PUT/HEAD /containers/{id}/archive TOCTOU on host paths). Move to a patched release, starting with 29.5.1.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby firewalld reload makes published container ports accessible from remote hosts in github.com/docker/docker
(GO-2025-3830)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
(GO-2026-4883)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
(GO-2026-4887)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path in github.com/docker/docker
(GO-2026-5617)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap in github.com/docker/docker
(GO-2026-5668)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host in github.com/docker/docker
(GO-2026-5746)
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby firewalld reload makes published container ports accessible from remote hosts
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies
[HIGH] 90-90: github.com/docker/docker 28.2.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 90, The dependency bump in go.mod for
github.com/docker/docker is unsafe because v28.2.2+incompatible is within the
affected CVE range. Update the github.com/docker/docker requirement to a patched
release at or above 29.5.1, and keep the existing module entry consistent with
the rest of the dependency set.
Source: Linters/SAST tools
4b13326 to
2798f2f
Compare
A variety of libraries were updated to their recent versions. This includes many indirect libraries. Signed-off-by: Alexander Wels <awels@redhat.com>
2798f2f to
957e45b
Compare
|
@awels , @midays , |
| github.com/prometheus/procfs v0.16.1 // indirect | ||
| github.com/rivo/uniseg v0.4.7 // indirect | ||
| github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect | ||
| github.com/sigstore/fulcio v1.6.6 // indirect |
There was a problem hiding this comment.
for CVE-2025-66506, which covers 2 jira tickets: (MIG-1802, MIG-1800) the bump needed >= 1.8.3
There was a problem hiding this comment.
So I can't do fulcio 1.8.3 because it is the thing requiring the newer version of docker as well. I guess that is the thing that pulls in that dependency to start with.
There was a problem hiding this comment.
I was wrong, found a way with some replace statements to update fulcio to 1.8.3.
Unfortunately I have to pick. Either update selinux or update docker. I cannot do both. I choose selinux. We don't directly use any of the docker stuff, it is all indirect imports from other libraries. Here is why we have to pick, docker/docker requires containers/storage 1.59.1+ which requires an old version of filepath-securejoin, while selinux requires a newer version of filepath-securejoin. They are not compatible, and there is no version which can satisfy both |
version of docker than we can support. But with a replace we can downgrade the actual version. Signed-off-by: Alexander Wels <awels@redhat.com>
A variety of libraries were updated to their recent versions. This includes many indirect libraries.
Summary by CodeRabbit