Skip to content

CVE fix: bump Go 1.26.4, fulcio v1.8.6, mongo-driver v1.17.7#1779

Closed
ngelman1 wants to merge 1 commit into
tektoncd:mainfrom
ngelman1:fix-CVE
Closed

CVE fix: bump Go 1.26.4, fulcio v1.8.6, mongo-driver v1.17.7#1779
ngelman1 wants to merge 1 commit into
tektoncd:mainfrom
ngelman1:fix-CVE

Conversation

@ngelman1

@ngelman1 ngelman1 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Changes

Bump Go version and dependencies to address multiple CVEs

Field Value
CVE ID CVE-2026-42504
GHSA GO-2026-5038
Severity IMPORTANT (CVSS 7.5)
Affected version go 1.26.1
Fixed version go 1.26.4
--- ---
CVE ID CVE-2026-27145
GHSA GO-2026-5037
Severity IMPORTANT (CVSS 7.5)
Affected version go 1.26.1
Fixed version go 1.26.4
--- ---
CVE ID CVE-2026-49478
GHSA GHSA-f5mr-q85p-6hh6
Severity IMPORTANT (CVSS 8.7)
Affected version v1.8.5
Fixed version v1.8.6
--- ---
CVE ID CVE-2026-42507
GHSA GO-2026-5039
Severity MODERATE (CVSS 5.3)
Affected version go 1.26.1
Fixed version go 1.26.4
--- ---
CVE ID CVE-2026-2303
GHSA -
Severity MODERATE (CVSS 6.5)
Affected version v1.17.6
Fixed version v1.17.7

test and build passed

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Bumped Go to 1.26.4 and updated sigstore/fulcio, mongo-driver to fix CVE-2026-42504, CVE-2026-27145, CVE-2026-49478, CVE-2026-42507, CVE-2026-2303.

@tekton-robot

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign ab-ghosh after the PR has been reviewed.
You can assign the PR to them by writing /assign @ab-ghosh in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 9, 2026
@tekton-robot tekton-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 9, 2026
@ngelman1 ngelman1 marked this pull request as draft July 9, 2026 08:27
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 9, 2026
@ngelman1 ngelman1 closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants