
Fix CVEs in gcs-fuse-csi-driver-sidecar-mounter:v1.17.9-gke.4 #1311

Open

amacaskill wants to merge 1 commit into GoogleCloudPlatform:release-1.17 from amacaskill:fix-cve-v1-17-9-gke-4

Conversation

@amacaskill amacaskill (Collaborator) commented Apr 15, 2026

This PR fixes several vulnerabilities identified in the sidecar-mounter image (v1.17.9-gke.4):

Vulnerability Mapping

| Code Change | CVE ID | Package | Fixed Version |
| --- | --- | --- | --- |
| Update Golang Base Image to 1.25.8 | CVE-2025-68121 | stdlib | 1.24.13 |
| | CVE-2025-61726 | stdlib | 1.24.12 |
| | CVE-2025-61732 | toolchain | 1.24.13 |
| | CVE-2026-25679 | stdlib | 1.25.8 |
| | CVE-2025-61731 | toolchain | 1.24.12 |
| | CVE-2026-27139 | stdlib | 1.25.8 |
| | CVE-2025-61728 | stdlib | 1.24.12 |
| | CVE-2026-27142 | stdlib | 1.25.8 |
| | CVE-2025-61730 | stdlib | 1.24.12 |
| Update google.golang.org/grpc to v1.79.3 | CVE-2026-33186 | google.golang.org/grpc | 1.79.3 |
| Update github.com/go-jose/go-jose/v4 to v4.1.4 | CVE-2026-34986 | github.com/go-jose/go-jose/v4 | 4.1.4 |

Summary of Changes

  • Updated Golang base image to with digest in , , , and .
  • Updated project-level dependencies and refreshed the directory.
  • Reverted version in to to maintain compatibility with project constraints.
  • Created Buganizer issue b/503066960 for vulnerabilities in the external binary (CVE-2026-33186, CVE-2026-34986, CVE-2026-24051).

Note: The mandatory label 'releaser-new-branch=true' was not found in the repository and could not be added.

Closes b/503066960

- Update Golang base image to 1.25.8 in Dockerfiles.
- Update google.golang.org/grpc to v1.79.3.
- Update github.com/go-jose/go-jose/v4 to v4.1.4.
- Run go mod tidy and go mod vendor.
- Revert go version in go.mod to 1.23.0.

BUG=503066960
@amacaskill amacaskill added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) on Apr 15, 2026
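As an added check that is not part of this PR or the project's code: a Go snippet that scans a go.mod require block and reports the modules from the table above that are still pinned below their fixed versions. The go.mod text is constructed, and the version ordering also handles pre-release and pseudo-versions (which sort below the plain release, so they still count as unfixed).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum fixed versions for the modules in the PR's table above (added check, not project code).
var fixedVersions = map[string]string{
	"google.golang.org/grpc":        "v1.79.3",
	"github.com/go-jose/go-jose/v4": "v4.1.4",
}

// versionKey orders canonical "vMAJOR.MINOR.PATCH[-suffix]" strings: numbers first, then a pre-release or pseudo-version below the plain release.
func versionKey(v string) int64 {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var key int64
	for _, p := range strings.SplitN(base, ".", 3) { // each number is assumed to fit in 20 bits
		n, _ := strconv.Atoi(p)
		key = key<<20 | int64(n)
	}
	if pre {
		return key << 1
	}
	return key<<1 | 1
}

// Unfixed returns module -> pinned version for each table module that the go.mod text still pins, inside a require block, below its fixed version.
func Unfixed(gomod string) map[string]string {
	bad, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "require" && f[1] == "(" {
			inBlock = true
		} else if len(f) == 1 && f[0] == ")" {
			inBlock = false
		} else if inBlock && len(f) == 2 {
			if fixed, ok := fixedVersions[f[0]]; ok && versionKey(f[1]) < versionKey(fixed) {
				bad[f[0]] = f[1]
			}
		}
	}
	return bad
}

// Constructed go.mod fragment (not the project's): grpc still below the fix, go-jose already fixed.
const sampleGoMod = "module example.com/sidecar\n\ngo 1.23.0\n\nrequire (\n\tgoogle.golang.org/grpc v1.79.2\n\tgithub.com/go-jose/go-jose/v4 v4.1.4 // indirect\n)\n"
func main() { fmt.Println(Unfixed(sampleGoMod)) } // prints map[google.golang.org/grpc:v1.79.2]
```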
@google-oss-prow


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amacaskill

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist

Contributor

Note

The number of changes in this pull request is too large for Gemini Code Assist to generate a review.
