
[CVE-117] CVE-2026-39883 fix #8090

Closed
tbuchaillot wants to merge 1 commit into master from fix/CVE-2026-39883

Conversation

@tbuchaillot
Contributor

@tbuchaillot tbuchaillot commented Apr 17, 2026

Description

Related Issue

Motivation and Context

https://tyktech.atlassian.net/browse/CVE-117

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

@tbuchaillot tbuchaillot added the deps-reviewed Dependency changes reviewed and approved for CI execution label Apr 17, 2026
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: ba9e11c
Failed at: 2026-04-17 14:31:25 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to validate branch and PR title rules: PR title contains 'CVE-117' but branch has 'CVE-2026' - they must match

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

This pull request addresses the security vulnerability CVE-2026-39883 by upgrading OpenTelemetry-related dependencies.

Files Changed Analysis

The changes are confined to go.mod and go.sum, indicating a dependency-only update. Key packages have been upgraded:

  • github.com/TykTechnologies/opentelemetry to v0.0.25
  • go.opentelemetry.io/otel and its sub-packages (trace, metric, sdk) from v1.42.0 to v1.43.0
  • golang.org/x/sys from v0.41.0 to v0.42.0

Architecture & Impact Assessment

What this PR accomplishes:
This PR patches the security vulnerability CVE-2026-39883 by updating dependencies to non-vulnerable versions.

Key technical changes introduced:
No application logic has been changed. The modifications consist solely of version bumps for dependencies, primarily focusing on the OpenTelemetry suite used for application observability.

Affected system components:
The observability and tracing infrastructure are the components affected by this change. While no functional changes to the gateway's core logic are expected, the update mitigates a security risk within the telemetry data processing pipeline. The review should focus on ensuring CI pipelines pass to detect any potential regressions introduced by the dependency upgrade.

Scope Discovery & Context Expansion

The scope of this change is limited to dependency management, but its impact is cross-cutting. Every part of the application that is instrumented with OpenTelemetry for tracing or metrics will now use the updated libraries. The vulnerability was likely present in the underlying OpenTelemetry libraries, and this update brings in the required security patch without altering how the application uses them. To verify the scope, a reviewer could search the codebase for usages of go.opentelemetry.io/otel to identify all instrumented areas.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-17T14:32:16.611Z | Triggered by: pr_opened | Commit: ba9e11c

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

✅ Security Check Passed

No security issues found – changes LGTM.


Architecture Issues (1)

Severity: 🟡 Warning
Location: go.mod:100-555
Issue: The pull request updates several dependencies but lacks a description explaining the reasons for these changes. The PR template includes a checklist item, "I explained why this PR updates go.mod in detail with reasoning why it's required," which has not been addressed. Documenting the motivation for dependency updates, especially when related to security fixes as the title suggests, is crucial for maintainability, security auditing, and understanding the architectural impact.
💡 Suggestion: Please update the pull request description to detail the reasons for each dependency version bump. If they are related to a CVE, please specify which vulnerability is being addressed by which update.

✅ Performance Check Passed

No performance issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2026-04-17T14:32:15.358Z | Triggered by: pr_opened | Commit: ba9e11c


@github-actions
Contributor

API Changes

no api changes detected

@sonarqubecloud

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@tbuchaillot tbuchaillot enabled auto-merge (squash) April 17, 2026 15:08
@buger
Member

buger commented Apr 17, 2026

Closing: otel/sdk fix (CVE-2026-39883) has been consolidated into #8046 along with go-jose/v4 fix (CVE-2026-34986).

@buger buger closed this Apr 17, 2026
auto-merge was automatically disabled April 17, 2026 15:25

Pull request was closed

buger added a commit that referenced this pull request Apr 17, 2026
## Description
This PR addresses the following CVEs:

**[CVE-2026-34986]** go-jose/v3 -> Updated to v3.0.5 ✅
**[CVE-2026-34986]** go-jose/v4 -> Updated to v4.1.4 ✅
**[CVE-2026-32286]** pgproto3/v2 -> Removed (via bento v1.16.2 using pgx/v5) ✅
**[CVE-2026-39883]** otel/sdk -> Updated to v1.43.0 (via TykTechnologies/opentelemetry v0.0.25) ✅

Previously #8090 was a separate PR for otel/sdk fix - it has been closed
and consolidated here.

## Related Issue
TT-16932

## Test Plan
- [x] `go build ./...` passes
- [ ] CI passes

---------

Co-authored-by: Ilija Bojanovic <ilijabojanovic@gmail.com>
Co-authored-by: Leonid Bugaev <leonsbox@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
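A check a reviewer can run against the consolidated fix is to confirm that go.mod actually pins each module named in the commit message at or above the stated version, rather than trusting the PR title. The script below is an added example, not code from the Tyk repository or from either pull request; the go.mod text it parses is a constructed sample, and the full module paths for go-jose (github.com/go-jose/go-jose/v3 and /v4) are assumptions, since the commit message names them only as go-jose/v3 and go-jose/v4. The pgproto3 removal is not checked here because a removal is verified by absence, which `go mod why` on the real tree answers better than a text match.

```shell
#!/bin/sh
# Added example: verify that go.mod pins the modules from the CVE fix at or
# above the versions listed in the commit message. Not project code.

# Constructed sample standing in for the gateway's real go.mod.
SAMPLE_GOMOD='module github.com/example/gateway

go 1.22

require (
	github.com/TykTechnologies/opentelemetry v0.0.25
	github.com/go-jose/go-jose/v3 v3.0.5
	github.com/go-jose/go-jose/v4 v4.1.4
	go.opentelemetry.io/otel/sdk v1.43.0
	golang.org/x/sys v0.42.0
)
'

# Minimum versions from the commit message. The go-jose module paths are an
# assumption; the page only names the modules as go-jose/v3 and go-jose/v4.
MIN_VERSIONS='github.com/go-jose/go-jose/v3 v3.0.5
github.com/go-jose/go-jose/v4 v4.1.4
go.opentelemetry.io/otel/sdk v1.43.0
github.com/TykTechnologies/opentelemetry v0.0.25'

# gomod_version MODULE GOMOD_TEXT
# Prints the version pinned for MODULE (block or single-line require form),
# or nothing if the module is absent.
gomod_version() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 == m { print $2; exit }
        $1 == "require" && $2 == m { print $3; exit }'
}

# version_ge A B
# Succeeds when A >= B for plain vMAJOR.MINOR.PATCH versions (no prerelease).
# Pure parameter expansion so it does not depend on sort -V being available.
version_ge() {
    a=${1#v}; b=${2#v}
    a1=${a%%.*}; r=${a#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${b%%.*}; r=${b#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_gomod GOMOD_TEXT
# Prints one status line per required module and fails if any module is
# missing or pinned below its minimum. A here-document (not a pipe) feeds the
# loop so the return code survives; a piped while would run in a subshell.
check_gomod() {
    rc=0
    while read -r mod min; do
        [ -z "$mod" ] && continue
        have=$(gomod_version "$mod" "$1")
        if [ -z "$have" ]; then
            echo "MISSING  $mod (need >= $min)"; rc=1
        elif version_ge "$have" "$min"; then
            echo "OK       $mod $have (>= $min)"
        else
            echo "TOO OLD  $mod $have (need >= $min)"; rc=1
        fi
    done <<EOF
$MIN_VERSIONS
EOF
    return $rc
}

# Run against the constructed sample; on a real checkout use "$(cat go.mod)".
check_gomod "$SAMPLE_GOMOD"
```

On a real checkout, pair this with `go mod why -m go.opentelemetry.io/otel/sdk` to confirm the module is actually reachable from the gateway binary, and with `govulncheck ./...` to confirm the advisory no longer matches the build.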