@SebastienSyd
Contributor

bump go version to at least 1.24.8 to fix CVEs

❯ grype reg.echohq.com/kubebuilder-kube-rbac-proxy:v0.20.0-mini

NAME    INSTALLED  FIXED IN        TYPE       VULNERABILITY   SEVERITY  EPSS           RISK
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-61723  High      < 0.1% (21st)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-61725  High      < 0.1% (21st)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-58186  Medium    < 0.1% (15th)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-61724  Medium    < 0.1% (15th)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-47912  Medium    < 0.1% (15th)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-58188  High      < 0.1% (7th)   < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-58189  Medium    < 0.1% (10th)  < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-58185  Medium    < 0.1% (5th)   < 0.1
stdlib  go1.25.1   1.24.9, 1.25.3  go-module  CVE-2025-58187  High      < 0.1% (2nd)   < 0.1
stdlib  go1.25.1   1.24.8, 1.25.2  go-module  CVE-2025-58183  Medium    < 0.1% (2nd)   < 0.1

@SebastienSyd
Contributor Author

cc. @ibihim

@ibihim
Collaborator

ibihim commented Nov 24, 2025

Sorry, I was busy upstream. I will create a new release tomorrow. Thank you @SebastienSyd!

@ibihim
Collaborator

ibihim commented Nov 24, 2025

Feel free to ping @stlaz or @ibihim on Kubernetes Slack if we don't respond within 24 hours on an urgent issue.

@ibihim
Collaborator

ibihim commented Nov 25, 2025

@SebastienSyd, the Golang version in the go.mod indicates the minimal Golang version expected to build the project. The Golang version is being set in https://github.com/brancz/kube-rbac-proxy/blob/master/.github/workflows/build.yml#L8.

When we build a new release in order to fix #401, we will indirectly ship with the highest available Golang v1.25 version.

Even though it has no impact on the image we ship, we can merge the PR in case someone wants to build this project with Golang v1.24; they should use the minimal version that has no vulnerabilities.
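The distinction drawn above, between the `go` directive in go.mod and the toolchain that actually compiled the binary, can be verified on the artifact itself. The following is an added example, not code from this PR or from the kube-rbac-proxy project: it reads the Go version embedded in a binary's build info and compares it against the lowest fixed versions from the grype output in the PR description (`minFixedPatch`, `parseGoVersion`, `ToolchainIsPatched` and `CheckBinary` are names of my own choosing).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)

// Lowest patched patch-level per minor line, from the FIXED IN column of the grype
// output above: CVE-2025-58187 needs 1.24.9 / 1.25.3, the other nine 1.24.8 / 1.25.2.
var minFixedPatch = map[string]int{"1.24": 9, "1.25": 3}

// parseGoVersion turns "go1.25.1" or "1.25" into [major, minor, patch].
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected Go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unexpected Go version %q: %w", v, err)
		}
	}
	return out, nil
}

// ToolchainIsPatched reports whether a toolchain version is at or above the minimum
// patched release of its minor line; lines the scan does not list (e.g. 1.23) count as unpatched.
func ToolchainIsPatched(v string) (bool, error) {
	got, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	need, ok := minFixedPatch[fmt.Sprintf("%d.%d", got[0], got[1])]
	return ok && got[2] >= need, nil
}

// CheckBinary reads the build info embedded in a compiled Go binary, i.e. the
// toolchain that actually built it rather than the go.mod directive, and checks it.
func CheckBinary(path string) (goVersion string, patched bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	patched, err = ToolchainIsPatched(bi.GoVersion)
	return bi.GoVersion, patched, err
}
```

Run against the extracted kube-rbac-proxy binary from the image, `CheckBinary` returns the same `go1.25.1` that grype reported, regardless of what go.mod says.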

@SebastienSyd
Contributor Author

thanks @ibihim for the details

@ibihim ibihim merged commit 094540a into brancz:master Nov 25, 2025
7 checks passed