
fix(deps): update golang.org/x/net to v0.55.0 for CVE-2026-39821 #33795

Open. bjp-rocks wants to merge 1 commit into rhoai-2.25 from fix/cve-2026-39821-x-net


bjp-rocks commented Jul 1, 2026


Description

Update golang.org/x/net from v0.39.0 to v0.55.0 to fix [https://redhat.atlassian.net/browse/RHOAIENG-67978] CVE-2026-39821

Vulnerability: The idna package ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to ASCII-only labels, enabling domain spoofing and privilege escalation (CVSS 10.0).

Impact on this repo: The idna package is in an active dependency path via k8s.io/client-go/rest → golang.org/x/net/http2 → golang.org/x/net/idna.

Changes

  • go.mod / go.sum — bump golang.org/x/net v0.39.0 → v0.55.0 and transitive x/ dependencies
  • go directive 1.24.4 → 1.25.0 (required by x/net v0.55.0)

How Has This Been Tested?

  • go mod verify — all modules verified
  • go build -o bin/manager cmd/main.go — builds successfully
  • make unit-test — 52/52 test suites passed (45.2% coverage)
  • make lint — 0 issues

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work
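
Added example, not part of this PR and not code from golang.org/x/net: a standalone check for the input shape named in the vulnerability description, hostname labels that carry the `xn--` prefix yet decode to ASCII-only text. It relies only on RFC 3492 decoding rules; `Finding` and `asciiOnlyACELabels` are hypothetical names and the hostnames are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is a hostname label that has the "xn--" prefix but encodes no
// non-ASCII code point. (Hypothetical type, named for this example.)
type Finding struct {
	Label   string // the label, lower-cased
	Decoded string // the ASCII text a Punycode decoder yields for it
}

// asciiOnlyACELabels returns the "xn--" labels of host that decode to ASCII
// only. RFC 3492 decoding copies everything before the last '-' verbatim and
// inserts code points starting at 128 for the digits after it, so the result
// is pure ASCII exactly when no digits follow that last '-'.
func asciiOnlyACELabels(host string) []Finding {
	var found []Finding
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, label := range strings.Split(host, ".") {
		if !strings.HasPrefix(label, "xn--") {
			continue
		}
		payload := label[len("xn--"):]
		if payload != "" && !strings.HasSuffix(payload, "-") {
			continue // delta digits present: at least one code point >= 128
		}
		decoded := strings.TrimSuffix(payload, "-")
		if strings.IndexFunc(decoded, func(r rune) bool { return r >= 0x80 }) >= 0 {
			continue // raw non-ASCII in the label: not the case checked here
		}
		found = append(found, Finding{Label: label, Decoded: decoded})
	}
	return found
}

func main() {
	// Constructed sample hostnames, not taken from the PR.
	for _, h := range []string{"xn--example-.test", "xn--mnchen-3ya.test", "api.XN--svc-.test."} {
		fmt.Printf("%-22s %+v\n", h, asciiOnlyACELabels(h))
	}
}
```

A reported label is never the output of Punycode encoding, so it can be rejected or logged at input validation independently of the x/net version in use.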
