
fix(security): remediate CVE vulnerabilities #136

Merged
ulucinar merged 1 commit into release-1.1 from fix/cve-remediation-release-1.1-20260416-225417
Apr 17, 2026

@upbound-bot upbound-bot commented Apr 16, 2026

Summary

This PR fixes CVE vulnerabilities identified by security scanning.

Vulnerabilities Fixed

| CVE/GHSA | Severity | Package | Fixed Version |
|---|---|---|---|
| CVE-2026-27140 | High | stdlib | go1.25.9 |
| CVE-2026-32283 | High | stdlib | go1.25.9 |
| CVE-2026-32280 | High | stdlib | go1.25.9 |
| CVE-2026-32281 | High | stdlib | go1.25.9 |
| CVE-2026-32289 | Medium | stdlib | go1.25.9 |
| CVE-2026-32282 | Medium | stdlib | go1.25.9 |
| CVE-2026-32288 | Medium | stdlib | go1.25.9 |
| GHSA-92mm-2pjq-r785 | High | github.com/hashicorp/go-getter | v1.8.6 |

Changes Made

  • Updated Go version from 1.25.8 to 1.25.9 in go.mod
  • Updated github.com/hashicorp/go-getter from v1.7.9 to v1.8.6 in go.mod
  • Ran go mod tidy to update go.sum and resolve dependencies
  • Updated GO_VERSION from "1.25.8" to "1.25.9" in .github/workflows/ci.yml

References

Verification

  • Rescanned with cve-scan skill after fixes
  • All listed vulnerabilities resolved

- Update Go version to 1.25.9 (fixes CVE-2026-27140, CVE-2026-32283, CVE-2026-32280, CVE-2026-32281, CVE-2026-32289, CVE-2026-32282, CVE-2026-32288)
- Update github.com/hashicorp/go-getter to v1.8.6 (fixes GHSA-92mm-2pjq-r785)
- Update CI workflow Go version to match go.mod

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>

@upbound-bot (Author) commented

/test-examples="examples/cluster/workspace-inline-aws.yaml"

@ulucinar ulucinar merged commit 01131f9 into release-1.1 Apr 17, 2026
8 checks passed
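
A check a reviewer could run against this kind of remediation, as an added example that is not part of the PR or the project's code: it reads go.mod and workflow text and reports whether the Go directive and go-getter meet the fixed versions listed above and whether the workflow's GO_VERSION matches go.mod. The function names, the `GO_VERSION: "…"` line shape in ci.yml, and the sample input are assumptions; replace directives are not evaluated.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	minGo, minGetter = "1.25.9", "v1.8.6" // fixed versions from the PR's table
	goDirective      = regexp.MustCompile(`(?m)^go\s+(\S+)`)
	getterReq        = regexp.MustCompile(`(?m)^\s*(?:require\s+)?github\.com/hashicorp/go-getter\s+(v\S+)`)
	ciGoVersion      = regexp.MustCompile(`(?m)^\s*GO_VERSION:\s*["']?([0-9.]+)`) // assumed ci.yml line shape
)

// atLeast compares dotted versions numerically (1.25.10 > 1.25.9); unparsable parts count as 0 and fail.
func atLeast(got, want string) bool {
	g := strings.Split(strings.TrimPrefix(got, "v"), ".")
	for i, ws := range strings.Split(strings.TrimPrefix(want, "v"), ".") {
		gi := 0
		if i < len(g) {
			gi, _ = strconv.Atoi(g[i])
		}
		if wi, _ := strconv.Atoi(ws); gi != wi {
			return gi > wi
		}
	}
	return true
}

// checkRemediation returns one message per problem; find yields capture group 1 or "" on no match.
func checkRemediation(goMod, ciYAML string) (problems []string) {
	find := func(re *regexp.Regexp, s string) string { return append(re.FindStringSubmatch(s), "", "")[1] }
	goVer, getter, ci := find(goDirective, goMod), find(getterReq, goMod), find(ciGoVersion, ciYAML)
	if !atLeast(goVer, minGo) {
		problems = append(problems, fmt.Sprintf("go.mod: go %q is below %s", goVer, minGo))
	}
	if !atLeast(getter, minGetter) {
		problems = append(problems, fmt.Sprintf("go.mod: go-getter %q is below %s", getter, minGetter))
	}
	if ci != goVer {
		problems = append(problems, fmt.Sprintf("ci.yml: GO_VERSION %q differs from go.mod %q", ci, goVer))
	}
	return problems
}

func main() { // constructed input: go.mod bumped, workflow left at 1.25.8
	fmt.Println(checkRemediation("go 1.25.9\nrequire github.com/hashicorp/go-getter v1.8.6\n", "  GO_VERSION: \"1.25.8\"\n"))
}
```

The numeric comparison matters once a patch level reaches two digits: a plain string comparison would rank 1.25.10 below 1.25.9.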