fix(security): bump Go builder images for CVE-2025-61726#623

Merged
nsingla merged 1 commit into
red-hat-data-services:rhoai-3.3from
sduvvuri1603:fix/CVE-2025-61726-go-1.25.7
May 15, 2026

Conversation

@sduvvuri1603 sduvvuri1603 commented May 4, 2026

Issue

CVE-2025-61726: net/url / large URL-encoded forms can drive excessive memory use via ParseForm. Fixed in Go >= 1.25.6 or >= 1.24.12 (NVD).

Resolves Jira: RHOAIENG-48614 · RHOAIENG-48615 (argoexec / workflow-controller, rhel9)

Summary

  • Update Konflux builder images only for argoexec and workflow-controller.
  • Pin registry.access.redhat.com/ubi9/go-toolset:1.25 by digest in:
    • argo-argoexec/Dockerfile.konflux
    • argo-workflowcontroller/Dockerfile.konflux
  • No changes to go.mod, root Dockerfile, ODH Dockerfiles, CI workflows, or codegen artifacts in this PR.

Note

  • This PR is intentionally scoped to the minimal Konflux remediation path for CVE-2025-61726.
  • Broader Go/tooling alignment can be handled separately if needed.
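The real remediation for CVE-2025-61726 is the patched toolchain this PR pins; the following is an added example, not code from this PR or from argo-workflows, showing the application-layer defence-in-depth that the same class of issue calls for: bound how much url-encoded form data a handler lets `ParseForm` buffer. The handler name, the 1 KiB limit and the sample forms are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// MaxFormBytes is a deliberately small, constructed limit for the demo.
// A real service picks a bound that still covers its largest legitimate form.
const MaxFormBytes = 1 << 10 // 1 KiB

// NewFormHandler returns a hypothetical handler that wraps the request body in
// http.MaxBytesReader before calling ParseForm. An oversized url-encoded form
// is rejected with 413 once the limit is crossed instead of being buffered and
// decoded in full. (Without the wrapper, ParseForm applies its own 10 MB cap.)
func NewFormHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		if err := r.ParseForm(); err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "fields=%d", len(r.PostForm))
	})
}

// PostForm submits a url-encoded body to the handler in-process and returns
// the HTTP status code, so the behaviour can be checked without a listener.
func PostForm(h http.Handler, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// BuildForm constructs a sample x-www-form-urlencoded body with n keys, each
// carrying a value of valueLen bytes. This is constructed test input.
func BuildForm(n, valueLen int) string {
	v := url.Values{}
	for i := 0; i < n; i++ {
		v.Set(fmt.Sprintf("k%d", i), strings.Repeat("a", valueLen))
	}
	return v.Encode()
}

func main() {
	h := NewFormHandler(MaxFormBytes)
	fmt.Println("small form status:", PostForm(h, BuildForm(4, 16)))      // 200
	fmt.Println("oversized form status:", PostForm(h, BuildForm(64, 64))) // 413
}
```

The body limit is the check a reviewer would want next to the image bump: the toolchain fix closes the decoder's memory behaviour, the limit keeps an attacker-controlled body from ever reaching the decoder at an unreasonable size. To confirm a built binary actually carries the patched toolchain, `go version -m <binary>` prints the Go version recorded in its build info.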

@sduvvuri1603 (Author)

/retest

@sduvvuri1603 sduvvuri1603 force-pushed the fix/CVE-2025-61726-go-1.25.7 branch from f6ff775 to 9227cb9 Compare May 6, 2026 15:59
@sduvvuri1603 sduvvuri1603 marked this pull request as ready for review May 6, 2026 16:20
@VaniHaripriya

/lgtm

@nsingla nsingla left a comment

lgtm

@nsingla nsingla left a comment

you need to update the go version in go.mod file as well

@sduvvuri1603 sduvvuri1603 force-pushed the fix/CVE-2025-61726-go-1.25.7 branch from 9227cb9 to 0d0f33c Compare May 7, 2026 17:46
sduvvuri1603 added a commit to sduvvuri1603/argo-workflows that referenced this pull request May 7, 2026
…ed-hat-data-services#625 control)

Touch the same ten paths as fix(security) PR red-hat-data-services#623 with comments only:
workflows ci-build/docs/release, root Dockerfile + Makefile, Konflux/ODH
Dockerfiles for argoexec and workflow-controller, and go.mod — no toolchain
or workflow logic changes. Rebases control branch on rhoai-3.3.

Co-authored-by: Cursor <cursoragent@cursor.com>

grdryn commented May 15, 2026

Closing to try to retrigger snyk checks by reopening.

@grdryn grdryn closed this May 15, 2026
@grdryn grdryn reopened this May 15, 2026

grdryn commented May 15, 2026

> you need to update the go version in go.mod file as well

This is not correct. To pick up changes in the Go compiler/standard library, only the image needs to be changed. It will compile for older versions of Go specified in the go.mod just fine.

I've created #646 with the minimal changes needed, and the snyk checks pass successfully there.


nsingla commented May 15, 2026

> > you need to update the go version in go.mod file as well
>
> This is not correct. To pick up changes in the Go compiler/standard library, only the image needs to be changed. It will compile for older versions of Go specified in the go.mod just fine.
>
> I've created #646 with the minimal changes needed, and the snyk checks pass successfully there.

My bad, what I meant wasn't that it's not required to fix the CVE, but it's a good practice to keep it in sync. We can skip it if it's causing snyk issues and handle it separately

Update the Konflux argoexec and workflow-controller builder images to Go 1.25 digest-pinned toolset for the CVE-2025-61726 remediation path.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sduvvuri1603 sduvvuri1603 force-pushed the fix/CVE-2025-61726-go-1.25.7 branch from 8d9b587 to 49805be Compare May 15, 2026 15:22

sduvvuri1603 commented May 15, 2026

> > > you need to update the go version in go.mod file as well
> >
> > This is not correct. To pick up changes in the Go compiler/standard library, only the image needs to be changed. It will compile for older versions of Go specified in the go.mod just fine.
> > I've created #646 with the minimal changes needed, and the snyk checks pass successfully there.
>
> My bad, what I meant wasn't that it's not required to fix the CVE, but it's a good practice to keep it in sync. We can skip it if it's causing snyk issues and handle it separately

Updated PR changes to keep it minimal with ref to: #646


nsingla commented May 15, 2026

/build-konflux argoexec


nsingla commented May 15, 2026

/build-konflux workflowcontroller

@nsingla nsingla left a comment

lgtm

@nsingla nsingla merged commit cb8ed2c into red-hat-data-services:rhoai-3.3 May 15, 2026
16 of 17 checks passed