bump to 1.25.9 to fix CVEs#587

Merged
benchwang merged 1 commit into main from bewang/cves on Apr 8, 2026
Conversation

@benchwang
Contributor

trivy image mcr.microsoft.com/aks/eno/eno-reconciler:v20260316.20260316.1  --detection-priority comprehensive
2026-04-08T18:57:02Z    INFO    [vuln] Vulnerability scanning is enabled
2026-04-08T18:57:02Z    INFO    [secret] Secret scanning is enabled
2026-04-08T18:57:02Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-04-08T18:57:02Z    INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-04-08T18:57:03Z    INFO    Detected OS     family="debian" version="13.4"
2026-04-08T18:57:03Z    INFO    [debian] Detecting vulnerabilities...   os_version="13" pkg_num=5
2026-04-08T18:57:03Z    INFO    Number of language-specific files       num=1
2026-04-08T18:57:03Z    INFO    [gobinary] Detecting vulnerabilities...
2026-04-08T18:57:03Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.

Report Summary

┌─────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                                   Target                                    │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ mcr.microsoft.com/aks/eno/eno-reconciler:v20260316.20260316.1 (debian 13.4) │  debian  │        0        │    -    │
├─────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ eno-reconciler                                                              │ gobinary │        9        │    -    │
└─────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


eno-reconciler (gobinary)

Total: 9 (UNKNOWN: 6, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2026-25679 │ HIGH     │ fixed  │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-27142 │ MEDIUM   │        │                   │                │ html/template: URLs in meta content attribute actions are   │
│         │                │          │        │                   │                │ not escaped in html/template...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32280 │ UNKNOWN  │        │                   │ 1.25.9, 1.26.2 │ Unexpected work during chain building in crypto/x509        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32281 │          │        │                   │                │ Inefficient policy validation in crypto/x509                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32282 │          │        │                   │                │ TOCTOU permits root escape on Linux via Root.Chmod in os in │
│         │                │          │        │                   │                │ internal/syscall/unix...                                    │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32283 │          │        │                   │                │ Unauthenticated TLS 1.3 KeyUpdate record can cause          │
│         │                │          │        │                   │                │ persistent connection retention and DoS...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32288 │          │        │                   │                │ Unbounded allocation for old GNU sparse in archive/tar      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2026-32289 │          │        │                   │                │ JsBraceDepth Context Tracking Bugs (XSS) in html/template   │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

https://portal.microsofticm.com/imp/v5/incidents/details/771147211/summary

@benchwang benchwang merged commit 6126eeb into main Apr 8, 2026
63 of 67 checks passed