chore(core): cve mitigation 11-05-2026#2340
Merged
Merged
Conversation
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
LopatinDmitr
requested review from
Isteb4k,
diafour,
nevermarine,
universal-itengineer and
yaroslavborbat
as code owners
universal-itengineer
approved these changes
May 13, 2026
LopatinDmitr
added a commit
that referenced
this pull request
May 13, 2026
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
LopatinDmitr
added a commit
that referenced
this pull request
May 13, 2026
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
LopatinDmitr
added a commit
that referenced
this pull request
May 14, 2026
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
LopatinDmitr
added a commit
that referenced
this pull request
May 14, 2026
- Fix CVE-2026-29181: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) - Fix CVE-2026-33811: When using LookupCNAME with the cgo DNS resolver, a very long CNAME... - Fix CVE-2026-33814: When processing HTTP/2 SETTINGS frames, transport will enter an infini ... - Fix CVE-2026-39820: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... - Fix CVE-2026-39823: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly ... - Fix CVE-2026-39825: ReverseProxy can forward queries containing parameters not visible to ... - Fix CVE-2026-39826: If a trusted template author were to write a <script> tag containing... - Fix CVE-2026-39836: Panic in Dial and LookupPort when handling NUL byte on Windows in... - Fix CVE-2026-41520: Cillium exposes sensitive information included in the cilium-bugtool debug archive - Fix CVE-2026-42499: Pathological inputs could cause DoS through consumePhrase when parsing ... Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
allocations (remote dos amplification)
archive
Why do we need it, and what problem does it solve?
Security vulnerabilities were identified in several Go libraries and bundled components used by the module. These issues may lead to denial of service, incorrect URL handling, HTTP/2 transport problems, template-related risks, DNS resolver issues, and exposure of sensitive debug information. This change updates affected dependencies and image versions to include upstream fixes and reduce security risk.
What is the expected result?
Checklist
Changelog entries