Conversation

@octo-sts octo-sts bot commented Jan 11, 2026

cloudflared/2025.11.1-r2: fix GHSA-93mf-426m-g6x9

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cloudflared.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/cloudflare/cloudflared@2025.11.1

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump GHSA-93mf-426m-g6x9 p:cloudflared P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 11, 2026
octo-sts bot commented Jan 11, 2026

🛑 Build Failed: Compilation

undefined: quic.Conn and related QUIC interface compilation errors in github.com/coredns/coredns/core/dnsserver

Build Details

Build System:  Go
Failure Point: go build command during compilation of ./cmd/cloudflared

Root Cause Analysis 🔍

The coredns dependency has incompatible QUIC interface usage after the go/bump step updated dependencies. The quic.Conn type is undefined and *quic.Stream is being used as a pointer to interface rather than interface, causing multiple compilation errors in the QUIC server implementation.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: cloudflared.yaml

  • modification at line 25-28 (pipeline go/bump step)

    Original:

      - uses: go/bump
        with:
          deps: |-
            golang.org/x/crypto@v0.45.0
            github.com/coredns/coredns@v1.12.4

    Replacement:

      - uses: go/bump
        with:
          deps: |-
            golang.org/x/crypto@v0.45.0
            github.com/coredns/coredns@v1.12.4
            github.com/quic-go/quic-go@v0.54.1

Content:

Add github.com/quic-go/quic-go@v0.54.1 to the deps list in the go/bump step

Analysis

Both similar fixes follow a consistent pattern: they address QUIC-related compilation errors by upgrading the quic-go dependency to v0.54.1 using go/bump. Fix #0 (teleport-18) upgraded quic-go to v0.54.1 and applied patches for API compatibility changes. Fix #1 (k3s-1.33) upgraded multiple QUIC-related dependencies including quic-go@v0.54.1, webtransport-go@v0.9.0, and go-libp2p@v0.44.0. The pattern indicates that quic.Conn and related QUIC interface issues are resolved by upgrading to compatible versions of the quic-go ecosystem.


Explanation

The QUIC compilation errors (undefined: quic.Conn and related interface issues) are occurring because the coredns dependency update introduced incompatible QUIC interface usage. Both similar fixes demonstrate that upgrading quic-go to v0.54.1 resolves these exact compilation errors. The quic-go v0.54.1 version contains the proper API definitions for quic.Conn and fixes the interface compatibility issues. By adding this dependency upgrade to the existing go/bump step, the build system will ensure that all QUIC-related dependencies use compatible versions, resolving the undefined type errors in the coredns/coredns/core/dnsserver package.


Alternative Approaches

  • Downgrade github.com/coredns/coredns to an earlier version that's compatible with the current quic-go version, though this would go against Wolfi's principle of using latest versions
  • Add additional QUIC-related dependency upgrades like webtransport-go@v0.9.0 if the single quic-go upgrade doesn't resolve all compatibility issues
  • Apply source patches to cloudflared code to adapt to QUIC API changes, similar to the teleport fix, but this would require maintaining custom patches

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 11, 2026
octo-sts bot commented Jan 12, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-w629-mx4q-2f4p has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-w629-mx4q-2f4p
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/cloudflared.advisories.yaml

ID:      CGA-w629-mx4q-2f4p
Package: cloudflared
Aliases: CVE-2025-58063 GHSA-93mf-426m-g6x9
Events:
  - "scan/v1" at 2025-09-10 07:05:29 UTC
  - "pending-upstream-fix" at 2025-09-11 10:12:37 UTC

🔀 v2 advisory logic would not have closed this PR: Found 4 advisories, but 2 of them are not resolved (CGA-mx4m-qf9v-55f4, CGA-9cx8-4m3x-r4mr).

@aborrero aborrero force-pushed the cve-cloudflared-2025.11.1-r2-7649f75328c7b8c2540f4f96b9d522f8 branch from 1504c0a to 736ecc7 on January 15, 2026 11:34
octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-w629-mx4q-2f4p has the latest event type of "pending-upstream-fix"

View with: cg advisory show CGA-w629-mx4q-2f4p
Or view on GitHub: https://github.com/wolfi-dev/advisories/blob/main/cloudflared.advisories.yaml

ID:      CGA-w629-mx4q-2f4p
Package: cloudflared
Aliases: CVE-2025-58063 GHSA-93mf-426m-g6x9
Events:
  - "scan/v1" at 2025-09-10 07:05:29 UTC
  - "pending-upstream-fix" at 2025-09-11 10:12:37 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026
@aborrero aborrero reopened this Jan 15, 2026
octo-sts bot commented Jan 15, 2026

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-3j73-w8w9-7p5m has the latest event type of "PENDING_UPSTREAM_FIX"

View with: cg adv show CGA-3j73-w8w9-7p5m

ID:      CGA-3j73-w8w9-7p5m
Package: cloudflared
Aliases: CVE-2025-58063 GHSA-93mf-426m-g6x9 GO-2025-3942 CGA-3v87-hwj5-gf23
Events:
  - "DETECTION" at 2025-09-10 07:05:29 UTC
  - "PENDING_UPSTREAM_FIX" at 2025-09-11 10:12:37 UTC

@octo-sts octo-sts bot closed this Jan 15, 2026