[release-ocm-2.13] ACM-18942: CVE-2025-22868 x/oauth2 => golang-oauth2 v0.26.openshift.1 #182
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@CrystalChun: This pull request references ACM-18173 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/XXL
openshift-ci
bot
added
the
approved
CrystalChun
force-pushed
the
release-ocm-2.13
branch
from
f5361f8 to
ba70657
Compare
…2 v0.26.openshift.1 To fix the CVE, golang.org/x/oauth2 would need to be bumped to v0.26 or higher. However, this requires a go version upgrade to 1.23, which is currently not feasible for this version as there's no base image with go 1.23. To work around this, we will use github.com/openshift/[email protected] which contains the CVE fix and doesn't require a go version upgrade.
CrystalChun
force-pushed
the
release-ocm-2.13
branch
from
ba70657 to
3bca7f0
Compare
|
@CrystalChun: This pull request references ACM-18173 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retitle [release-ocm-2.13] ACM-18942: CVE-2025-22868 x/oauth2 => golang-oauth2 v0.26.openshift.1 |
openshift-ci
bot
changed the title
|
@CrystalChun: This pull request references ACM-18942 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CrystalChun, gamli75 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
@CrystalChun: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit fec0370
into
openshift:release-ocm-2.13
4 participants
To fix the CVE, golang.org/x/oauth2 would need to be bumped to v0.26 or higher.
However, this requires a go version upgrade to 1.23, which is currently not
feasible for this version as there's no base image with go 1.23. To work
around this, we will use github.com/openshift/[email protected]
which contains the CVE fix and doesn't require a go version upgrade.