Skip to content

Comments

fix: upgrade Go to 1.25.7 to resolve CVE-2025-68121#755

Open
WSandboxedOCCodeBot wants to merge 1 commit intokubernetes:masterfrom
WSandboxedOCCodeBot:fix/go-1.25.7-upgrade
Open

fix: upgrade Go to 1.25.7 to resolve CVE-2025-68121#755
WSandboxedOCCodeBot wants to merge 1 commit intokubernetes:masterfrom
WSandboxedOCCodeBot:fix/go-1.25.7-upgrade

Conversation

@WSandboxedOCCodeBot
Copy link

@WSandboxedOCCodeBot WSandboxedOCCodeBot commented Feb 24, 2026

Summary

Upgrades Go version to 1.25.7 to fix a CRITICAL vulnerability in the Go standard library.

CVE Fixed

CVE-2025-68121 (CRITICAL): crypto/tls session resumption vulnerability

Vulnerability Findings

Trivy Scan Command

trivy image --severity HIGH,CRITICAL registry.k8s.io/coredns/coredns:v1.12.0

Before Fix (registry.k8s.io/coredns/coredns:v1.12.0)

coredns (gobinary)
==================
Total: 3 (HIGH: 2, CRITICAL: 1)

| Library | Vulnerability  | Severity | Title |
|---------|----------------|----------|-------|
| stdlib  | CVE-2025-68121 | CRITICAL | crypto/tls: Unexpected session resumption |
| stdlib  | CVE-2025-47907 | HIGH     | database/sql: Postgres Scan Race Condition |
| stdlib  | CVE-2025-58183 | HIGH     | archive/tar: Unbounded allocation |

After Fix

Go 1.25.7 contains patches for these stdlib vulnerabilities.

This is a minimal patch-level version bump fix.

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Feb 24, 2026

CLA Missing ID CLA Not Signed

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 24, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 24, 2026

Hi @WSandboxedOCCodeBot. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: WSandboxedOCCodeBot
Once this PR has been reviewed and has the lgtm label, please assign damiansawicki for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from MrHohn and bowei February 24, 2026 02:58
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bowei bowei Awaiting requested review from bowei

@MrHohn MrHohn Awaiting requested review from MrHohn

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@WSandboxedOCCodeBot @k8s-ci-robot