OCPBUGS-97639: bump go-billy to v5.9.0 for CVE-2026-44740#16733
OCPBUGS-97639: bump go-billy to v5.9.0 for CVE-2026-44740#16733Cragsmann wants to merge 2 commits into
Conversation
Fixes denial of service via crafted input due to insufficient validation in go-git/go-billy (bsc#1267332). Upgrades github.com/go-git/go-billy/v5 from v5.7.0 to v5.9.0.
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@Cragsmann: This pull request references Jira Issue OCPBUGS-97639, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (8)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThis change updates two transitive dependency versions in go.mod: github.com/go-git/go-billy/v5 from v5.7.0 to v5.9.0, and golang.org/x/exp to a newer pseudo-version. ChangesDependency updates
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 14 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Cragsmann The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@Cragsmann: This pull request references Jira Issue OCPBUGS-97639, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Run `go mod tidy && go mod vendor` to fix vendor inconsistency detected by CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/retest |
1 similar comment
|
/retest |
|
@Cragsmann: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Summary
github.com/go-git/go-billy/v5from v5.7.0 to v5.9.0Details
go-billy prior to v5.9.0 is vulnerable to denial of service through infinite loops, panics, or resource consumption when processing crafted input (bsc#1267332).
Test plan
go mod verifypassesFixes: https://issues.redhat.com/browse/OCPBUGS-97639
Summary by CodeRabbit