Bug OCPBUGS-75754: Update Go to 1.25.6 to fix CVE-2025-61726 #638
zhiqiangf wants to merge 2 commits into openshift:main from
Conversation
CVE-2025-61726 is a high-severity vulnerability in Go's net/url package that allows memory exhaustion through uncontrolled query parameter parsing. The vulnerability affects the dpu-daemon-container, which uses gRPC gateway code that extensively calls req.ParseForm() (40+ instances in vendor code).

Root cause: Go standard library's net/url package does not set a limit on the number of query parameters in a URL. While URL sizes are generally limited by max header size, net/http.Request.ParseForm can parse large URL-encoded forms. Parsing forms with many unique query parameters can cause excessive memory consumption, leading to DoS.

Fix: Update Go toolchain from 1.24.3 to 1.25.6, which includes the patch for CVE-2025-61726. This adds proper limits to query parameter parsing to prevent memory exhaustion attacks.

Why 1.25.6 instead of 1.24.12:
- Aligns with sister project sriov-network-operator (uses Go 1.25.3)
- Future-proof for OpenShift 4.22+ (Kubernetes 1.35 uses Go 1.25.3)
- Both 1.24.12 and 1.25.6 fix CVE-2025-61726 identically
- Kubernetes 0.32.x client libraries fully support Go 1.25
- No code changes required - Go 1.25 maintains compatibility promise
- Benefits: Better performance, smaller binaries (DWARF v5), improved container resource management (cgroup-aware GOMAXPROCS)

Testing: CI/CD pipeline will verify:
- Go modules download and compile successfully with Go 1.25.6
- All unit tests pass with new Go version
- Container images build correctly
- No regression in existing functionality

Compatibility verified:
- All k8s.io/*, sigs.k8s.io/*, golang.org/x/* dependencies support Go 1.25
- No deprecated APIs or breaking changes affect this codebase
- Standard error handling patterns compatible with Go 1.25 compiler fixes

References:
- Jira: https://redhat.atlassian.net/browse/OCPBUGS-75754
- GitHub: golang/go#77101
- Go 1.25 Release: https://go.dev/doc/go1.25
- Fixed in Go 1.24.12 and 1.25.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@zhiqiangf: This pull request references Jira Issue OCPBUGS-75754, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: zhiqiangf
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
CI was failing with:

    go: go.mod requires go >= 1.25.6 (running go 1.24.13; GOTOOLCHAIN=local)

Root cause: dpu-operator targets OpenShift 4.21, which uses Go 1.24.x builder images. The builder image has Go 1.24.13, but go.mod required 1.25.6, causing a version mismatch.

Solution: Use Go 1.24.12 instead of 1.25.6:
- Both versions fix CVE-2025-61726 identically
- 1.24.12 matches OpenShift 4.21 toolchain (golang-1.24)
- No Dockerfile changes needed
- CI will pass with existing builder images

Comparison with sriov-network-operator:
- sriov-network-operator targets OpenShift 4.22 → uses golang-1.25
- dpu-operator targets OpenShift 4.21 → uses golang-1.24

When dpu-operator upgrades to OpenShift 4.22, Go 1.25.x can be used.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@zhiqiangf: This pull request references Jira Issue OCPBUGS-75754, which is invalid:
/retest
@zhiqiangf: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Closing this PR as it was submitted to the wrong branch. The correct PR
@zhiqiangf: This pull request references Jira Issue OCPBUGS-75754. The bug has been updated to no longer refer to the pull request using the external bug tracker.
Summary
Fixes OCPBUGS-75754, OCPBUGS-75756, OCPBUGS-75755 - Security vulnerability CVE-2025-61726 affecting multiple DPU containers
This PR updates the Go toolchain from 1.24.3 to 1.24.12 to remediate a high-severity memory exhaustion vulnerability in Go's net/url package.
Vulnerability Details
CVE-2025-61726 - Memory exhaustion in query parameter parsing
net/url package lacks limits on query parameter counts in URL-encoded forms
Fix
go.mod: Go 1.24.3 → 1.24.12
Why Go 1.24.12 (not 1.25.6)
Initially attempted Go 1.25.6, but CI failed due to version mismatch:
dpu-operator targets OpenShift 4.21, which uses Go 1.24.x builder images:
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21
Go 1.24.12 is the correct choice because:
Comparison:
When dpu-operator upgrades to OpenShift 4.22, Go 1.25.x can be used.
Testing
CI/CD will verify:
Containers Fixed
All three containers built from this repository are fixed:
References
🤖 Co-Authored-By: Claude Sonnet 4.5
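The first commit message and the Vulnerability Details section above both describe the same failure mode: ParseForm accepts a URL-encoded form with an unbounded number of distinct query parameters, and memory grows with that count. The Go program below is an added example, not code from this PR, from dpu-operator or from the Go fix; it shows a caller-side guard that bounds query length, parameter count and request body size before a request reaches ParseForm, driven by a constructed hostile query. The limits (maxQueryBytes, maxQueryParams, maxBodyBytes), the handler and the helper names are illustrative assumptions. This is defense in depth alongside the toolchain upgrade, not a substitute for it.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Illustrative limits for this example. They are assumptions for demonstration,
// not values taken from the Go fix for CVE-2025-61726 or from dpu-operator.
const (
	maxQueryBytes  = 8 << 10  // raw query string accepted on the request line
	maxQueryParams = 256      // key=value pairs accepted per request
	maxBodyBytes   = 64 << 10 // URL-encoded POST body handed to ParseForm
)

var errTooManyParams = errors.New("too many query parameters")

// countParams gives an upper bound on key=value pairs in a raw query string by
// counting separators. It allocates nothing, so a hostile query is rejected
// before any per-key map entry is created.
func countParams(raw string) int {
	if raw == "" {
		return 0
	}
	return strings.Count(raw, "&") + 1
}

// boundedParseForm applies caller-side limits before delegating to the standard
// library. Even on a patched toolchain a service should not hand an unbounded,
// attacker-controlled form to ParseForm.
func boundedParseForm(w http.ResponseWriter, r *http.Request) (url.Values, error) {
	if n := len(r.URL.RawQuery); n > maxQueryBytes {
		return nil, fmt.Errorf("query string is %d bytes, limit %d", n, maxQueryBytes)
	}
	if n := countParams(r.URL.RawQuery); n > maxQueryParams {
		return nil, fmt.Errorf("%w: %d > %d", errTooManyParams, n, maxQueryParams)
	}
	if r.Body != nil {
		// ParseForm reads the whole body of an application/x-www-form-urlencoded
		// POST; cap it so the read fails instead of buffering an arbitrary amount.
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	}
	if err := r.ParseForm(); err != nil {
		return nil, err
	}
	return r.Form, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	form, err := boundedParseForm(w, r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "accepted %d parameters\n", len(form))
}

// hostileQuery constructs a query with n distinct keys, the input shape the
// advisory describes (constructed sample input, not captured traffic).
func hostileQuery(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=v", i)
	}
	return b.String()
}

// serveGet and servePost drive the handler in-process and return the HTTP status.
func serveGet(rawQuery string) int {
	req := httptest.NewRequest(http.MethodGet, "/api?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func servePost(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("GET, 10 params:    ", serveGet(hostileQuery(10)))     // 200
	fmt.Println("GET, 257 params:   ", serveGet(hostileQuery(257)))    // 413
	fmt.Println("POST, 20000 params:", servePost(hostileQuery(20000))) // 413
}
```

The parameter count is checked on the raw string before ParseForm allocates anything per key, which is the point: the rejection must cost less than the work it prevents. For the POST path the same goal is reached by wrapping the body in http.MaxBytesReader, which ParseForm recognises and reads to completion without its own 10 MB cap, so the read fails at the caller's limit rather than after buffering.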