Skip to content

[release-v0.39.1] fix: bump Go to 1.25.8 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729#2793

Open
waveywaves wants to merge 1 commit intotektoncd:release-v0.39.1from
waveywaves:fix/cve-2025-61728-release-v0.39.1
Open

[release-v0.39.1] fix: bump Go to 1.25.8 to fix CVE-2025-61728, CVE-2025-61726, CVE-2025-61729#2793
waveywaves wants to merge 1 commit intotektoncd:release-v0.39.1from
waveywaves:fix/cve-2025-61728-release-v0.39.1

Conversation

@waveywaves
Copy link
Copy Markdown
Member

@waveywaves waveywaves commented Apr 7, 2026
edited
Loading

Changes

Bump Go version to 1.25.8 to fix three CVEs:

  • CVE-2025-61728: Excessive CPU consumption when building archive index in archive/zip
  • CVE-2025-61726: Memory exhaustion in net/url query parameter parsing
  • CVE-2025-61729: Resource exhaustion in crypto/x509 certificate validation

/kind bug

Submitter Checklist

  • Includes tests (if functionality changed/added)
  • Run the code checkers with make check
  • Regenerate the manpages, docs and go formatting with make generated
  • Commit messages follow commit message best practices

Release Notes

Bump Go to 1.25.8 to fix CVE-2025-61728 (archive/zip DoS), CVE-2025-61726 (net/url memory exhaustion), CVE-2025-61729 (crypto/x509 resource exhaustion).

@waveywaves @claude
fix: bump Go to 1.25.8 to fix CVE-2025-61728, CVE-2025-61726, CVE-202…
0eeb374 
…5-61729

- CVE-2025-61728: Excessive CPU consumption in archive/zip
- CVE-2025-61726: Memory exhaustion in net/url
- CVE-2025-61729: Resource exhaustion in crypto/x509

Part of tektoncd#2716

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tekton-robot tekton-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 7, 2026
@tekton-robot tekton-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 7, 2026
@vdemeester
Copy link
Copy Markdown
Member

vdemeester commented Apr 7, 2026

/approve
/lgtm

No ci ?

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 7, 2026
@tekton-robot
Copy link
Copy Markdown
Contributor

tekton-robot commented Apr 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 7, 2026
@chmouel
Copy link
Copy Markdown
Member

chmouel commented Apr 7, 2026

/lgtm

@chmouel
Copy link
Copy Markdown
Member

chmouel commented Apr 7, 2026

/lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chmouel chmouel Awaiting requested review from chmouel

@vinamra28 vinamra28 Awaiting requested review from vinamra28

At least 1 approving review is required to merge this pull request.

Assignees

@vdemeester vdemeester

@chmouel chmouel

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@waveywaves @vdemeester @tekton-robot @chmouel