[release-0.99] CVE-2026-33186: Bump grpc#2683
sbiradar10 wants to merge 1 commit into kubevirt:release-0.99
Conversation
Signed-off-by: Super User <sbiradar@redhat.com>
/release-note-none

	kubevirt.io/client-go => kubevirt.io/client-go v1.4.0
)

replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
grpc 1.79.3 requires Go 1.24, and this repo is using 1.23, so our team (sustaining team) created this fork for the lower Go version.
What's the diff from the original repo?
In the original repo we don't have any remediation for the lower Go version (> 1.23), so we forked it and created a patch till 1.23.

If it's not too troublesome, could you please show me the commit you branched from on the original, and the PR(s) diff since you branched?
@gemini-code-assist review this PR
Code Review
This pull request updates several dependencies and their vendored code, including major components of OpenTelemetry and gRPC. It also introduces a replace directive in go.mod to use a fork of the grpc-go library and adds new internal telemetry and auto-instrumentation SDK packages. I have no feedback to provide.
Hey @RamLavi, can you please check this?
Hey @sbiradar10, the description makes this sound like a narrow security backport, but the actual change appears to pull CNAO from
Can you please clarify:
If this is truly the smallest viable fix, I think the PR description should say that explicitly. Right now "bump grpc" understates the actual scope of the change.
@Atharva-Shinde ^^ can you please reply here?
Hey @RamLavi,
It is not pragmatic to backport the fix to each grpc version available.
github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 is based upon the tag https://github.com/openshift-sustaining/grpc-go/tree/v1.75.1.
The patch-specific unit tests from the grpc-go module were used for testing the patches; moreover, the unit and e2e test suite of the component (in this case cluster-network-addons-operator) should be able to capture any build- or regression-related issues.
Hey @RamLavi, can you have a look here?
grpc-go supports only the last 2 releases, so the 1.65 CNAO uses here is no longer supported, which explains why they don't have it.
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: RamLavi
The full list of commands accepted by this bot can be found here. The pull request process is described here.

Bumping grpc to 1.79.3 leads to a Go bump, so I used the grpc fork to avoid this:
Used the below command for the replace:
go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/grpc-go@v1.75.1-sec.1
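A check for the two questions raised in this thread (what the replace directive actually points at, and what the fork differs in from the tag it claims as its base), as an added example that is not part of this PR or of CNAO. It lists go.mod replace directives that redirect a module to a fork, derives the upstream tag by stripping the fork's version suffix, and prints the git diff command a reviewer would run; the go.mod content is constructed, and the v1.65.0 pin and the suffix convention are assumptions.

```shell
# Added example (not code from the PR or from CNAO): report go.mod replace
# directives that redirect a module to a different module path (a fork).
# Assumes the form `go mod edit -replace old=new@version` writes: `old => new version`.

# Reads go.mod on stdin; prints "old new version upstream_tag" per fork replace.
audit_replaces() {
    # Flatten single-line and block-form replace directives into "old => new version".
    awk '
        /^replace[ \t]*\(/ { inblock = 1; next }
        inblock && /^\)/   { inblock = 0; next }
        /^replace[ \t]/    { sub(/^replace[ \t]+/, ""); print; next }
        inblock            { sub(/^[ \t]+/, ""); print }
    ' |
    while read -r old arrow new ver; do
        [ "$arrow" = "=>" ] || continue               # comments, odd lines
        case "$new" in ./*|../*|/*) continue ;; esac  # local directory, not a fork
        [ "$old" != "$new" ] || continue              # same path: a plain version pin
        # Assumption: a fork keeps the upstream tag as the prefix of its version,
        # so v1.75.1-sec.1 claims to be based on v1.75.1.
        upstream=${ver%%-*}
        printf '%s %s %s %s\n' "$old" "$new" "$ver" "$upstream"
    done
}

# fork_diff_cmd NEW VERSION UPSTREAM_TAG: the git invocation a reviewer runs
# to see exactly what the fork changed relative to the tag it is based on.
fork_diff_cmd() {
    printf 'git clone https://%s fork && cd fork && git diff --stat %s %s\n' "$1" "$3" "$2"
}

# Constructed go.mod resembling the one this PR edits (the v1.65.0 pin is
# assumed from the thread's mention of grpc 1.65, not copied from the repo).
sample_gomod() {
    cat <<'EOF'
go 1.23
require (
    google.golang.org/grpc v1.65.0
)
replace (
    kubevirt.io/client-go => kubevirt.io/client-go v1.4.0
    github.com/example/local => ../local
)
replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
EOF
}

sample_gomod | audit_replaces | while read -r old new ver upstream; do
    echo "$old is replaced by fork $new ($ver, claims base $upstream); verify with:"
    fork_diff_cmd "$new" "$ver" "$upstream"
done
```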