Rebuild etcdctl from source with Go 1.25.10 and patched x/net to remove high-severity CVEs #3

Draft. Copilot wants to merge 2 commits into main from copilot/fix-high-severity-vulnerability

Conversation


Copilot AI commented May 24, 2026

The image currently ships an etcdctl binary compiled with Go 1.25.9, which carries multiple HIGH CVEs in Go stdlib plus a HIGH CVE in golang.org/x/net. This change moves etcdctl to an in-image source build using a patched Go toolchain and updated vulnerable Go modules.

  • Build pipeline: replace prebuilt binary download with source build

    • Switched Docker builder stage from release archive download to compiling etcdctl from etcd-io/etcd tag v3.6.11.
    • Builder now uses golang:1.25.10-bookworm to ensure stdlib fixes are present.
  • Dependency hardening in builder stage

    • Explicitly upgrades vulnerable networking/runtime-adjacent modules during build:
      • golang.org/x/net@v0.55.0
      • golang.org/x/sys@v0.45.0
      • golang.org/x/text@v0.37.0
  • Runtime behavior preserved

    • Final image and wrapper contract remain unchanged (etcdctl-wrapper.sh, entrypoint/cmd flow, binary path in runtime image).
  • Docs alignment

    • Updated README wording to reflect that etcdctl is now built from tagged source during image build (not extracted from release tarballs).
```dockerfile
# Builder stage: compile etcdctl from the tagged etcd source instead of
# downloading a prebuilt release archive.
FROM golang:1.25.10-bookworm AS builder
ARG ETCD_VERSION="v3.6.11"

WORKDIR /build
RUN git clone --branch "${ETCD_VERSION}" --depth 1 https://github.com/etcd-io/etcd.git .

WORKDIR /build/etcdctl
# Bump the x/ modules flagged as vulnerable, then build a static binary.
RUN go get golang.org/x/net@v0.55.0 golang.org/x/sys@v0.45.0 golang.org/x/text@v0.37.0 \
    && go mod download \
    && CGO_ENABLED=0 go build -o /out/etcdctl-bin .
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dhi.io
    • Triggering command: /usr/libexec/docker/cli-plugins/docker-buildx /usr/libexec/docker/cli-plugins/docker-buildx buildx build -t etcdctl:test . (dns block)

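A check a reviewer would want before trusting this build, added here as an example and not part of the PR: parse the output of `go version -m` on the produced binary and confirm that the embedded toolchain and module versions are the ones this change claims (Go 1.25.10, x/net v0.55.0, x/sys v0.45.0, x/text v0.37.0). The two sample outputs are constructed; the `h1:` hashes are placeholders and the stale sample is illustrative, not the real contents of the previous image's binary.

```shell
# Added example, not part of the PR: confirm that a built etcdctl binary
# embeds the toolchain and module versions the change claims. Input is the
# text printed by `go version -m <binary>` (awk's default whitespace
# splitting handles the real tab-separated output as well as spaces).

# Print the version of one module; a "=>" line right after the dep line
# (a replace directive) overrides the required version.
module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "dep"             { cur = $2; if (cur == m) v = $3 }
        $1 == "=>" && cur == m  { v = $3 }
        END                     { print v }'
}

# check_build_versions <go-version-m-output> <go version> [module@version ...]
# Returns 0 only if every expectation matches; each mismatch is printed.
check_build_versions() {
    out="$1"; want_go="$2"; shift 2
    rc=0
    got_go=$(printf '%s\n' "$out" | awk 'NR == 1 { print $NF }')
    if [ "$got_go" != "$want_go" ]; then
        echo "toolchain: want $want_go, got ${got_go:-none}"; rc=1
    fi
    for want in "$@"; do
        mod=${want%@*}; ver=${want#*@}
        got=$(module_version "$out" "$mod")
        if [ "$got" != "$ver" ]; then
            echo "$mod: want $ver, got ${got:-missing}"; rc=1
        fi
    done
    return $rc
}

# Constructed sample standing in for `go version -m /out/etcdctl-bin` after
# this change (h1: hashes are placeholders).
SAMPLE_PATCHED='/out/etcdctl-bin: go1.25.10
    path    go.etcd.io/etcd/etcdctl/v3
    mod     go.etcd.io/etcd/etcdctl/v3  (devel)
    dep     golang.org/x/net    v0.55.0 h1:PLACEHOLDER
    dep     golang.org/x/sys    v0.45.0 h1:PLACEHOLDER
    dep     golang.org/x/text   v0.37.0 h1:PLACEHOLDER'

# Constructed sample of a stale binary (illustrative, not the old image's
# actual contents): older toolchain and an x/net below the required version.
SAMPLE_STALE='/usr/local/bin/etcdctl: go1.25.9
    path    go.etcd.io/etcd/etcdctl/v3
    dep     golang.org/x/net    v0.54.0 h1:PLACEHOLDER
    dep     golang.org/x/sys    v0.45.0 h1:PLACEHOLDER'
check_build_versions "$SAMPLE_PATCHED" go1.25.10 golang.org/x/net@v0.55.0 \
    golang.org/x/sys@v0.45.0 golang.org/x/text@v0.37.0 && echo "patched build: ok"
```

Against a real image, run it as `check_build_versions "$(go version -m /out/etcdctl-bin)" go1.25.10 golang.org/x/net@v0.55.0 golang.org/x/sys@v0.45.0 golang.org/x/text@v0.37.0` in the builder stage so a stale toolchain or module fails the build.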

Copilot AI linked an issue May 24, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Fix high severity vulnerability in etcd-utils" to "Rebuild etcdctl from source with Go 1.25.10 and patched x/net to remove high-severity CVEs" May 24, 2026
Copilot AI requested a review from dejanu May 24, 2026 19:13
Copilot finished work on behalf of dejanu May 24, 2026 19:13

Development

Successfully merging this pull request may close these issues.

High Severity Vulnerability in etcd-utils