OCPBUGS-81791: Bump github.com/go-jose/go-jose/v4 to v4.1.4#1496
OCPBUGS-81791: Bump github.com/go-jose/go-jose/v4 to v4.1.4#1496jkaurredhat wants to merge 1 commit into
Conversation
|
@jkaurredhat: This pull request references Jira Issue OCPBUGS-81791, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Update github.com/go-jose/go-jose/v3 from v3.0.4 to v3.0.5 to address CVE-2026-34986 (Go JOSE DoS via crafted JWE object). The assisted-installer-agent is an OpenShift-specific component with no upstream equivalent, so this is an OpenShift-only patch. This update uses go-jose v3.0.5 (compatible with Go 1.21) instead of v4.1.4 which requires Go 1.24+. Release-4.17 uses go-jose v3.x, so the fix is applied within the same major version. Related: OCPBUGS-81791
fa3c912 to
15d8921
Compare
Updated Fix ApproachChanged the fix from v4.1.4 → v3.0.5 because:
Changes:
This should now pass CI on release-4.17! 🎉 |
|
@jkaurredhat: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gamli75, jkaurredhat The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
This PR addresses CVE-2026-34986 by bumping github.com/go-jose/go-jose/v4 to v4.1.4,
which includes a fix for a Denial of Service vulnerability via crafted JSON Web Encryption (JWE) objects.
Changes
github.com/go-jose/go-jose/v4from v4.0.5 to v4.1.4go mod tidyandgo mod vendorCVE Details
CVE-2026-34986: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
Test Plan
Related
🤖 Generated with Claude Code