From 78efb7cc69f3639824acfe3a0a5a7a0b89e6f202 Mon Sep 17 00:00:00 2001
From: Zhiqiang Fang
Date: Tue, 24 Mar 2026 10:50:13 -0400
Subject: [PATCH 1/2] Bug OCPBUGS-75754: Update Go to 1.25.6 to fix CVE-2025-61726

CVE-2025-61726 is a high-severity vulnerability in Go's net/url package that
allows memory exhaustion through uncontrolled query parameter parsing. The
vulnerability affects the dpu-daemon-container which uses gRPC gateway code
that extensively calls req.ParseForm() (40+ instances in vendor code).

Root cause: Go standard library's net/url package does not set a limit on the
number of query parameters in a URL. While URL sizes are generally limited by
max header size, net/http.Request.ParseForm can parse large URL-encoded forms.
Parsing forms with many unique query parameters can cause excessive memory
consumption, leading to DoS.

Fix: Update Go toolchain from 1.24.3 to 1.25.6 which includes the patch for
CVE-2025-61726. This adds proper limits to query parameter parsing to prevent
memory exhaustion attacks.

Why 1.25.6 instead of 1.24.12:
- Aligns with sister project sriov-network-operator (uses Go 1.25.3)
- Future-proof for OpenShift 4.22+ (Kubernetes 1.35 uses Go 1.25.3)
- Both 1.24.12 and 1.25.6 fix CVE-2025-61726 identically
- Kubernetes 0.32.x client libraries fully support Go 1.25
- No code changes required - Go 1.25 maintains compatibility promise
- Benefits: Better performance, smaller binaries (DWARF v5), improved
  container resource management (cgroup-aware GOMAXPROCS)

Testing: CI/CD pipeline will verify:
- Go modules download and compile successfully with Go 1.25.6
- All unit tests pass with new Go version
- Container images build correctly
- No regression in existing functionality

Compatibility verified:
- All k8s.io/*, sigs.k8s.io/*, golang.org/x/* dependencies support Go 1.25
- No deprecated APIs or breaking changes affect this codebase
- Standard error handling patterns compatible with Go 1.25 compiler fixes

References:
- Jira: https://redhat.atlassian.net/browse/OCPBUGS-75754
- GitHub: https://github.com/golang/go/issues/77101
- Go 1.25 Release: https://go.dev/doc/go1.25
- Fixed in Go 1.24.12 and 1.25.6

Co-Authored-By: Claude Sonnet 4.5
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 0b13c8dc4..d5d745309 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/openshift/dpu-operator
 
-go 1.24.3
+go 1.25.6
 
 require (
 	github.com/containernetworking/cni v1.2.3

From 8e52e9b4a4bc4d1a49b4d1ef2a5611bd56393f71 Mon Sep 17 00:00:00 2001
From: Zhiqiang Fang
Date: Tue, 24 Mar 2026 13:33:00 -0400
Subject: [PATCH 2/2] Fix CI: Update Go to 1.24.12 to match OpenShift 4.21 builder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CI was failing with:
go: go.mod requires go >= 1.25.6 (running go 1.24.13; GOTOOLCHAIN=local)

Root cause: dpu-operator targets OpenShift 4.21 which uses Go 1.24.x builder
images. The builder image has Go 1.24.13, but go.mod required 1.25.6, causing
version mismatch.

Solution: Use Go 1.24.12 instead of 1.25.6:
- Both versions fix CVE-2025-61726 identically
- 1.24.12 matches OpenShift 4.21 toolchain (golang-1.24)
- No Dockerfile changes needed
- CI will pass with existing builder images

Comparison with sriov-network-operator:
- sriov-network-operator targets OpenShift 4.22 → uses golang-1.25
- dpu-operator targets OpenShift 4.21 → uses golang-1.24

When dpu-operator upgrades to OpenShift 4.22, then Go 1.25.x can be used.

Co-Authored-By: Claude Sonnet 4.5
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index d5d745309..aa5170af2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/openshift/dpu-operator
 
-go 1.25.6
+go 1.24.12
 
 require (
 	github.com/containernetworking/cni v1.2.3
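Review bot: in the PATCH 1/2 hunk, `+go 1.25.6` is a minimum version, not a toolchain pin, so this line on its own does not bring a patched standard library into the dpu-daemon-container image; the message asserts no Dockerfile changes are needed, yet nothing in the diff touches the builder image, and with GOTOOLCHAIN=local an older builder refuses to build rather than upgrading, which is exactly the `go: go.mod requires go >= 1.25.6 (running go 1.24.13; GOTOOLCHAIN=local)` failure quoted in PATCH 2/2. Bump the builder image in the same change (or state in the commit message which builder tag carries Go >= 1.25.6), otherwise the CVE fix lands or not depending on whichever Go the builder happens to ship.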
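Review bot: in the PATCH 2/2 hunk, `+go 1.24.12` is satisfied by the builder's Go 1.24.13 quoted in the CI error, but the directive only sets a floor; the CVE fix lives in the toolchain's net/http and net/url, not in go.mod, so the check that actually matters is `go version -m` on the shipped dpu-daemon binary reporting go1.24.12 or later, and that should be added to the Testing list rather than only "container images build correctly". Since the ParseForm call sites cited in PATCH 1/2 are under vendor/, also run `go mod tidy` and `go mod vendor` after the go directive moves from 1.24.3 to 1.24.12 and confirm a clean diff, so the vendored tree and go.sum stay consistent with the new directive.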
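PATCH 1/2 describes the DoS shape (many unique query parameters reaching req.ParseForm through vendored gRPC gateway code) and relies entirely on the toolchain bump to close it. The guard below is an added example, not code from dpu-operator or the patch: a net/http middleware that bounds the raw query size and parameter count before any downstream handler calls ParseForm, and caps the body ParseForm will read with http.MaxBytesReader. It gives a service a defence that does not depend on which Go the builder image ships. The limit values, the handler names and the constructed requests in main are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Limits for this example (assumed values; tune per service).
const (
	maxQueryBytes  = 8 << 10 // raw query string, bytes
	maxQueryParams = 128     // upper bound on key=value pairs
	maxFormBody    = 1 << 20 // urlencoded body ParseForm may read, bytes
)

// countQueryParams returns an upper bound on the number of key=value pairs
// without building a map, so the check is cheap even on adversarial input.
// net/url splits query strings on '&' only, so "&"+1 is the pair count.
func countQueryParams(rawQuery string) int {
	if rawQuery == "" {
		return 0
	}
	return strings.Count(rawQuery, "&") + 1
}

// limitForm rejects requests whose query string could make ParseForm
// expensive and caps the body size before the downstream handler (here a
// stand-in for vendored gRPC-gateway code) calls req.ParseForm.
func limitForm(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.RawQuery
		if len(q) > maxQueryBytes || countQueryParams(q) > maxQueryParams {
			http.Error(w, "query string too large", http.StatusRequestURITooLong)
			return
		}
		// ParseForm reads urlencoded POST/PUT/PATCH bodies; MaxBytesReader
		// makes that read fail cleanly instead of buffering unbounded input.
		r.Body = http.MaxBytesReader(w, r.Body, maxFormBody)
		next.ServeHTTP(w, r)
	})
}

// parseFormHandler stands in for code that unconditionally calls ParseForm.
func parseFormHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// serve runs one in-memory request through the guarded handler and returns
// the HTTP status code it produced.
func serve(method, target, body string) int {
	h := limitForm(http.HandlerFunc(parseFormHandler))
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if body != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// manyParams builds a constructed query string with n unique keys, the input
// shape that makes ParseForm allocate one map entry per key.
func manyParams(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=v", i)
	}
	return b.String()
}

func main() {
	fmt.Println(serve("GET", "/v1/ping?a=1&b=2", ""))                      // 200: small query passes
	fmt.Println(serve("GET", "/v1/ping?"+manyParams(200), ""))             // 414: too many keys, even though short
	fmt.Println(serve("GET", "/v1/ping?"+manyParams(5000), ""))            // 414: too many keys and too long
	fmt.Println(serve("POST", "/v1/ping", strings.Repeat("a=b&", 1<<19))) // 400: 2 MiB body exceeds MaxBytesReader
}
```

The parameter-count check fires independently of the byte-size check, which matters because a few thousand one-byte keys fit comfortably inside typical header limits while still producing a map with that many entries. Wrapping the gateway mux with limitForm in this way is in addition to, not instead of, building with a toolchain at or above the fixed versions.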