bump google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 [release-4.20]#646
bump google.golang.org/grpc to v1.79.3 to fix CVE-2026-33186 [release-4.20]#646zhiqiangf wants to merge 1 commit intoopenshift:release-4.20from
Conversation
Bump google.golang.org/grpc from v1.74.2 to v1.79.3 to address CVE-2026-33186 (gRPC-Go: Authorization bypass due to improper HTTP/2 path validation). Fixes: https://redhat.atlassian.net/browse/OCPBUGS-80625 Fixes: https://redhat.atlassian.net/browse/OCPBUGS-80624 Fixes: https://redhat.atlassian.net/browse/OCPBUGS-80623 Fixes: https://redhat.atlassian.net/browse/OCPBUGS-80622 Fixes: https://redhat.atlassian.net/browse/OCPBUGS-80621
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: zhiqiangf The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@zhiqiangf: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
1 participant
Description
Bump
google.golang.org/grpcfromv1.74.2tov1.79.3to address CVE-2026-33186 (gRPC-Go: Authorization bypass due to improper HTTP/2 path validation, CVSS 9.1 Critical).Versions prior to v1.79.3 accept HTTP/2
:pathheaders without a leading slash, causing path-based authorization interceptors to silently miss deny rules. Pure dependency bump — no code changes required.Testing
make fmt✓make vet✓Jira