
Fix CVE-2026-33186, CVE-2026-25679, CVE-2026-27142, CVE-2026-27171, CVE-2025-60876#233

Merged
kezhenxu94 merged 3 commits intomainfrom
fix-cve-2026-03-20
Mar 20, 2026

Conversation

@kezhenxu94
Member

Summary

Fix multiple CVEs in skywalking-satellite:

  • CVE-2026-33186 (CRITICAL): Upgrade google.golang.org/grpc from v1.78.0 to v1.79.3
  • CVE-2026-25679 (HIGH): Upgrade Go stdlib from 1.25 to 1.25.8
  • CVE-2026-27142 (MEDIUM): Upgrade Go stdlib from 1.25 to 1.25.8
  • CVE-2026-27171 (MEDIUM): Upgrade Alpine base image from 3.19 to 3.21 (zlib fix)
  • CVE-2025-60876 (MEDIUM): Upgrade Alpine base image from 3.19 to 3.21 (busybox fix)

Changes

  • go.mod: Bumped Go version to 1.25.8, upgraded grpc to v1.79.3
  • docker/Dockerfile: Updated Go builder image to 1.25.8, Alpine base to 3.21

…VE-2025-60876

- Upgrade google.golang.org/grpc from v1.78.0 to v1.79.3 (CVE-2026-33186)
- Upgrade Go from 1.25 to 1.25.8 (CVE-2026-25679, CVE-2026-27142)
- Upgrade Alpine base image from 3.19 to 3.21 (CVE-2026-27171, CVE-2025-60876)
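The go directive in go.mod only declares a minimum, and the CVE fixes above only reach users through whichever toolchain and module versions actually went into the shipped binary, so a defender's follow-up is to inspect the artifact with `go version -m`. Added example, not code from the PR or the project: it parses a constructed sample of that output and flags any component below the fixed versions listed above (the sample text, the `minimums` map and the function names are assumptions).

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed `go version -m <binary>` output (not from the project): built with the fixed Go, but still linking the old grpc.
const sampleBuildInfo = `satellite: go1.25.8
	mod	github.com/apache/skywalking-satellite	(devel)
	dep	google.golang.org/grpc	v1.78.0	h1:constructedhash
`
// Minimum fixed versions, taken from the PR description.
var minimums = map[string]string{"go": "1.25.8", "google.golang.org/grpc": "1.79.3"}

// versionBelow reports whether dotted version a is older than b; a missing or non-numeric component counts as 0, so "1.25" is below "1.25.8".
func versionBelow(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}
// CheckBuildInfo returns one finding per toolchain/module that is below its fixed minimum.
func CheckBuildInfo(info string) []string {
	var findings []string
	for _, line := range strings.Split(info, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && strings.HasPrefix(f[1], "go") { // header "<binary>: go1.25.8", rewritten to dep form
			f = []string{"dep", "go", strings.TrimPrefix(f[1], "go")}
		}
		if len(f) < 3 || (f[0] != "dep" && f[0] != "mod") {
			continue
		}
		name, ver := f[1], strings.TrimPrefix(f[2], "v")
		if floor, ok := minimums[name]; ok && versionBelow(ver, floor) {
			findings = append(findings, name+" "+ver+" < "+floor)
		}
	}
	return findings
}
```

Run against a real binary by piping `go version -m ./satellite` into CheckBuildInfo; an empty result means every tracked component is at or above its fixed version.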
Copilot AI review requested due to automatic review settings March 20, 2026 04:19

Copilot AI left a comment


Pull request overview

This PR updates the project’s Go and container build dependencies to address several reported CVEs in skywalking-satellite, primarily by bumping google.golang.org/grpc, the Go toolchain version used for builds, and the Alpine runtime base image.

Changes:

  • Upgraded google.golang.org/grpc to v1.79.3 (and corresponding indirect deps in go.sum).
  • Updated the Docker build image to Go 1.25.8 and runtime base image to alpine:3.21.
  • Updated indirect module versions in go.sum as a result of dependency upgrades.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File               Description
go.mod             Bumps Go version declaration and upgrades grpc + indirect genproto reference.
go.sum             Refreshes dependency checksums/versions due to module upgrades (grpc, otel, genproto).
docker/Dockerfile  Updates builder Go image tag and Alpine runtime base image version.


go.mod Outdated
module github.com/apache/skywalking-satellite

go 1.25
go 1.25.8
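Review bot: `go 1.25.8` is a valid directive on Go 1.21 and later toolchains (the go line accepts a full version and sets the minimum Go required for the module), so it does not by itself make `go mod tidy` fail; with GOTOOLCHAIN=auto an older local Go fetches 1.25.8, and with GOTOOLCHAIN=local it refuses to build. The split form `go 1.25` plus `toolchain go1.25.8` is still the clearer choice, since it keeps the language version at 1.25 while pinning the toolchain the stdlib CVE fix depends on. Either way, the fix only reaches the shipped binary if the compiler used in CI and in the Dockerfile builder stage (bumped to 1.25.8 in this PR) is actually that version, so verify the builder image tag rather than relying on go.mod alone.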

Copilot AI Mar 20, 2026


The go directive in go.mod only accepts a major.minor version (e.g., 1.25), not a patch version. Using go 1.25.8 will cause go mod tidy / builds to fail with an invalid Go version. Keep go 1.25 and, if you need to pin the patch level for the CVE fix, add a toolchain go1.25.8 directive (and/or align CI/Docker to that toolchain).

Suggested change
go 1.25.8
go 1.25
toolchain go1.25.8

- Fix go.mod: use 'go 1.25' + 'toolchain go1.25.8' (patch version not valid in go directive)
- Fix TestStaticServer: replace fixed sleep with retry loop since grpc.NewClient
  connects lazily and both connections may not be READY within 1 second
- Fix Istio E2E: add xpack.security.enabled=false for ES 8 compatibility
… operator

Following apache/skywalking@92a8f5d:
- Update SW_KUBERNETES_COMMIT_SHA to 2850db1502283a2d8516146c57cc2b49f1da934b
  (supports ECK operator with ES 8.18.8)
- Add ECK operator installation step before SkyWalking install
- Switch helm install from git-clone approach to OCI registry pull
- Replace --set elasticsearch.replicas/minimumMasterNodes with --set eckOperator.enabled=false
- Fix values file path (no longer relative to chart subdir)
- Remove xpack.security.enabled from values.yaml (ECK handles ES security)
@kezhenxu94 kezhenxu94 merged commit b2ceca4 into main Mar 20, 2026
19 checks passed
@kezhenxu94 kezhenxu94 deleted the fix-cve-2026-03-20 branch March 20, 2026 06:22