Skip to content

Commit 54f0ec5

Browse files
hardcoretimeIsteb4k
hardcoretime
authored and
Isteb4k
committed
chore: update base images and Golang dependencies (#1846)
- Used the builder/golang-alt image instead of builder/alt and package installation. - Updated base image to Golang 1.24.11 to resolve CVE-2025-61729. - Updated golang.org/x/crypto to version 0.45.0 to resolve CVE-2025-47914. Signed-off-by: Roman Sysoev <[email protected]> (cherry picked from commit 95f95e4)
1 parent 35f5c1d commit 54f0ec5

File tree

6 files changed

+143
-195
lines changed

6 files changed

+143
-195
lines changed

build/components/versions.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ firmware:
44
edk2: stable202411
55
core:
66
3p-kubevirt: v1.6.2-v12n.3
7-
3p-containerized-data-importer: v1.60.3-v12n.12
7+
3p-containerized-data-importer: v1.60.3-v12n.13
88
distribution: 2.8.3
99
package:
1010
acl: v2.3.1

images/cdi-artifact/werf.inc.yaml

Lines changed: 1 addition & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ shell:
4747
---
4848
image: {{ .ModuleNamePrefix }}{{ .ImageName }}
4949
final: false
50-
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }}
50+
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.24" "builder/golang-alt-svace-1.24" }}
5151
mount:
5252
- fromPath: ~/go-pkg-cache
5353
to: /go/pkg
@@ -63,12 +63,6 @@ import:
6363
before: install
6464
{{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
6565
shell:
66-
beforeInstall:
67-
{{- include "alt packages proxy" . | nindent 2 }}
68-
- |
69-
apt-get -qq install -y \
70-
git binutils make gcc golang
71-
{{- include "alt packages clean" . | nindent 2 }}
7266
install:
7367
- |
7468
# Install packages

images/dvcr-artifact/werf.inc.yaml

Lines changed: 1 addition & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,6 @@
11
---
22
{{- $nameDeps := print $.ImageName "-dependencies" -}}
33
{{- define "$nameDeps" -}}
4-
altPackages:
5-
- gcc
6-
- git golang make binutils
74
packages:
85
- libnbd
96
- libxml2
@@ -14,7 +11,7 @@ packages:
1411

1512
image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
1613
final: false
17-
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }}
14+
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.24" "builder/golang-alt-svace-1.24" }}
1815
git:
1916
- add: {{ .ModuleDir }}/images/{{ .ImageName }}
2017
to: /src
@@ -30,12 +27,6 @@ secrets:
3027
import:
3128
{{- include "importPackageImages" (list . $builderDeps.packages "install") -}}
3229
shell:
33-
beforeInstall:
34-
{{- include "alt packages proxy" . | nindent 2 }}
35-
- |
36-
apt-get -qq install -y \
37-
{{ $builderDeps.altPackages | join " " }}
38-
{{- include "alt packages clean" . | nindent 2 }}
3930
install:
4031
- |
4132
# Install packages

images/virt-artifact/werf.inc.yaml

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -25,12 +25,9 @@ shell:
2525
{{- $name := print .ImageName "-dependencies" -}}
2626
{{- define "$name" -}}
2727
altPackages:
28-
- git
2928
- pkg-config
3029
- libtool
31-
- gcc
3230
- gcc-c++
33-
- golang
3431
packages:
3532
- libmnl
3633
- ncurses
@@ -46,7 +43,7 @@ packages:
4643

4744
image: {{ .ModuleNamePrefix }}{{ .ImageName }}
4845
final: false
49-
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }}
46+
fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.24" "builder/golang-alt-svace-1.24" }}
5047
mount:
5148
- fromPath: ~/go-pkg-cache
5249
to: /go/pkg

images/vm-route-forge/go.mod

Lines changed: 33 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,15 @@ go 1.24.6
55
tool github.com/cilium/ebpf/cmd/bpf2go
66

77
require (
8-
github.com/cilium/cilium v1.15.16
8+
github.com/cilium/cilium v1.16.17
99
github.com/cilium/ebpf v0.16.0
1010
github.com/deckhouse/virtualization/api v0.0.0-00010101000000-000000000000
1111
github.com/go-logr/logr v1.4.3
1212
github.com/spf13/cobra v1.9.1
1313
github.com/spf13/pflag v1.0.7
14-
github.com/vishvananda/netlink v1.2.1-beta.2.0.20240524165444-4d4ba1473f21
14+
github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81
1515
go.uber.org/zap v1.27.0
16-
golang.org/x/sys v0.34.0
16+
golang.org/x/sys v0.38.0
1717
k8s.io/apimachinery v0.33.3
1818
k8s.io/client-go v0.33.3
1919
sigs.k8s.io/controller-runtime v0.21.0
@@ -26,40 +26,39 @@ require (
2626
github.com/beorn7/perks v1.0.1 // indirect
2727
github.com/blang/semver/v4 v4.0.0 // indirect
2828
github.com/cespare/xxhash/v2 v2.3.0 // indirect
29-
github.com/cilium/proxy v0.0.0-20231202123106-38b645b854f3 // indirect
29+
github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 // indirect
30+
github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a // indirect
3031
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
31-
github.com/emicklei/go-restful/v3 v3.11.2 // indirect
32+
github.com/emicklei/go-restful/v3 v3.12.0 // indirect
3233
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
3334
github.com/fsnotify/fsnotify v1.7.0 // indirect
3435
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
3536
github.com/go-logr/stdr v1.2.2 // indirect
3637
github.com/go-logr/zapr v1.3.0 // indirect
37-
github.com/go-ole/go-ole v1.2.6 // indirect
38-
github.com/go-openapi/analysis v0.21.4 // indirect
39-
github.com/go-openapi/errors v0.20.4 // indirect
38+
github.com/go-openapi/analysis v0.23.0 // indirect
39+
github.com/go-openapi/errors v0.22.0 // indirect
4040
github.com/go-openapi/jsonpointer v0.21.0 // indirect
41-
github.com/go-openapi/jsonreference v0.20.4 // indirect
42-
github.com/go-openapi/loads v0.21.2 // indirect
43-
github.com/go-openapi/runtime v0.26.2 // indirect
44-
github.com/go-openapi/spec v0.20.11 // indirect
45-
github.com/go-openapi/strfmt v0.21.9 // indirect
41+
github.com/go-openapi/jsonreference v0.21.0 // indirect
42+
github.com/go-openapi/loads v0.22.0 // indirect
43+
github.com/go-openapi/runtime v0.28.0 // indirect
44+
github.com/go-openapi/spec v0.21.0 // indirect
45+
github.com/go-openapi/strfmt v0.23.0 // indirect
4646
github.com/go-openapi/swag v0.23.0 // indirect
47-
github.com/go-openapi/validate v0.22.3 // indirect
47+
github.com/go-openapi/validate v0.24.0 // indirect
4848
github.com/gogo/protobuf v1.3.2 // indirect
4949
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
5050
github.com/google/btree v1.1.3 // indirect
5151
github.com/google/gnostic-models v0.7.0 // indirect
5252
github.com/google/go-cmp v0.7.0 // indirect
5353
github.com/google/gopacket v1.1.19 // indirect
5454
github.com/google/uuid v1.6.0 // indirect
55-
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
56-
github.com/hashicorp/hcl v1.0.0 // indirect
55+
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
5756
github.com/inconshreveable/mousetrap v1.1.0 // indirect
5857
github.com/josharian/intern v1.0.0 // indirect
5958
github.com/json-iterator/go v1.1.12 // indirect
6059
github.com/kr/pretty v0.3.1 // indirect
6160
github.com/kr/text v0.2.0 // indirect
62-
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
61+
github.com/mackerelio/go-osstat v0.2.5 // indirect
6362
github.com/magiconair/properties v1.8.7 // indirect
6463
github.com/mailru/easyjson v0.7.7 // indirect
6564
github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -69,50 +68,45 @@ require (
6968
github.com/oklog/ulid v1.3.1 // indirect
7069
github.com/openshift/custom-resource-status v1.1.2 // indirect
7170
github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
72-
github.com/pelletier/go-toml/v2 v2.1.0 // indirect
73-
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
71+
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
72+
github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
7473
github.com/pkg/errors v0.9.1 // indirect
7574
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
76-
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
7775
github.com/prometheus/client_golang v1.22.0 // indirect
7876
github.com/prometheus/client_model v0.6.1 // indirect
7977
github.com/prometheus/common v0.62.0 // indirect
8078
github.com/prometheus/procfs v0.15.1 // indirect
8179
github.com/rogpeppe/go-internal v1.13.1 // indirect
8280
github.com/sagikazarmark/locafero v0.4.0 // indirect
8381
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
84-
github.com/sasha-s/go-deadlock v0.3.1 // indirect
85-
github.com/shirou/gopsutil/v3 v3.23.5 // indirect
82+
github.com/sasha-s/go-deadlock v0.3.5 // indirect
8683
github.com/sirupsen/logrus v1.9.3 // indirect
8784
github.com/sourcegraph/conc v0.3.0 // indirect
8885
github.com/spf13/afero v1.11.0 // indirect
8986
github.com/spf13/cast v1.6.0 // indirect
90-
github.com/spf13/viper v1.18.1 // indirect
87+
github.com/spf13/viper v1.19.0 // indirect
9188
github.com/subosito/gotenv v1.6.0 // indirect
92-
github.com/tklauser/go-sysconf v0.3.11 // indirect
93-
github.com/tklauser/numcpus v0.6.0 // indirect
9489
github.com/vishvananda/netns v0.0.4 // indirect
9590
github.com/x448/float16 v0.8.4 // indirect
96-
github.com/yusufpapurcu/wmi v1.2.3 // indirect
97-
go.mongodb.org/mongo-driver v1.13.1 // indirect
91+
go.mongodb.org/mongo-driver v1.14.0 // indirect
9892
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
99-
go.opentelemetry.io/otel v1.33.0 // indirect
100-
go.opentelemetry.io/otel/metric v1.33.0 // indirect
101-
go.opentelemetry.io/otel/trace v1.33.0 // indirect
93+
go.opentelemetry.io/otel v1.34.0 // indirect
94+
go.opentelemetry.io/otel/metric v1.34.0 // indirect
95+
go.opentelemetry.io/otel/trace v1.34.0 // indirect
10296
go.uber.org/dig v1.17.1 // indirect
10397
go.uber.org/multierr v1.11.0 // indirect
10498
go.yaml.in/yaml/v2 v2.4.2 // indirect
10599
go.yaml.in/yaml/v3 v3.0.3 // indirect
106100
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
107101
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
108-
golang.org/x/net v0.39.0 // indirect
109-
golang.org/x/oauth2 v0.27.0 // indirect
110-
golang.org/x/sync v0.14.0 // indirect
111-
golang.org/x/term v0.32.0 // indirect
112-
golang.org/x/text v0.25.0 // indirect
113-
golang.org/x/time v0.9.0 // indirect
102+
golang.org/x/net v0.47.0 // indirect
103+
golang.org/x/oauth2 v0.30.0 // indirect
104+
golang.org/x/sync v0.18.0 // indirect
105+
golang.org/x/term v0.37.0 // indirect
106+
golang.org/x/text v0.31.0 // indirect
107+
golang.org/x/time v0.12.0 // indirect
114108
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
115-
google.golang.org/protobuf v1.36.5 // indirect
109+
google.golang.org/protobuf v1.36.6 // indirect
116110
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
117111
gopkg.in/inf.v0 v0.9.1 // indirect
118112
gopkg.in/ini.v1 v1.67.0 // indirect
@@ -127,12 +121,13 @@ require (
127121
kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect
128122
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
129123
sigs.k8s.io/randfill v1.0.0 // indirect
130-
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
124+
sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
131125
sigs.k8s.io/yaml v1.4.0 // indirect
132126
)
133127

134128
// CVE Replaces
135129
replace (
130+
golang.org/x/crypto => golang.org/x/crypto v0.45.0 // CVE-2024-45337,CVE-2025-22869,CVE-2025-47914
136131
golang.org/x/net => golang.org/x/net v0.40.0 // CVE-2025-22870, CVE-2025-22872
137132
golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0 // CVE-2025-22868
138133
)

0 commit comments

Comments
 (0)