Skip to content

[release-1.3] Bump golang.org/x/net to v0.57.0 (requires Go 1.25)#5368

Open
smerkviladze wants to merge 1 commit into
opencontainers:release-1.3from
smerkviladze:release-1.3-bump-x-net
Open

[release-1.3] Bump golang.org/x/net to v0.57.0 (requires Go 1.25)#5368
smerkviladze wants to merge 1 commit into
opencontainers:release-1.3from
smerkviladze:release-1.3-bump-x-net

Conversation

@smerkviladze

@smerkviladze smerkviladze commented Jul 10, 2026

Copy link
Copy Markdown

Bumps golang.org/x/net to v0.57.0, and golang.org/x/sys to v0.47.0 (required by the new x/net);

The version bump satisfies vulnerability scanners that flag the affected module version: CVE-2026-39821

Both modules require Go 1.25, so this raises the minimum Go version for building runc on this branch from 1.23 to 1.25:

  • go.mod: go directive 1.23.0 → 1.25.0
  • CI: Go 1.23.x dropped from the test matrix (1.25.x and 1.26.x remain)

The Go 1.25+ runtime holds cgroup CPU limit fds open for container-aware GOMAXPROCS (https://go.dev/cl/670497), which trips the fd-leak integration test. Whitelisted the v1 files; plus the cgroup v2 cpu.max equivalent, which shows up when the test runs in nested-container environments.

Also bump golang.org/x/sys to v0.47.0. Both modules now require
Go 1.25, so raise the go directive in go.mod from 1.23.0 to 1.25.0
and drop Go 1.23 from the CI test matrix.

Starting with Go 1.25, the runtime opens the cgroup CPU limit files
(cpu.cfs_quota_us and cpu.cfs_period_us on cgroup v1, cpu.max on
cgroup v2) and keeps them open to periodically re-evaluate GOMAXPROCS
(https://go.dev/cl/670497\). As a result, a container's init process
now legitimately holds these file descriptors, which the fd leak
integration test used to flag as a leak. Add them to the test's
whitelist of allowed fd targets.

Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
@rata

rata commented Jul 10, 2026

Copy link
Copy Markdown
Member

Why is this needed? I didn't follow

@smerkviladze

Copy link
Copy Markdown
Author

Why is this needed? I didn't follow

The bump satisfies vulnerability scanners that flag the module version (CVE-2026-39821).

@rata

rata commented Jul 10, 2026

Copy link
Copy Markdown
Member

@smerkviladze Oh, that wasn't mentioned at all.

Also, the commit seems to do quite more stuff that updaging the dependency. If you copied stuff from main, a proper cherry-pick is what is expected.

But there is no earlier release that fixes the CVE that maybe doesn't require a go update?

@smerkviladze

Copy link
Copy Markdown
Author

@smerkviladze Oh, that wasn't mentioned at all.

Also, the commit seems to do quite more stuff that updaging the dependency. If you copied stuff from main, a proper cherry-pick is what is expected.

But there is no earlier release that fixes the CVE that maybe doesn't require a go update?

Unfortunately, no. The CVE is fixed in x/net v0.55.0, and every release containing the fix requires Go 1.25. The last x/net version that still builds with Go 1.23 is v0.43.0, which predates the fix; so bumping past the CVE unavoidably raises the minimum Go version.

Please let me know if the Go bump is acceptable for release-1.3, and I will split the PR into separate commits and cherry-pick the relevant ones from upstream.

@rata

rata commented Jul 10, 2026

Copy link
Copy Markdown
Member

Hmm, but I don't think we use the vuln functions directly/indirectly, right? govulncheck probably doesn't report it, right? It's just scanners that just check the version the problem? Which one in particular are you seeing the issue with?

@smerkviladze

Copy link
Copy Markdown
Author

Hmm, but I don't think we use the vuln functions directly/indirectly, right? govulncheck probably doesn't report it, right? It's just scanners that just check the version the problem? Which one in particular are you seeing the issue with?

Correct on both counts. I ran govulncheck on release-1.3 to confirm: "Your code is affected by 0 vulnerabilities. This scan also found … 1 vulnerability in modules you require, but your code doesn't appear to call these vulnerabilities."

So yes, it's version-matching scanners flagging the module version rather than an actual exposure. In our case it's Sysdig, which scans the vendored module versions and flags golang.org/x/net < v0.55.0 regardless of which packages are used.

@rata

rata commented Jul 10, 2026

Copy link
Copy Markdown
Member

We did changed it once: #4277 (comment)

Oh, but this is v1.3. It will receive high severity fixes now, see the policy: https://github.com/opencontainers/runc/blob/main/RELEASES.md#support-policy. And it will be unsupported in a few months.

Can't you update to runc 1.5? Updating the dep there is also simpler :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants