Upgrade go.opentelemetry.io/otel to v1.44.0 - Fix CVE-2026-39883#440
Open
raghavendra-nataraj wants to merge 1 commit into
Open
Upgrade go.opentelemetry.io/otel to v1.44.0 - Fix CVE-2026-39883#440raghavendra-nataraj wants to merge 1 commit into
raghavendra-nataraj wants to merge 1 commit into
Conversation
Bump the OpenTelemetry Go SDK family (otel, otel/metric, otel/sdk, otel/sdk/metric, otel/trace) from v1.39.0 to v1.44.0 to remediate CVE-2026-39883, a PATH hijacking vulnerability in the resource detector (via BSD kenv) affecting otel/sdk 1.15.0-1.42.0 (fixed in v1.43.0). otel/sdk is pulled in transitively via google.golang.org/grpc v1.79.3 and is not compiled into moc (provenance only). Catch-all replace directives pin the family to the fixed version and collapse the go.sum entries to v1.44.0, matching the existing replace convention used for proto/otlp, x/net and x/sys. Addresses Component Governance alert (CVE-2026-39883): https://dev.azure.com/msazure/msk8s/_workitems/edit/37477434 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
Contributor
Author
|
/azp run |
|
Azure Pipelines: Successfully started running 1 pipeline(s). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps the OpenTelemetry Go SDK family (
otel,otel/metric,otel/sdk,otel/sdk/metric,otel/trace) from v1.39.0 to v1.44.0 to remediate CVE-2026-39883 — a PATH hijacking vulnerability in the OTel resource detector (via BSDkenv) affectingotel/sdk1.15.0–1.42.0 (fixed in v1.43.0).Details
otel/sdkis pulled in transitively viagoogle.golang.org/grpc v1.79.3and is not compiled into moc (go mod whyreports the main module does not need it) — it is module-graph provenance only.replacedirectives to pin the family to v1.44.0, matching the existing replace convention already used in this repo forproto/otlp,x/netandx/sys. This collapses thego.sumentries to a single fixed version (no stale v1.39.0 hashes remain).Validation
go mod graphresolves with no missing entriesgo mod verify→ all modules verifiedgo.sumcontains only v1.44.0 otel-family hashesWork item
Addresses Component Governance alert CVE-2026-39883: https://dev.azure.com/msazure/msk8s/_workitems/edit/37477434