Skip to content

Upgrade go.opentelemetry.io/otel to v1.44.0 - Fix CVE-2026-39883#440

Open
raghavendra-nataraj wants to merge 1 commit into
mainfrom
raghavendra-nataraj/fix-otel-sdk-cve
Open

Upgrade go.opentelemetry.io/otel to v1.44.0 - Fix CVE-2026-39883#440
raghavendra-nataraj wants to merge 1 commit into
mainfrom
raghavendra-nataraj/fix-otel-sdk-cve

Conversation

@raghavendra-nataraj

Copy link
Copy Markdown
Contributor

Summary

Bumps the OpenTelemetry Go SDK family (otel, otel/metric, otel/sdk, otel/sdk/metric, otel/trace) from v1.39.0 to v1.44.0 to remediate CVE-2026-39883 — a PATH hijacking vulnerability in the OTel resource detector (via BSD kenv) affecting otel/sdk 1.15.0–1.42.0 (fixed in v1.43.0).

Details

  • otel/sdk is pulled in transitively via google.golang.org/grpc v1.79.3 and is not compiled into moc (go mod why reports the main module does not need it) — it is module-graph provenance only.
  • Fix uses catch-all replace directives to pin the family to v1.44.0, matching the existing replace convention already used in this repo for proto/otlp, x/net and x/sys. This collapses the go.sum entries to a single fixed version (no stale v1.39.0 hashes remain).

Validation

  • go mod graph resolves with no missing entries
  • go mod verifyall modules verified
  • go.sum contains only v1.44.0 otel-family hashes

Work item

Addresses Component Governance alert CVE-2026-39883: https://dev.azure.com/msazure/msk8s/_workitems/edit/37477434

Bump the OpenTelemetry Go SDK family (otel, otel/metric, otel/sdk,
otel/sdk/metric, otel/trace) from v1.39.0 to v1.44.0 to remediate
CVE-2026-39883, a PATH hijacking vulnerability in the resource
detector (via BSD kenv) affecting otel/sdk 1.15.0-1.42.0 (fixed in
v1.43.0).

otel/sdk is pulled in transitively via google.golang.org/grpc v1.79.3
and is not compiled into moc (provenance only). Catch-all replace
directives pin the family to the fixed version and collapse the
go.sum entries to v1.44.0, matching the existing replace convention
used for proto/otlp, x/net and x/sys.

Addresses Component Governance alert (CVE-2026-39883):
https://dev.azure.com/msazure/msk8s/_workitems/edit/37477434

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@raghavendra-nataraj

Copy link
Copy Markdown
Contributor Author

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant