Skip to content

security: go 1.25.11 + microdnf update UBI9 base (94 -> 8 CVEs, 0 CRITICAL)#289

Merged
blue4209211 merged 1 commit into
mainfrom
security/go1.25.11-x-net-ubi-update
Jul 9, 2026
Merged

security: go 1.25.11 + microdnf update UBI9 base (94 -> 8 CVEs, 0 CRITICAL)#289
blue4209211 merged 1 commit into
mainfrom
security/go1.25.11-x-net-ubi-update

Conversation

@mayankpande88

Copy link
Copy Markdown
Contributor

Summary

Takes the node-agent image from 94 fixable CVEs to 8, and CRITICAL to 0, with a Dockerfile-only change (no go.mod surgery):

  • GO_VERSION 1.25.0 → 1.25.11 — clears the Go stdlib CRITICAL (CVE-2025-68121) and all stdlib HIGH/MEDIUM in the nudgebee-node-agent binary.
  • microdnf update on the runtime stage — patches the pinned ubi9/ubi-minimal base (gnutls, openssl-libs, glibc, krb5-libs, …) which ships stale.
  • The rebuild also picks up main's already-bumped modules (x/net v0.55.0, containerd v1.7.33, mongo-driver v1.17.9, otel v1.44.0, cilium v1.17.15) that the stale :0.1.0 image predated.

Verification

Rebuilt the image locally: 8 fixable / 0 CRITICAL (was 94), and the agent binary runs (nudgebee-node-agent --help).

Remaining 8 (deferred)

All in the agent binary, all risky/large go-module bumps that need coroot-fork alignment + integration testing:

  • github.com/docker/docker v28 → v29 (major)
  • github.com/prometheus/prometheus v0.51 → v0.311 (large)
  • github.com/cilium/cilium v1.17.15 → 1.17.16 (patch), github.com/ulikunitz/xz 0.5.14 → 0.5.15 (patch)

These belong in a separate, tested dependency PR — a major docker/prometheus bump in an eBPF agent shouldn't ride along with an OS/toolchain hardening change.

Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).

Takes the node-agent image from 94 fixable CVEs to 8 (CRITICAL 0):
- GO_VERSION 1.25.0 -> 1.25.11 clears the Go stdlib CRITICAL (CVE-2025-68121)
  and all stdlib HIGH/MEDIUM in the nudgebee-node-agent binary.
- `microdnf update` patches the pinned ubi9/ubi-minimal base (gnutls,
  openssl-libs, glibc, krb5-libs, ...) which shipped stale.
- The rebuild also picks up main's already-bumped modules (x/net v0.55.0,
  containerd v1.7.33, mongo-driver v1.17.9, otel v1.44.0, cilium v1.17.15).

Verified: rebuilt image scans 8 fixable / 0 CRITICAL (was 94); the agent
binary runs (`nudgebee-node-agent --help`).

The remaining 8 are risky/large go-module bumps (docker v28->v29 major,
prometheus v0.51->v0.311, cilium 1.17.16, xz 0.5.15) that need coroot-fork
alignment + integration testing — deferred to a separate dependency PR.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Go version to 1.25.11 in the builder stage and adds a package update and cleanup step to the runtime stage in the Dockerfile. The reviewer suggested optimizing the image size by disabling weak dependencies during package installation.

Comment thread Dockerfile
@blue4209211 blue4209211 merged commit cf29f1d into main Jul 9, 2026
7 checks passed
@blue4209211 blue4209211 deleted the security/go1.25.11-x-net-ubi-update branch July 9, 2026 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants