Fix CVE-2024-25621: Upgrade containerd to v1.7.29#181
Merged
Conversation
This commit fixes CVE-2024-25621, a local privilege escalation vulnerability in containerd versions up to 1.7.28. The issue involved overly broad default permissions for directory paths in containerd. Changes: - Added replace directive to force containerd v1.7.29 - Updated go.mod and go.sum with new containerd version - Also updated transitive dependencies (go-jose, golang.org/x/crypto) Fixes: ACM-27214 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: clyang82 <chuyang@redhat.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: clyang82 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add replace directives in go.mod for k8s.io components to resolve v0.0.0 dependency issues that prevented go work vendor from running successfully. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
yanmxa
pushed a commit
to yanmxa/glo-grafana
that referenced
this pull request
Jan 23, 2026
* Fix CVE-2024-25621: Upgrade containerd to v1.7.29 This commit fixes CVE-2024-25621, a local privilege escalation vulnerability in containerd versions up to 1.7.28. The issue involved overly broad default permissions for directory paths in containerd. Changes: - Added replace directive to force containerd v1.7.29 - Updated go.mod and go.sum with new containerd version - Also updated transitive dependencies (go-jose, golang.org/x/crypto) Fixes: ACM-27214 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: clyang82 <chuyang@redhat.com> * Fix k8s.io dependency resolution for go work vendor Add replace directives in go.mod for k8s.io components to resolve v0.0.0 dependency issues that prevented go work vendor from running successfully. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Signed-off-by: clyang82 <chuyang@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
clyang82
added a commit
that referenced
this pull request
Jan 27, 2026
* Replace ACM Konflux config with Global Hub Konflux config - Remove ACM tekton pipelines (grafana-acm-216-*) - Remove Containerfile.operator - Add Global Hub tekton pipelines (glo-grafana-globalhub-1-7-*) - Add Containerfile.konflux - Add renovate.json Signed-off-by: Meng Yan <myan@redhat.com> * Upgrade golang to 1.25.3 Signed-off-by: clyang82 <chuyang@redhat.com> * Fix CVE-2025-64756 and CVE-2025-66031: Upgrade glob and node-forge (#185) * Fix CVE-2025-64756 and CVE-2025-66031: Upgrade glob and node-forge This commit addresses two security vulnerabilities in dependencies: 1. CVE-2025-64756 (ACM-27068): glob command injection vulnerability - Upgraded glob from 10.4.1 to 11.1.0 - Vulnerability allowed arbitrary command execution via malicious filenames - Fixed by upgrading to glob 11.1.0+ 2. CVE-2025-66031 (ACM-27062): node-forge ASN.1 unbounded recursion - Upgraded node-forge from ^1.3.1 to ^1.3.2 - Vulnerability could cause DoS via stack exhaustion - Fixed by upgrading to node-forge 1.3.2+ Changes: - Updated package.json with new dependency versions - Updated yarn.lock with resolved dependencies Fixes: ACM-27068, ACM-27062 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: clyang82 <chuyang@redhat.com> * Update build artifacts after dependency upgrades This commit updates the build artifacts after upgrading glob and node-forge dependencies for CVE fixes (ACM-27068, ACM-27062). Changes: - Rebuilt AngularApp bundle with new hash - Rebuilt runtime bundle with new hash - Updated assets manifest 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: clyang82 <chuyang@redhat.com> * rerun in linux --------- Signed-off-by: clyang82 <chuyang@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * Fix CVE-2024-25621: Upgrade containerd to v1.7.29 (#181) * Fix CVE-2024-25621: Upgrade containerd to v1.7.29 This commit fixes CVE-2024-25621, a local privilege escalation vulnerability in containerd versions up to 1.7.28. The issue involved overly broad default permissions for directory paths in containerd. Changes: - Added replace directive to force containerd v1.7.29 - Updated go.mod and go.sum with new containerd version - Also updated transitive dependencies (go-jose, golang.org/x/crypto) Fixes: ACM-27214 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: clyang82 <chuyang@redhat.com> * Fix k8s.io dependency resolution for go work vendor Add replace directives in go.mod for k8s.io components to resolve v0.0.0 dependency issues that prevented go work vendor from running successfully. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Signed-off-by: clyang82 <chuyang@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * Revert glob/node-forge CVE changes to fix yarn.lock sync The glob and node-forge version upgrades require yarn.lock regeneration which cannot be done from a fork PR. Reverting to original versions to maintain consistency between package.json and yarn.lock. The containerd CVE fix (via go.mod replace directive) is still in place. Signed-off-by: Meng Yan <myan@redhat.com> * Fix Containerfile.konflux for release-1.7 codebase Update Containerfile.konflux to match the release-1.7 directory structure: - Remove references to non-existent directories (plugins-bundled, .bingo) - Add kindsv2, apps, .citools directories - Add stolostron-patches and apply them during build - Use ubi:latest instead of ubi-minimal (matches Dockerfile.ocp) - Fix binary copy path Signed-off-by: Meng Yan <myan@redhat.com> * Simplify Containerfile.konflux for hermetic build - Remove stolostron-patches and git apply (not compatible with hermetic build) - Add GOFLAGS="-mod=readonly" for hermetic build compatibility - Use ubi-minimal as base image (matches original Konflux config) - Use relative path for binary copy (./bin/ instead of $GOPATH/...) - Keep kindsv2, apps, .citools directories for release-1.7 compatibility Signed-off-by: Meng Yan <myan@redhat.com> * Fix Containerfile.konflux build: apply patches and use build.go - Use 'git init && git apply' to apply stolostron patches - Use 'go run build.go -build-tags=strictfipsruntime build' instead of make build-go - This matches the ACM build approach which works with Konflux Signed-off-by: Meng Yan <myan@redhat.com> * Fix CVE-2025-68156: Upgrade expr-lang/expr to v1.17.7 Addresses HIGH severity vulnerability in github.com/expr-lang/expr: - Denial of Service via uncontrolled recursion in expression evaluation - Affected files: .citools/src/cog/go.mod, pkg/codegen/go.mod, pkg/plugins/codegen/go.mod Signed-off-by: Meng Yan <myan@redhat.com> * Fix Konflux build: add workspace modules to prefetch-input Add pkg/codegen and pkg/plugins/codegen to cachi2 prefetch-input so that their dependencies (including expr-lang/expr v1.17.7) are properly prefetched for hermetic builds. Signed-off-by: Meng Yan <myan@redhat.com> * Upgrade Go version to 1.25.3 in sub-modules Align sub-module Go versions with the workspace (go.work): - pkg/codegen/go.mod: 1.24.6 -> 1.25.3 - pkg/plugins/codegen/go.mod: 1.24.6 -> 1.25.3 - .citools/src/cog/go.mod: 1.24.5 -> 1.25.3 Signed-off-by: Meng Yan <myan@redhat.com> * Fix flaky TestAlertRuleRetry test timeout Increase EventuallyWithT timeout from 5ms to 5s and poll interval from 1ms to 10ms to avoid flaky test failures in CI environments. Signed-off-by: Meng Yan <myan@redhat.com> * Remove workflows requiring unavailable runners Delete GitHub Actions workflows that require large runners (ubuntu-x64-large, ubuntu-x64-large-io) which are not available in the stolostron/glo-grafana fork. Removed workflows: - backend-unit-tests.yml (Grafana unit tests) - pr-test-integration.yml (MySQL/Postgres/Sqlite tests) - pr-e2e-tests.yml (E2E tests) - pr-frontend-unit-tests.yml (Frontend tests) - pr-test-docker.yml (Docker build tests) - release-build.yml (Release builds) Signed-off-by: Meng Yan <myan@redhat.com> * Remove more workflows requiring large runners Delete additional workflows using large runners: - run-schema-v2-e2e.yml (ubuntu-latest-8-cores) - storybook-a11y.yml (ubuntu-latest-8-cores) Signed-off-by: Meng Yan <myan@redhat.com> * Add JavaScript build stage to Containerfile.konflux Fix PostgreSQL datasource plugin 404 error by adding frontend build stage. The previous Containerfile only copied source code without building, causing Grafana to fail loading plugins that require compiled JS modules. Reference: https://github.com/grafana/grafana/blob/main/Dockerfile Changes: - Add js-builder stage using ubi9/nodejs-22 base image - Run yarn install and yarn build for frontend compilation - Copy built public directory from js-builder instead of source code Signed-off-by: Meng Yan <myan@redhat.com> * yarn install & yarn build to generate runnable resources for Grafana 12 Generate compiled frontend assets including plugin dist directories. This fixes the PostgreSQL datasource 404 error in Grafana 12.x. Reference: 4ae4713e Signed-off-by: Meng Yan <myan@redhat.com> Signed-off-by: myan <myan@redhat.com> * Update go.work.sum with complete dependency checksums Fix Konflux hermetic build failure by ensuring all transitive dependency checksums are present in go.work.sum. Signed-off-by: Meng Yan <myan@redhat.com> Signed-off-by: myan <myan@redhat.com> --------- Signed-off-by: Meng Yan <myan@redhat.com> Signed-off-by: clyang82 <chuyang@redhat.com> Signed-off-by: myan <myan@redhat.com> Co-authored-by: clyang82 <chuyang@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes CVE-2024-25621, a local privilege escalation vulnerability in containerd.
Changes
go.modto force containerd v1.7.29go.modandgo.sumwith the new containerd versionVulnerability Details
The vulnerability involved overly broad default permissions for directory paths
/var/lib/containerd,/run/containerd/io.containerd.grpc.v1.cri, and/run/containerd/io.containerd.sandbox.controller.v1.shimin containerd. This has been fixed in version 1.7.29.Testing
go mod tidyRelated Issues
Fixes: ACM-27214
🤖 Generated with Claude Code