OCPBUGS-68150: Update library-go to fix CVE-2025-65637 by amitesh1201 · Pull Request #840 · openshift/cluster-authentication-operator

amitesh1201 · 2026-02-10T07:46:25Z

Description

OCPBUGS-68150: deps: Update github.com/openshift/library-go from v0.0.0-20241023075405-e3586cc1ab21 to v0.0.0-20260202164332-cedbe1daf8d0 to fix CVE-2025-65637 (DoS vulnerability in logrus).

Changes

Updated github.com/openshift/library-go to commit cedbe1daf8d0876c55731ad53934bbb243541d94
Indirectly updates github.com/sirupsen/logrus from v1.9.0 to v1.9.3

CVE Information

CVE ID: CVE-2025-65637
Severity: High (CVSS 7.5)
Vulnerable Versions: < 1.8.3, >= 1.9.0 < 1.9.1, >= 1.9.2 < 1.9.3
Fixed Version: v1.9.3
Impact: Denial of Service (DoS) vulnerability

Testing

go build ./... successful
Verified logrus version: go list -m github.com/sirupsen/logrus shows v1.9.3
Verified library-go version includes fix commit

Update github.com/openshift/library-go to include commit cedbe1daf8d0876c55731ad53934bbb243541d94 which updates logrus from v1.9.0 to v1.9.3, fixing CVE-2025-65637

openshift-ci-robot · 2026-02-10T07:46:32Z

@amitesh1201: This pull request references Jira Issue OCPBUGS-68150, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected Jira Issue OCPBUGS-68150 to depend on a bug targeting a version in 4.18.0, 4.18.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description

OCPBUGS-68150: deps: Update github.com/openshift/library-go from v0.0.0-20241023075405-e3586cc1ab21 to v0.0.0-20260202164332-cedbe1daf8d0 to fix CVE-2025-65637 (DoS vulnerability in logrus).

Changes

Updated github.com/openshift/library-go to commit cedbe1daf8d0876c55731ad53934bbb243541d94

Indirectly updates github.com/sirupsen/logrus from v1.9.0 to v1.9.3

CVE Information

CVE ID: CVE-2025-65637

Severity: High (CVSS 7.5)

Vulnerable Versions: < 1.8.3, >= 1.9.0 < 1.9.1, >= 1.9.2 < 1.9.3

Fixed Version: v1.9.3

Impact: Denial of Service (DoS) vulnerability

Testing

go build ./... successful

Verified logrus version: go list -m github.com/sirupsen/logrus shows v1.9.3

Verified library-go version includes fix commit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-02-10T07:46:36Z

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

amitesh1201 · 2026-02-10T10:33:55Z

/retest-required

openshift-ci · 2026-02-10T12:36:30Z

@amitesh1201: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

amitesh1201 · 2026-02-12T06:26:37Z

/jira refresh

openshift-ci-robot · 2026-02-12T06:26:42Z

@amitesh1201: This pull request references Jira Issue OCPBUGS-68150, which is invalid:

expected Jira Issue OCPBUGS-68150 to depend on a bug targeting a version in 4.18.0, 4.18.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

liouk · 2026-02-12T09:39:27Z

/lgtm

amitesh1201 · 2026-02-13T11:04:24Z

/assign @deads2k

amitesh1201 · 2026-02-16T13:30:38Z

/jira refresh

openshift-ci-robot · 2026-02-16T13:30:46Z

@amitesh1201: This pull request references Jira Issue OCPBUGS-68150, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.17.z) matches configured target version for branch (4.17.z)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-76946 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-76946 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

benluddy · 2026-02-18T14:10:34Z

/label backport-risk-assessed

benluddy · 2026-02-18T14:11:23Z

/verified by @amitesh1201

openshift-ci · 2026-02-18T14:11:25Z

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: amitesh1201, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2026-02-18T14:11:36Z

@benluddy: This PR has been marked as verified by @amitesh1201.

Details

In response to this:

/verified by @amitesh1201

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-02-18T14:16:21Z

@amitesh1201: An error was encountered invalid pull identifier with 2 parts: "mjuanxd/logrus-dos-poc" for bug OCPBUGS-68150 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-68150
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-68150 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Description

OCPBUGS-68150: deps: Update github.com/openshift/library-go from v0.0.0-20241023075405-e3586cc1ab21 to v0.0.0-20260202164332-cedbe1daf8d0 to fix CVE-2025-65637 (DoS vulnerability in logrus).

Changes

Updated github.com/openshift/library-go to commit cedbe1daf8d0876c55731ad53934bbb243541d94

Indirectly updates github.com/sirupsen/logrus from v1.9.0 to v1.9.3

CVE Information

CVE ID: CVE-2025-65637

Severity: High (CVSS 7.5)

Vulnerable Versions: < 1.8.3, >= 1.9.0 < 1.9.1, >= 1.9.2 < 1.9.3

Fixed Version: v1.9.3

Impact: Denial of Service (DoS) vulnerability

Testing

go build ./... successful

Verified logrus version: go list -m github.com/sirupsen/logrus shows v1.9.3

Verified library-go version includes fix commit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

deps: update library-go to fix CVE-2025-65637

718a87f

Update github.com/openshift/library-go to include commit cedbe1daf8d0876c55731ad53934bbb243541d94 which updates logrus from v1.9.0 to v1.9.3, fixing CVE-2025-65637

openshift-ci bot requested review from ibihim and liouk February 10, 2026 07:46

openshift-ci bot assigned liouk Feb 12, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 12, 2026

openshift-ci bot assigned deads2k Feb 13, 2026

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 16, 2026

benluddy added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 18, 2026

openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Feb 18, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 18, 2026

openshift-merge-bot bot merged commit 9f93caf into openshift:release-4.17 Feb 18, 2026
11 checks passed

amitesh1201 deleted the fix-cve-2025-65637-logrus branch February 19, 2026 06:40

Conversation

amitesh1201 commented Feb 10, 2026

Description

Changes

CVE Information

Testing

Uh oh!

openshift-ci-robot commented Feb 10, 2026

Description

Changes

CVE Information

Testing

Uh oh!

coderabbitai bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

amitesh1201 commented Feb 10, 2026

Uh oh!

openshift-ci bot commented Feb 10, 2026

Uh oh!

amitesh1201 commented Feb 12, 2026

Uh oh!

openshift-ci-robot commented Feb 12, 2026

Uh oh!

liouk commented Feb 12, 2026

Uh oh!

amitesh1201 commented Feb 13, 2026

Uh oh!

amitesh1201 commented Feb 16, 2026

Uh oh!

openshift-ci-robot commented Feb 16, 2026

Uh oh!

benluddy commented Feb 18, 2026

Uh oh!

benluddy commented Feb 18, 2026

Uh oh!

openshift-ci bot commented Feb 18, 2026

Uh oh!

openshift-ci-robot commented Feb 18, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented Feb 18, 2026

Description

Changes

CVE Information

Testing

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

coderabbitai bot commented Feb 10, 2026 •

edited

Loading