Skip to content

Bump cloudnative-pg/cloudnative-pg to v1.29.2 to fix CVE-2026-44477#4029

Open
malayparida2000 wants to merge 2 commits into
red-hat-storage:mainfrom
malayparida2000:4_23_cve
Open

Bump cloudnative-pg/cloudnative-pg to v1.29.2 to fix CVE-2026-44477#4029
malayparida2000 wants to merge 2 commits into
red-hat-storage:mainfrom
malayparida2000:4_23_cve

Conversation

@malayparida2000

Copy link
Copy Markdown
Contributor

Signed-off-by: Malay Kumar Parida <mparida@redhat.com>
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 13, 2026
@malayparida2000

Copy link
Copy Markdown
Contributor Author

Go vulncheck reported this actually affects our code at multiple places

Vulnerability #2: GO-2026-5106
    CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL
    superuser and OS RCE in github.com/cloudnative-pg/cloudnative-pg
  More info: https://pkg.go.dev/vuln/GO-2026-5106
  Module: github.com/cloudnative-pg/cloudnative-pg
    Found in: github.com/cloudnative-pg/cloudnative-pg@v1.29.0
    Fixed in: github.com/cloudnative-pg/cloudnative-pg@v1.29.1
    Example traces found:
      #1: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Backup.DeepCopyObject
      #2: pkg/util/events.go:62:55: util.getNameSpacedName calls api.Backup.GetName
      #3: pkg/util/events.go:62:29: util.getNameSpacedName calls api.Backup.GetNamespace
      #4: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.BackupList.DeepCopyObject
      #5: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Cluster.DeepCopyObject
      #6: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ClusterImageCatalog.DeepCopyObject
      #7: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ClusterImageCatalogList.DeepCopyObject
      #8: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ClusterList.DeepCopyObject
      #9: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Database.DeepCopyObject
      #10: pkg/util/events.go:62:55: util.getNameSpacedName calls api.Database.GetName
      #11: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.DatabaseList.DeepCopyObject
      #12: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.FailoverQuorum.DeepCopyObject
      #13: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.FailoverQuorumList.DeepCopyObject
      #14: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ImageCatalog.DeepCopyObject
      #15: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ImageCatalogList.DeepCopyObject
      #16: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Pooler.DeepCopyObject
      #17: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.PoolerList.DeepCopyObject
      #18: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Publication.DeepCopyObject
      #19: pkg/util/events.go:62:55: util.getNameSpacedName calls api.Publication.GetName
      #20: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.PublicationList.DeepCopyObject
      #21: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ScheduledBackup.DeepCopyObject
      #22: pkg/util/events.go:62:55: util.getNameSpacedName calls api.ScheduledBackup.GetName
      #23: pkg/util/events.go:62:29: util.getNameSpacedName calls api.ScheduledBackup.GetNamespace
      #24: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.ScheduledBackupList.DeepCopyObject
      #25: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.Subscription.DeepCopyObject
      #26: pkg/util/events.go:62:55: util.getNameSpacedName calls api.Subscription.GetName
      #27: cmd/main.go:175:29: cmd.main calls manager.New, which eventually calls api.SubscriptionList.DeepCopyObject
      #28: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which calls api.init
      #29: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls compatibility.init
      #30: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls configparser.ReadConfigMap
      #31: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls configparser.init
      #32: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls configuration.init
      #33: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls context.init
      #34: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls executablehash.init
      #35: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls hba.init
      #36: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls postgres.init
      #37: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls system.init
      #38: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls utils.init
      #39: services/provider/server/server.go:44:2: server.init calls v1alpha1.init, which eventually calls versions.init

@malayparida2000

Copy link
Copy Markdown
Contributor Author
$ docker run --pull=always --rm \
  brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.26 \
  go version 2>&1 | grep '^go version'
go version go1.26.4 (Red Hat 1.26.4-1.el9_8) linux/arm64

We have 1.26.4 availble in DS builder so it's safe to upgrade to 1.26.4 go

Signed-off-by: Malay Kumar Parida <mparida@redhat.com>
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iamniting, malayparida2000

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [iamniting,malayparida2000]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@malayparida2000: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ocs-operator-bundle-e2e-aws fa5ac1a link true /test ocs-operator-bundle-e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants