fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273
fix: upgrade extras/dagger OpenTelemetry dependencies to v1.41.0#3273chainloop-development[bot] wants to merge 1 commit into
Conversation
Kusari Analysis Results:Caution Flagged Issues Detected The code security analysis found zero issues across the modified files (go.sum and go.mod), confirming no secrets, workflow, or code-level vulnerabilities were introduced. However, the dependency analysis identified multiple critical and high-severity unresolved vulnerabilities in the newly introduced dependency versions that we strongly recommend addressing before merging. Key concerns are: (1) google.golang.org/grpc v1.79.1 contains an authorization bypass (CVE-2026-33186, CVSS HIGH: C:H/I:H) where attackers can circumvent path-based deny rules via missing leading slashes in HTTP/2 :path pseudo-headers — update to v1.82.0; (2) golang.org/x/net v0.50.0 carries two unresolved HIGH advisories: an HTTP/2 infinite loop DoS (CVE-2026-33814) and an IDNA privilege escalation enabling access control bypass (CVE-2026-39821) — update to v0.56.0; (3) go.opentelemetry.io/otel/sdk v1.41.0 has a PATH hijacking vulnerability enabling arbitrary code execution on BSD/Solaris platforms (CVE-2026-39883) — update to v1.44.0; (4) OTLP HTTP exporters at v1.41.0 allow memory exhaustion via unbounded HTTP response body reads if the collector endpoint is compromised or subject to MITM (CVE-2026-39882) — update both otlpmetrichttp and otlptracehttp to v1.44.0. While this PR successfully remediates GHSA-mh2q-q3fh-2475, the net security posture introduces more high-severity risk than it resolves. We strongly recommend updating all affected dependencies to their fixed versions before merging. Note View full detailed analysis result for more information on the output and the checks that were run. Required Dependency Mitigations
Found this helpful? Give it a 👍 or 👎 reaction! |
Summary
Upgraded the
extras/daggermodule from OpenTelemetryv1.38.0to the first fixed release line,v1.41.0, to remove the vulnerable baggage header parsing implementation. The change is limited to that helper module and its required transitive dependency updates.Vulnerability Fixed
GHSA-mh2q-q3fh-2475(HIGH): OpenTelemetry-Go multi-valuebaggageheader extraction can trigger excessive allocations and enable remote denial-of-service amplification beforev1.41.0.Changes Made
go.opentelemetry.io/otel,go.opentelemetry.io/otel/sdk,go.opentelemetry.io/otel/trace, and related OTLP exporter/metric modules inextras/dagger/go.modfromv1.38.0tov1.41.0.v1.41.0OpenTelemetry release line requires in the same module.extras/dagger/go.sumto match the patched dependency graph.Verification
Classification:
resolved.Attempted SBOM-first verification with
syft dir:. -o cyclonedx-json | grype sbom:/dev/stdin --only-fixed -o json, but thisgrypebuild requires a seekable SBOM input and could not read stdin. As a best-effort fallback, I rangrype dir:. --only-fixed -o jsonagainstrepo/, and it reported0matches forGHSA-mh2q-q3fh-2475.Risk Assessment
View the risk assessment in Chainloop