Skip to content

OCPBUGS-51746: Bump golang x/oauth2 to fix CVE-2025-22868 #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release-4.16
Choose a base branch
from
Open

OCPBUGS-51746: Bump golang x/oauth2 to fix CVE-2025-22868 #108

wants to merge 1 commit into from

Conversation

aman4433
Copy link
Contributor

A flaw was found in golang.org/x/oauth2. Due to this an attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

To address this issue, we have upgraded the library to version v0.28.0, which includes a fix for the vulnerability.

Affected Library: golang.org/x/oauth2
Current Version: v0.14.0
Fixed Version: v0.28.0

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Mar 17, 2025
@openshift-ci-robot
Copy link

@aman4433: This pull request references Jira Issue OCPBUGS-51746, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-51746 to depend on a bug targeting a version in 4.17.0, 4.17.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

A flaw was found in golang.org/x/oauth2. Due to this an attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

To address this issue, we have upgraded the library to version v0.28.0, which includes a fix for the vulnerability.

Affected Library: golang.org/x/oauth2
Current Version: v0.14.0
Fixed Version: v0.28.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Mar 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aman4433 @openshift-ci-robot