[release-4.16] OCPBUGS-74316: Backport ansible-runner-http and fix CVE-2026-24049 by using wheel 0.46.3#74
@mytreya-rh: This pull request references Jira Issue OCPBUGS-74316, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
…er/kube-rbac-proxy:v0.16.0 to registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.16.0
35fb5d1 to eab9345
…g requirements Pin setuptools==75.3.0 and setuptools-scm==7.1.0 in requirements-pre-build.txt so cachi2 fetches versions that satisfy build isolation constraints:
- ansible-runner requires setuptools>=45.2.0,<=75.3.0
- kubernetes requires setuptools_scm<8.0
The later requirements-build.txt steps upgrade both to their newer versions.
Made-with: Cursor
82b018c to 38b2390
…on conflict google-auth 2.49.1 requires cryptography>=38.0.3, but the RHEL 9 RPM (python3-cryptography) only provides 36.0.1. Pin to 2.38.0 (matching the current published operator image) and regenerate all requirements files.
Made-with: Cursor
38b2390 to 1dc7b68
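The two commit messages above describe pins that satisfy consumer constraints (setuptools>=45.2.0,<=75.3.0 and setuptools_scm<8.0) and one that cannot (cryptography 36.0.1 against google-auth's >=38.0.3). As an added example, not code from this PR or from the ansible-operator-plugins project, the checker below evaluates exact pins against such constraints, including the ~= operator used for the urllib3 bump; it assumes plain numeric versions (no pre-release or local segments) and one requirement per line.

```python
import re

def parse_version(v):
    parts = tuple(int(p) for p in v.split("."))  # '2.6.3' -> (2, 6, 3)
    while len(parts) > 1 and parts[-1] == 0:      # '8.0' compares equal to '8'
        parts = parts[:-1]
    return parts

def matches(version, op, target):
    """True if `version` satisfies one PEP 440-style clause such as ('~=', '2.6.3')."""
    v, t = parse_version(version), parse_version(target)
    if op == "~=":  # compatible release: '~=2.6.3' means >=2.6.3,<2.7
        raw = [int(p) for p in target.split(".")]
        return t <= v < parse_version(".".join(map(str, raw[:-2] + [raw[-2] + 1])))
    return {">=": v >= t, "<=": v <= t, ">": v > t, "<": v < t, "==": v == t}[op]

def parse_requirement(line):
    """'setuptools_scm<8.0' -> ('setuptools-scm', [('<', '8.0')]); names are normalised."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(.*?)\s*$", line)
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    specs = []
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = re.match(r"^(~=|==|<=|>=|<|>)\s*([0-9][0-9.]*)$", clause)
        if not cm: raise ValueError("unsupported specifier: " + clause)
        specs.append((cm.group(1), cm.group(2)))
    return name, specs

def check_pins(pin_lines, constraint_lines):
    """Return human-readable violations; an empty list means every pin satisfies every constraint."""
    pinned = {}
    for line in pin_lines:
        name, specs = parse_requirement(line)
        if len(specs) != 1 or specs[0][0] != "==": raise ValueError("pin must be exact: " + line)
        pinned[name] = specs[0][1]
    problems = []
    for line in constraint_lines:
        name, specs = parse_requirement(line)
        if name not in pinned:
            problems.append(f"{name}: not pinned at all")
            continue
        for op, target in specs:
            if not matches(pinned[name], op, target):
                problems.append(f"{name}=={pinned[name]} violates {op}{target}")
    return problems

# Constructed sample: the pins and consumer constraints named in this PR's commit messages.
PINS = ["setuptools==75.3.0", "setuptools-scm==7.1.0", "urllib3==2.6.3", "cryptography==36.0.1"]
CONSTRAINTS = ["setuptools>=45.2.0,<=75.3.0", "setuptools_scm<8.0", "urllib3~=2.6.3", "cryptography>=38.0.3"]

if __name__ == "__main__":
    print("\n".join(check_pins(PINS, CONSTRAINTS)) or "all pins satisfy their constraints")
```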
/retitle [release-4.16] OCPBUGS-74316: Backport ansible-runner-http and fix CVE-2026-24049 by using wheel 0.46.3
chiragkyal
left a comment
LGTM!
I'll add the labels whenever the unit test CI passes. Thanks!
| # Ref: https://github.com/operator-framework/ansible-operator-plugins/pull/67#issuecomment-2189164688 | ||
| # NOTE: This ignored vulnerability (74261) was detected in ansible-core, \ | ||
| # but the fix is not available in any 2.15.z version of ansible-core as it has already reached EOL, See: \ | ||
| # - https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix |
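Review bot: the NOTE justifies ignoring vulnerability 74261 on the grounds that no fixed 2.15.z release of ansible-core exists because that line is EOL; that makes the ignore an open-ended accepted risk rather than a temporary exception, so the comment should also state when the ignore is to be revisited (when the branch moves off the 2.15.z line) and should keep the support-matrix URL on the last line so the EOL claim can be re-verified later.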
nit: We can keep this URL for future reference.
The previous setup-envtest version downloaded envtest binaries (kube-apiserver, etcd) from Google Cloud Storage, which now permanently returns 401 Unauthorized. This caused the handler unit tests to fail because KUBEBUILDER_ASSETS could not be resolved. Update setup-envtest to a release-0.17 build (cb94c680f5d5) that supports downloading from GitHub releases while remaining compatible with Go 1.21 used in CI. Pass --use-deprecated-gcs=false in the Makefile to opt into GitHub-based downloads.
Made-with: Cursor
fbdd1f0 to 4e976e7
@mytreya-rh: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
chiragkyal
left a comment
Thanks @mytreya-rh for this fix!
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chiragkyal, mytreya-rh The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/jira refresh
@chiragkyal: This pull request references Jira Issue OCPBUGS-74316, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/jira refresh
@chiragkyal: This pull request references Jira Issue OCPBUGS-74316, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Description of the change:
Fix CVE-2026-24049 by using wheel 0.46.3
In addition fix CVE-2026-21441, CVE-2025-66471, and CVE-2025-66418 by bumping urllib3 to ~=2.6.3
Also backport "Install ansible_runner_http as local package" (commits: e4b92e0 and 1a59c6c) to simplify dependencies and make it easier to apply future CVE fixes.
Motivation for the change:
Reduce CVE Exposure