OCPBUGS-67556,OCPBUGS-67652: CVE-2025-65637 - bump github.com/sirupsen/logrus to v1.9.3 [4.13]

[rissh]

Summary

• Bumps github.com/sirupsen/logrus from v1.8.1 to v1.9.3
• Fixes CVE-2025-65637 (Denial of Service vulnerability)
• Added replace directives for golang.org/x packages to prevent transitive dependency cascade

CVE Details

• CVE: CVE-2025-65637
• Severity: High (DoS)
• Fixed in: v1.9.3

Related PRs

release-4.17: #2573
release-4.16: #2582
release-4.15: #2583
release-4.14: #2586

Testing

• Verified vendor changes are minimal (~20 files) and focused on logrus update
• CI validation

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 605b3550-f4a1-429e-84b5-f1bdf3ea9855

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@rissh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• f455142|UPSTREAM: : Bump github.com/sirupsen/logrus to v1.9.3 for CVE-2025-65637: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@rissh: This pull request references Jira Issue OCPBUGS-67556, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.13.z) matches configured target version for branch (4.13.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-67736 is in the state Closed (Done-Errata), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-67736 targets the "4.14.z" version, which is one of the valid target versions: 4.14.0, 4.14.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-67652, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.13.z) matches configured target version for branch (4.13.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-67822 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-67822 targets the "4.14.z" version, which is one of the valid target versions: 4.14.0, 4.14.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Bumps github.com/sirupsen/logrus from v1.8.1 to v1.9.3
• Fixes CVE-2025-65637 (Denial of Service vulnerability)
• Added replace directives for golang.org/x packages to prevent transitive dependency cascade

CVE Details

• CVE: CVE-2025-65637
• Severity: High (DoS)
• Fixed in: v1.9.3

Related PRs

release-4.17: #2573
release-4.16: #2582
release-4.15: #2583
release-4.14: #2586

Testing

• Verified vendor changes are minimal (~20 files) and focused on logrus update
• CI validation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@rissh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• bc30617|UPSTREAM: : Bump github.com/sirupsen/logrus to v1.9.3 for CVE-2025-65637: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[rissh]

/retest

[dusk125]

/lgtm

[dusk125]

/retest-required

[rissh]

/retest

[dusk125]

I doubt these failures are related to this fix
/assign @bertinatto

[dusk125]

/override ci/prow/e2e-aws-ovn-serial
Permafailing openshift/cluster-kube-apiserver-operator#2048 (comment)

[dusk125]

/test e2e-gcp

[openshift-ci]

@dusk125: dusk125 unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.

Details

In response to this:

/override ci/prow/e2e-aws-ovn-serial
Permafailing openshift/cluster-kube-apiserver-operator#2048 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rissh]

e2e-gcp Test Failure Analysis

The 7 failures in the JUnit section are pre-existing permafailures unrelated to this logrus CVE fix.

Failing Tests (all GCP storage infrastructure)

Test	Runs	Result
[sig-storage] Multi-AZ Cluster Volumes should schedule pods in the same zones as statically provisioned PVs	2	Both failed
[sig-storage] In-tree Volumes [Driver: gcepd] ephemeral should create read/write inline ephemeral volume	2	Both failed
[sig-storage] In-tree Volumes [Driver: gcepd] ephemeral should create read-only inline ephemeral volume	2	Both failed
[sig-storage] In-tree Volumes [Driver: gcepd] ephemeral should support expansion of pvcs	2	Both failed
[sig-storage] In-tree Volumes [Driver: gcepd] ephemeral should support two pods with same volume definition	2	Both failed
The 2 step failures (Run multi-stage test e2e-gcp... and Run multi-stage test test phase) are consequences of the above test failures.

Evidence This Is Unrelated to the CVE Fix

1. PR OCPBUGS-77800: UPSTREAM: 133262: Remove permafailing tests using an expired GCP project #2611 (merged Mar 10, 2026) specifically removed these permafailing tests due to "expired GCP project" - OCPBUGS-77800
2. All 5 failing tests are [Driver: gcepd] (GCE Persistent Disk) - GCP storage infrastructure tests
3. This PR only bumps github.com/sirupsen/logrus v1.8.1 → v1.9.3 - a logging library with no impact on storage drivers
4. 1,368 tests passed - no regressions from the code change

Note: We added replace directives for golang.org/x packages to minimize transitive dependency drift. These do not affect GCP storage drivers - the gcepd failures are caused by expired GCP project credentials (infrastructure issue), not dependency changes.

[sjenning]

/verified by e2e and conformance tests

[openshift-ci-robot]

@sjenning: This PR has been marked as verified by e2e and conformance tests.

Details

In response to this:

/verified by e2e and conformance tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: dusk125, rissh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jacobsee]

/remove-label backports/unvalidated-commits

[jacobsee]

/retest-required

[sjenning]

/override ci/prow/e2e-aws-ovn-serial
/override ci/prow/e2e-gcp

[openshift-ci]

@sjenning: Overrode contexts on behalf of sjenning: ci/prow/e2e-aws-ovn-serial, ci/prow/e2e-gcp

Details

In response to this:

/override ci/prow/e2e-aws-ovn-serial
/override ci/prow/e2e-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@rissh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@rissh: An error was encountered invalid pull identifier with 2 parts: "mjuanxd/logrus-dos-poc" for bug OCPBUGS-67556 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-67556
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-67556 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

An error was encountered invalid pull identifier with 2 parts: "mjuanxd/logrus-dos-poc" for bug OCPBUGS-67652 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-67652
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-67652 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary

• Bumps github.com/sirupsen/logrus from v1.8.1 to v1.9.3
• Fixes CVE-2025-65637 (Denial of Service vulnerability)
• Added replace directives for golang.org/x packages to prevent transitive dependency cascade

CVE Details

• CVE: CVE-2025-65637
• Severity: High (DoS)
• Fixed in: v1.9.3

Related PRs

release-4.17: #2573
release-4.16: #2582
release-4.15: #2583
release-4.14: #2586

Testing

• Verified vendor changes are minimal (~20 files) and focused on logrus update
• CI validation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.