Revert "fix(deps): upgrade otel/sdk to v1.43.0 in extras/dagger to re… #3179
…solve GHSA-9h8m-3fm2-qjrq"

This reverts commit 31212a8.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Kusari Analysis Results: Caution, Flagged Issues Detected

The code analysis found no issues in the changed files (go.mod and go.sum) — no exposed secrets, no insecure patterns, and no workflow concerns. However, the dependency analysis identified a serious security regression introduced by this PR, which downgrades 10 OpenTelemetry packages from v1.43.0 to v1.38.0. The downgraded versions carry multiple HIGH severity CVEs that were not present in the prior versions:

(1) CVE-2026-29181 (CVSS AV:N/AC:L/PR:N/UI:N/A:H) — a remotely exploitable DoS in go.opentelemetry.io/otel v1.38.0 caused by excessive allocations during multi-value baggage header parsing, requiring no authentication;

(2) CVE-2026-39882 — unbounded HTTP response body reads in both the OTLP trace and metric HTTP exporters, allowing a malicious or MitM collector to cause OOM crashes;

(3) CVE-2026-24051 and CVE-2026-39883 — local arbitrary code execution vulnerabilities in the SDK via PATH hijacking of platform utilities (ioreg on macOS, kenv on BSD/Solaris).

The remote DoS in particular represents a critical network-exploitable risk with no authentication barrier. The clean code scan does not offset these dependency risks, as they are independent concerns. If the Dagger revert motivating this PR is necessary, we strongly recommend pinning all affected OpenTelemetry packages to v1.44.0 (patched) rather than v1.38.0 before merging.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations
Kusari PR Analysis rerun based on ea73c57, performed at 2026-06-09T13:45:19Z (link to updated analysis).
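The analysis above flags the regression by comparing the resolved module versions against a patched floor (v1.44.0). A reviewer can reproduce that check locally before merging a revert like this one. The following is an added example, not Kusari's tooling and not code from the chainloop repository: it parses a go.mod, picks out every go.opentelemetry.io/otel* module and reports those whose version is older than the floor. The go.mod fragment embedded in it is constructed to mirror the downgraded state the comment describes (OpenTelemetry modules at v1.38.0 beside one module already at v1.44.0); the exporter module paths in that fragment are assumed, as are the function names.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment modelled on the state the
// analysis describes (OpenTelemetry modules downgraded to v1.38.0). It is
// not the real extras/dagger/go.mod from the PR; the module paths are assumed.
const sampleGoMod = `module example.com/extras/dagger

go 1.22

require (
	github.com/spf13/cobra v1.8.1
	go.opentelemetry.io/otel v1.38.0
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0
	go.opentelemetry.io/otel/sdk v1.38.0
	go.opentelemetry.io/otel/trace v1.44.0 // indirect
)
`

// MinOtelVersion is the floor the analysis recommends: v1.44.0, the patched release.
const MinOtelVersion = "v1.44.0"

// ModuleVersion is one require entry from a go.mod.
type ModuleVersion struct {
	Path    string
	Version string
}

// parseRequires extracts module paths and versions from go.mod text, handling
// both the block form `require ( ... )` and single-line `require path vX.Y.Z`.
func parseRequires(goMod string) []ModuleVersion {
	var out []ModuleVersion
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case line == ")" && inBlock:
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue // module, go, replace, exclude lines are not requirements
			}
		}
		if len(fields) == 2 && strings.HasPrefix(fields[1], "v") {
			out = append(out, ModuleVersion{Path: fields[0], Version: fields[1]})
		}
	}
	return out
}

// parseSemver turns "vMAJOR.MINOR.PATCH" into three ints; pre-release and
// build suffixes are stripped before comparison.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		n[i] = x
	}
	return n, true
}

// lessThan reports whether version a is older than version b.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// OtelBelowMinimum returns every go.opentelemetry.io/otel* module in goMod
// whose version is older than minVersion, sorted by path. Modules with an
// unparseable version are reported too: an unknown version cannot be trusted.
func OtelBelowMinimum(goMod, minVersion string) []ModuleVersion {
	minV, ok := parseSemver(minVersion)
	if !ok {
		panic("bad minimum version: " + minVersion)
	}
	var bad []ModuleVersion
	for _, m := range parseRequires(goMod) {
		if !strings.HasPrefix(m.Path, "go.opentelemetry.io/otel") {
			continue
		}
		v, ok := parseSemver(m.Version)
		if !ok || lessThan(v, minV) {
			bad = append(bad, m)
		}
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i].Path < bad[j].Path })
	return bad
}

func main() {
	bad := OtelBelowMinimum(sampleGoMod, MinOtelVersion)
	for _, m := range bad {
		fmt.Printf("%s %s is below %s\n", m.Path, m.Version, MinOtelVersion)
	}
	if len(bad) > 0 {
		fmt.Println("FAIL: OpenTelemetry modules below the patched floor")
	}
}
```

On a real checkout, feed the contents of go.mod to OtelBelowMinimum, or use the resolved module graph from `go list -m all` instead, since go.mod only lists direct and pinned requirements and a transitive dependency can still drag in an older otel module.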
The upgrade broke generation