[release-v1.43] Align third-party and x/ lib versions with CE v3.24 CVE patches#4926

Open
vara2504 wants to merge 4 commits into tigera:release-v1.43 from vara2504:vara/release-v1.43-cve-version-bumps
Conversation

@vara2504

Contributor

Summary

  • Bump coreos-prometheus v3.9.1 → v3.12.0, coreos-alertmanager v0.30.1 → v0.31.1
  • Bump eck-elasticsearch/kibana 8.19.15 → 8.19.16, eck-elasticsearch-operator 2.16.0 → 3.3.2
  • Bump golang.org/x/* libs (x/crypto v0.53.0, x/net v0.56.0, etc.) to match release-v1.40 CVE levels

Aligns operator release-v1.43 with the versions calico-private master (CE v3.24) builds and what release-v1.40 (v3.22) already carries for x/ libs.

Bump third-party component versions and Go x/ libraries to address CVEs (GO-2026-5026, CVE-2026-42151/42154).

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

vara2504 and others added 4 commits June 16, 2026 10:17
…ager (v0.31.1) with CE v3.24

release-v1.43 pairs with calico-private release-calient-v3.24-1, which builds
prometheus v3.12.0 and alertmanager v0.31.1. The operator pins drive the
Prometheus/Alertmanager CR spec.version, so they must match the built images:
- coreos-prometheus   v3.9.1  -> v3.12.0
- coreos-alertmanager v0.30.1 -> v0.31.1

Regenerated pkg/components/enterprise.go via make gen-versions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…E v3.24

Align remaining third-party version pins with calico-private master:
- eck-elasticsearch:          8.19.15 -> 8.19.16
- eck-kibana:                 8.19.15 -> 8.19.16
- eck-elasticsearch-operator: 2.16.0  -> 3.3.2

Regenerated pkg/components/enterprise.go via make gen-versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Align x/ library versions with what release-v1.40 already carries:
- x/crypto v0.52.0 -> v0.53.0 (GO-2026-5026, x/crypto SSH)
- x/net    v0.55.0 -> v0.56.0 (GO-2026-5026)
- x/mod    v0.36.0 -> v0.37.0
- x/sync   v0.20.0 -> v0.21.0
- x/sys    v0.45.0 -> v0.46.0
- x/term   v0.43.0 -> v0.44.0
- x/text   v0.37.0 -> v0.38.0
- x/tools  v0.44.0 -> v0.45.0
- api/: x/net v0.52.0 -> v0.56.0, x/text v0.35.0 -> v0.38.0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Align with calico-private v3.24 which now builds alertmanager v0.32.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vara2504 vara2504 force-pushed the vara/release-v1.43-cve-version-bumps branch from e921e8d to 2defe0f on June 16, 2026 17:18