Skip to content

OCPBUGS-68132,OCPBUGS-68190: CVE-2025-65637 - bump github.com/sirupsen/logrus to v1.9.3#2573

Merged
openshift-merge-bot[bot] merged 1 commit intoopenshift:release-4.17from
rissh:fix/CVE-2025-65637-4.17
Feb 3, 2026
Merged

OCPBUGS-68132,OCPBUGS-68190: CVE-2025-65637 - bump github.com/sirupsen/logrus to v1.9.3#2573
openshift-merge-bot[bot] merged 1 commit intoopenshift:release-4.17from
rissh:fix/CVE-2025-65637-4.17

Conversation

@rissh
Copy link

@rissh rissh commented Jan 23, 2026

This PR bumps github.com/sirupsen/logrus from v1.9.0 to v1.9.3 to address CVE-2025-65637.

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. labels Jan 23, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 23, 2026

@rissh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 23, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 23, 2026

@rissh: This pull request references Jira Issue OCPBUGS-68132, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.z) matches configured target version for branch (4.17.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-74355 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74355 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-68190, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.z) matches configured target version for branch (4.17.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-74356 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74356 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
  • bug has dependents

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR bumps github.com/sirupsen/logrus from v1.9.0 to v1.9.3 to address CVE-2025-65637.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Jan 23, 2026
@rissh rissh force-pushed the fix/CVE-2025-65637-4.17 branch from 6d90d39 to 2a21a96 Compare January 23, 2026 13:26
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 23, 2026

@rissh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@rissh
Copy link
Author

rissh commented Jan 23, 2026

/jira refresh

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 23, 2026

@rissh: This pull request references Jira Issue OCPBUGS-68132, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.z) matches configured target version for branch (4.17.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-74355 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74355 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
  • bug has dependents

This pull request references Jira Issue OCPBUGS-68190, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.z) matches configured target version for branch (4.17.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-74356 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74356 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
  • bug has dependents
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@rissh
Copy link
Author

rissh commented Jan 24, 2026

/retest

1 similar comment
@rissh
Copy link
Author

rissh commented Feb 2, 2026

/retest

@rissh rissh force-pushed the fix/CVE-2025-65637-4.17 branch from 2a21a96 to fa84530 Compare February 2, 2026 18:24
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 2, 2026

@rissh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@rissh
Copy link
Author

rissh commented Feb 3, 2026

/retest

1 similar comment
@rissh
Copy link
Author

rissh commented Feb 3, 2026

/retest

bertinatto
bertinatto reviewed Feb 3, 2026
View reviewed changes
Copy link
Member

@bertinatto bertinatto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/remove-label backports/unvalidated-commits
/label backport-risk-assessed
/lgtm

@openshift-ci openshift-ci bot added backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Feb 3, 2026
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2026
@openshift-ci
Copy link

openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bertinatto, rissh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 3, 2026
@gangwgr
Copy link

gangwgr commented Feb 3, 2026

/verified by ci runs

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 3, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 3, 2026

@gangwgr: This PR has been marked as verified by ci runs.

Details

In response to this:

/verified by ci runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gangwgr
Copy link

gangwgr commented Feb 3, 2026

/retest-required

@rissh
Copy link
Author

rissh commented Feb 3, 2026

/retest

@openshift-ci
Copy link

openshift-ci bot commented Feb 3, 2026

@rissh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 4e295fa into openshift:release-4.17 Feb 3, 2026
18 checks passed
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 3, 2026

@rissh: An error was encountered invalid pull identifier with 2 parts: "mjuanxd/logrus-dos-poc" for bug OCPBUGS-68132 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-68132
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-68132 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

An error was encountered invalid pull identifier with 2 parts: "mjuanxd/logrus-dos-poc" for bug OCPBUGS-68190 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.Jira Issue Verification Checks: Jira Issue OCPBUGS-68190
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-68190 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

This PR bumps github.com/sirupsen/logrus from v1.9.0 to v1.9.3 to address CVE-2025-65637.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@rissh rissh mentioned this pull request Feb 3, 2026
Open
@openshift-merge-robot
Copy link

openshift-merge-robot commented Feb 4, 2026

Fix included in accepted release 4.17.0-0.nightly-2026-02-04-043527

@rissh rissh mentioned this pull request Feb 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bertinatto bertinatto bertinatto left review comments

@wangke19 wangke19 Awaiting requested review from wangke19

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@bertinatto bertinatto

@kasturinarra kasturinarra

@zhouying7780 zhouying7780

@xingxingxia xingxingxia

@lyman9966 lyman9966

@duanwei33 duanwei33

@wangke19 wangke19

@gangwgr gangwgr

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. vendor-update Touching vendor dir or related files verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.