fix(security): update vulnerability-updates [security]#1934
Merged
renovate[bot] merged 1 commit intomainfrom Apr 9, 2026
Merged
fix(security): update vulnerability-updates [security]#1934renovate[bot] merged 1 commit intomainfrom
renovate[bot] merged 1 commit intomainfrom
Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: core/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: flagd-proxy/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
File name: flagd/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
![renovate-approve-2[bot]](https://avatars.githubusercontent.com/in/62175?s=60&v=4){kind=small}
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
✅ Deploy Preview for polite-licorice-3db33c canceled.
|
|
Merged
toddbaert
pushed a commit
that referenced
this pull request
Apr 9, 2026
🤖 I have created a release *beep* *boop* --- <details><summary>flagd: 0.15.2</summary> ## [0.15.2](flagd/v0.15.1...flagd/v0.15.2) (2026-04-09) ### 🐛 Bug Fixes * **security:** update vulnerability-updates [security] ([#1933](#1933)) ([04338dc](04338dc)) * **security:** update vulnerability-updates [security] ([#1934](#1934)) ([40d444a](40d444a)) ### ✨ New Features * gRPC sync experimental incremental updates ([#1922](#1922)) ([d785557](d785557)) </details> <details><summary>flagd-proxy: 0.9.4</summary> ## [0.9.4](flagd-proxy/v0.9.3...flagd-proxy/v0.9.4) (2026-04-09) ### 🐛 Bug Fixes * **security:** update vulnerability-updates [security] ([#1933](#1933)) ([04338dc](04338dc)) * **security:** update vulnerability-updates [security] ([#1934](#1934)) ([40d444a](40d444a)) ### 🧹 Chore * fix proxy test race ([17cd08f](17cd08f)) </details> <details><summary>core: 0.15.2</summary> ## [0.15.2](core/v0.15.1...core/v0.15.2) (2026-04-09) ### 🐛 Bug Fixes * **security:** update vulnerability-updates [security] ([#1933](#1933)) ([04338dc](04338dc)) * **security:** update vulnerability-updates [security] ([#1934](#1934)) ([40d444a](40d444a)) ### ✨ New Features * gRPC sync experimental incremental updates ([#1922](#1922)) ([d785557](d785557)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Signed-off-by: OpenFeature Bot <109696520+openfeaturebot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.14.0→v0.19.0v0.18.0→v0.19.0v1.40.0→v1.43.0v1.42.0→v1.43.0v1.40.0→v1.43.0v1.42.0→v1.43.0v1.40.0→v1.43.0GitHub Vulnerability Alerts
CVE-2026-39882
overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory
bytes.Bufferwithout a size cap.this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).
severity
HIGH
not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.
callsite (pinned):
permalinks (pinned):
root cause:
each exporter client reads
resp.Bodyusingio.Copy(&respData, resp.Body)into abytes.Bufferon both success and error paths, with no upper bound.impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).
affected component:
repro (local-only):
unzip poc.zip -d poc cd poc make canonical resp_bytes=33554432 chunk_delay_ms=0expected output contains:
control (same env, patched target):
unzip poc.zip -d poc cd poc make control resp_bytes=33554432 chunk_delay_ms=0expected control output contains:
attachments: poc.zip (attached)
PR_DESCRIPTION.md
attack_scenario.md
poc.zip
Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108
CVE-2026-39883
Summary
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin
ioregcommand to use an absolute path but left the BSDkenvcommand using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.Root Cause
sdk/resource/host_id.goline 42:Compare with the fixed Darwin path at line 58:
The
execCommandhelper atsdk/resource/host_id_exec.gousesexec.Command(name, arg...)which searches$PATHwhen the command name contains no path separator.Affected platforms (per build tag in
host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.The
kenvpath is reached when/etc/hostiddoes not exist (line 38-40), which is common on FreeBSD systems.Attack
go.opentelemetry.io/otel/sdkkenvbinary earlier in$PATHhostIDReaderBSD.read()callsexec.Command("kenv", ...)which resolves to the malicious binarySame attack vector and impact as CVE-2026-24051.
Suggested Fix
Use the absolute path:
On FreeBSD,
kenvis located at/bin/kenv.Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)
v0.19.0Compare Source
Added
Marshalerconfig option tootlphttpto enable otlp over json or protobufs. (#1586)ForceFlushmethod to the"go.opentelemetry.io/otel/sdk/trace".TracerProviderto flush all registeredSpanProcessors. (#1608)WithSamplerandWithSpanLimitsto tracer provider. (#1633, #1702)"go.opentelemetry.io/otel/trace".SpanContextnow has aremoteproperty, andIsRemote()predicate, that is true when theSpanContexthas been extracted from remote context data. (#1701)Validmethod to the"go.opentelemetry.io/otel/attribute".KeyValuetype. (#1703)Changed
trace.SpanContextis now immutable and has no exported fields. (#1573)trace.NewSpanContext()can be used in conjunction with thetrace.SpanContextConfigstruct to initialize a newSpanContextwhere all values are known.ForceFlushmethod signature to the"go.opentelemetry.io/otel/sdk/trace".SpanProcessorto accept acontext.Contextand return an error. (#1608)Shutdownmethod to the"go.opentelemetry.io/otel/sdk/trace".TracerProviderreturn an error on shutdown failure. (#1608)SpanExporterand gracefully ignore subsequent calls toOnEndafterShutdownis called. (#1612)"go.opentelemetry.io/sdk/metric/controller.basic".WithPusheris replaced withWithExporterto provide consistent naming across project. (#1656)Attributekeys. (#1659)descriptionto SpanStatus only whenStatusCodeis set to error. (#1662)resource.Default'sservice.nameif the exported Span does not have one. (#1673)LabelSetmethod of"go.opentelemetry.io/otel/sdk/resource".ResourcetoSet. (#1692)WithSDKtoWithSDKOptionsto accept variadic arguments ofTracerProviderOptiontype ingo.opentelemetry.io/otel/exporters/trace/jaegerpackage. (#1693)WithSDKtoWithSDKOptionsto accept variadic arguments ofTracerProviderOptiontype ingo.opentelemetry.io/otel/exporters/trace/zipkinpackage. (#1693)"go.opentelemetry.io/otel/sdk/resource".NewWithAttributeswill now drop any invalid attributes passed. (#1703)"go.opentelemetry.io/otel/sdk/resource".StringDetectorwill now error if the produced attribute is invalid. (#1703)Removed
serviceNameparameter from Zipkin exporter and uses resource instead. (#1549)WithConfigfrom tracer provider to avoid overriding configuration. (#1633)SimpleSpanProcessorandBatchSpanProcessorstructs.These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
WithRecord()fromtrace.SpanOptionwhen creating a span. (#1660)Errorwhile recording an error as a span event inRecordError. (#1663)jaeger.WithProcessconfiguration option. (#1673)ApplyConfigmethod from"go.opentelemetry.io/otel/sdk/trace".TracerProviderand the now unneededConfigstruct. (#1693)Fixed
SamplingResult.TraceStateis correctly propagated to a newly created span'sSpanContext. (#1655)otel-collectorexample now correctly flushes metric events prior to shutting down the exporter. (#1678)SpanStatusFromHTTPStatusCodeif it can be inferred fromhttp.status_code. (#1681)TracerProvider. (#1687)Raw changes made between v0.18.0 and v0.19.0
2b4fa96(HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 (#1710)4beb704sdk/trace: removing ApplyConfig and Config (#1693)1d42be1Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (#1702)860d5d8Add flag to determine whether SpanContext is remote (#1701)0fe65e6Comply with OpenTelemetry attributes specification (#1703)8888435Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (#1700)345f264(global-docs) breaking(zipkin): removes servicName from zipkin exporter. (#1697)62cbf0fPopulate Jaeger's Span.Process from Resource (#1673)28eaaa9Add a test to prove the Tracer is safe for concurrent calls (#1665)8b1be11Rename resource pkg label vars and methods (#1692)a1539d4OpenCensus metric exporter bridge (#1444)77aa218Fix issue #1490, apply same logic as in the SDK (#1687)9d3416cFix synchronization issues in global trace delegate implementation (#1686)58f69f0Span status from HTTP code: Do not set status message if it can be inferred (#1681)9c305bdFlush metric events prior to shutdown in OTLP example (#1678)66b1135Fix CHANGELOG (#1680)90bd4abUpdate employer information for maintainers (#1683)3684191Remove WithRecord() option from trace.SpanOption when starting a span (#1660)65c7de2Remove trace prefix from NoOp src files. (#1679)e88a091Make SpanContext Immutable (#1573)d75e268Avoid overriding configuration of tracer provider (#1633)2b4d5acBump github.com/golangci/golangci-lint in /internal/tools (#1671)150b868Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#1667)76aa924Fix the examples target info messaging (#1676)a3aa9fdBump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (#1672)a5edd79Removed setting error status while recording err as span event (#1663)e981475chore(zipkin): improves zipkin example to not to depend on timeouts. (#1566)3dc91f2Add ForceFlush method to TracerProvider (#1608)bd0bba4exporter: swap pusher for exporter (#1656)5690485Update the SimpleSpanProcessor (#1612)a7f7abaSpanStatus description set only when status code is set to Error (#1662)05252f4Jaeger Exporter: Fix minor mapping discrepancies (#1626)238e7c6Add non-empty string check for attribute keys (#1659)e9b9acaAdd tests for propagation of Sampler Tracestate changes (#1655)875a258Add docs on when reviews should be cleared (#1556)7153ef2Add HTTP/JSON to the otlp exporter (#1586)62e2a0fUnexport the simple and batch SpanProcessors (#1638)992837fAdd TracerProvider tests to oteltest harness (#1607)v0.18.0Compare Source
Added
resource.Default()for use with meter and tracer providers. (#1507)AttributePerEventCountLimitandAttributePerLinkCountLimitforSpanLimits. (#1535)Keys()method topropagation.TextMapCarrierandpropagation.HeaderCarrierto adapthttp.Headerto this interface. (#1544)codeattributes togo.opentelemetry.io/otel/semconvpackage. (#1558)Changed
oteltest.SpanRecorderwith its existing implementationStandardSpanRecorder(#1542).MaxEventsPerSpan,MaxAttributesPerSpanandMaxLinksPerSpantoEventCountLimit,AttributeCountLimitandLinkCountLimit, and move these fields intoSpanLimits. (#1535)otel/labelpackage tootel/attribute. (#1541)WithBatchTimeout(5 * time.Second)rather thanWithBatchTimeout(5). (#1621)Removed
span.SetName(). (#1545)test-benchmarkis no longer a dependency of theprecommitmake target. (#1567)test-386make target.This was replaced with a full compatibility testing suite (i.e. multi OS/arch) in the CI system. (#1567)
Fixed
Raw changes made between v0.17.0 and v0.18.0
bb4c297Pre release v0.18.0 (#1635)712c3dcFix makefile ci target and coverage test packages (#1634)841d2a5Rename local var new to not collide with builtin (#1610)13938abUpdate SpanProcessor docs (#1611)e25503aAdd compatibility tests to CI (#1567)1519d95Use reasonable interval in sdktrace.WithBatchTimeout (#1621)7d4496ePass metric labels when transforming to gaugeArray (#1570)6d4a5e0Bump google.golang.org/grpc from 1.35.0 to 1.36.0 in /exporters/otlp (#1619)a93393aBump google.golang.org/grpc in /example/prom-collector (#1620)e499ca8Fix validation for tracestate with vendor and add tests (#1581)43886e5Make timestamps sequential in lastvalue agg check (#1579)37688efrevent end-users from implementing some interfaces (#1575)85e696dUpdating documentation with an working example for creating NewExporter (#1513)562eb28Unify the Added sections of the unreleased changes (#1580)c4cf1afFix Windows build of Jaeger tests (#1577)4a163beFix stdout TestStdoutTimestamp failure with sleep (#1572)bd4701eStagger timestamps in exact aggregator tests (#1569)b94cd4badd code attributes to semconv package (#1558)78c06ceUpdate docs from gitter to slack for communication (#1554)1307c91Remove vendor exclude from license-check (#1552)5d2636eBump github.com/golangci/golangci-lint in /internal/tools (#1565)d7aff47Vendor Thrift dependency (#1551)298c5a1Update span limits to conform with OpenTelemetry specification (#1535)ecf65d7Rename otel/label -> otel/attribute (#1541)1b5b662Remove resampling on span.SetName (#1545)8da5299fix: grpc reconnection (#1521)3bce9c9Add Keys() method to propagation.TextMapCarrier (#1544)0b1a1c7Make oteltest.SpanRecorder into a concrete type (#1542)7d0e3e5SDK span no modification after ended (#1543)7de3b58Remove extra labels types (#1314)73194e4Bump google.golang.org/api from 0.39.0 to 0.40.0 in /exporters/trace/jaeger (#1536)8fae0a6Create resource.Default() with required attributes/default values (#1507)v0.17.0Compare Source
Changed
mastertomain.Resourceattributes are merged, per change in spec. (#1501)9b242bc(upstream/main, origin/main, main) Organize API into Go modules based on stability and dependencies (#1528)e50a1c8Bump actions/cache from v2 to v2.1.4 (#1518)a6aa7f0Bump google.golang.org/api from 0.38.0 to 0.39.0 in /exporters/trace/jaeger (#1517)38efc87Code Improvement - Error strings should not be capitalized (#1488)6b34050Update default branch name (#1505)b39fd05nit: Fix comment to be up-to-date (#1510)186c295Fix golint error of package comment form (#1487)9308d66Bump google.golang.org/api from 0.37.0 to 0.38.0 in /exporters/trace/jaeger (#1506)1952d7bReverse order of attribute precedence when merging two Resources (#1501)ad7b471Remove build flags for runtime/trace support (#1498)4bf4b69Remove inaccurate and unnecessary import comment (#1481)7e19eb6Bump google.golang.org/api from 0.36.0 to 0.37.0 in /exporters/trace/jaeger (#1504)c6a4406Bump github.com/golangci/golangci-lint in /internal/tools (#1503)9524ac0(upstream/master, origin/master, origin/HEAD) Update workflows to include main branch as trigger (#1497)c066f15Bump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /internal/tools (#1478)894e024Bump github.com/golangci/golangci-lint in /internal/tools (#1477)71ffba3Bump google.golang.org/grpc from 1.34.0 to 1.35.0 in /exporters/otlp (#1471)515809aBump github.com/itchyny/gojq from 0.12.0 to 0.12.1 in /internal/tools (#1472)3e96ad1gitignore: remove unused example path (#1474)c562277Histogram aggregator functional options (#1434)0df8cd6Rename Makefile.proto to avoid interpretation as proto file (#1468)979ff51Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 (#1453)1df8b3bBump github.com/gogo/protobuf from 1.3.1 to 1.3.2 in /exporters/otlp (#1456)4c30a90Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /sdk (#1455)5a9f8f6Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/stdout (#1454)7786f34Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/zipkin (#1457)4352a7aBump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/otlp (#1460)6990b3bBump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/metric/prometheus (#1461)7af40d2Bump github.com/stretchr/testify from 1.6.1 to 1.7.0 in /exporters/trace/jaeger (#1463)f16f189Bump google.golang.org/grpc in /example/otel-collector (#1465)fe363beMove Span Event to API (#1452)4392224Bump google.golang.org/grpc in /example/prom-collector (#1466)v0.16.0Compare Source
Added
ReadOnlySpanandReadWriteSpaninterfaces to provide better control for accessing span data. (#1360)NewGRPCDriverfunction returns aProtocolDriverthat maintains a single gRPC connection to the collector. (#1369)NewSplitDriverfor OTLP exporter that allows sending traces and metrics to different endpoints. (#1418)exporters/otlp/otlphttp. Currently it only supports the binary protobuf payloads. (#1420)Changed
internal/testingtointernal/internaltest. (#1449)export.SpanDatatoexport.SpanSnapshotand use it only for exporting spans. (#1360)SpanContextrather than just its span ID in thespanstruct. (#1360)arrayaggregator renamedexactto match itsaggregation.Kind(#1412)exactaggregator includes per-point timestamps (#1412)NewExporterfromexporters/otlpnow takes aProtocolDriveras a parameter. (#1369)uint64. (1430)SamplingResultnow passed aTracestatefrom the parentSpanContext(#1432)exporters/otlp/otlpgrpc. (#1420)TraceContextpropagator now correctly propagatesTraceStatethrough theSpanContext. (#1447)WithExporter()andStart()to configure Push behaviorStart()is optional; useCollect()andForEach()for Pull behaviorStart()andStop()accept Context. (#1378)Removed
errUninitializedSpanas its only usage is now obsolete. (#1360)Fixed
BatchSpanProcessor.Shutdown()will now shutdown underlyingexport.SpanExporter. (#1443)Raw changes made between v0.15.0 and v0.16.0
0aadfb2Prepare release v0.16.0 (#1464)207587bMetric histogram aggregator: Swap in SynchronizedMove to avoid allocations (#1435)c29c6fdShutdown underlying span exporter while shutting down BatchSpanProcessor (#1443)dfece3dCombine the Push and Pull metric controllers (#1378)74deeddHandle tracestate in TraceContext propagator (#1447)49f699dRemove Quantile aggregation, DDSketch aggregator; add Exact timestamps (#1412)9c94941Rename internal/testing to internal/internaltest ([#1449](https://redirect.github.com/open-telemetry/openConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.