
fix(module): fix CVE-2025-54410 and CVE-2025-54410

Open Isteb4k opened this issue 5 months ago • 1 comment

Description

Checklist

  • [ ] The code is covered by unit tests.
  • [ ] e2e tests passed.
  • [ ] Documentation updated according to the changes.
  • [ ] Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: fix cve CVE-2025-58058

Isteb4k Oct 09 '25 21:10


Reviewer's Guide

Patch CVE-2025-58058 by enhancing the CDI artifact build to use a timestamped cache version and the correct branch, and by bumping the xz library to v0.5.15.

File-Level Changes

Change: Add cache-busting timestamp and correct git branch to CDI build script
Details:
  • Insert installCacheVersion shell variable using current timestamp
  • Update git clone command to use the fix/module/fix-cve branch
Files: images/cdi-artifact/werf.inc.yaml

Change: Upgrade xz dependency to mitigate CVE-2025-58058
Details:
  • Bump github.com/ulikunitz/xz from v0.5.12 to v0.5.15
  • Regenerate go.sum to reflect the updated dependency
Files: images/dvcr-artifact/go.mod, images/dvcr-artifact/go.sum


sourcery-ai[bot] Oct 09 '25 21:10
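An added check for the dependency bump described in the guide above (example code, not part of this PR or the project): it reads a go.mod as text and confirms that github.com/ulikunitz/xz is pinned at or above v0.5.15, the version the summary names as the fix for CVE-2025-58058. The go.mod fragment below is constructed; the module name and fixed version are the ones stated in the guide.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module and minimum fixed version as named in the PR summary (CVE-2025-58058).
const xzModule, xzFixed = "github.com/ulikunitz/xz", "v0.5.15"
// Constructed go.mod fragment (not the project's real file) still on the vulnerable pin.
const goModBefore = "module example.com/dvcr-artifact\n\ngo 1.22\n\nrequire (\n\tgithub.com/ulikunitz/xz v0.5.12 // indirect\n)\n"

// semver parses "v0.5.12" into [0 5 12]; pre-release/build suffixes are ignored.
func semver(v string) (out [3]int, err error) {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("bad version %q", v)
		}
	}
	return out, nil
}

// RequiredVersion returns the module's pin (single-line or inside a require block), or "" if absent.
func RequiredVersion(gomod, module string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1]
		}
	}
	return ""
}

// IsPatched is true only if go.mod pins module at or above fixed; a missing or malformed pin is an error.
func IsPatched(gomod, module, fixed string) (bool, error) {
	h, err := semver(RequiredVersion(gomod, module))
	f, _ := semver(fixed)
	for i := range h {
		if err == nil && h[i] != f[i] {
			return h[i] > f[i], nil
		}
	}
	return err == nil, err
}

func main() { fmt.Println(IsPatched(goModBefore, xzModule, xzFixed)) } // false <nil>
```

Running it against the real images/dvcr-artifact/go.mod after the bump should report true; a pseudo-version or an unpinned module is reported as an error rather than as patched.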