fix(deps): Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] - autoclosed by cloudquery-ci[bot] · Pull Request #22491 · cloudquery/cloudquery

cloudquery-ci · 2026-04-08T20:16:05Z

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	`v1.42.0` → `v1.43.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-39883

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
Attacker places a malicious kenv binary earlier in $PATH
Application initializes OpenTelemetry resource detection at startup
hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

`v1.43.0`: /v0.65.0/v0.19.0

Compare Source

Added

Add IsRandom and WithRandom on TraceFlags, and IsRandom on SpanContext in go.opentelemetry.io/otel/trace
for W3C Trace Context Level 2 Random Trace ID Flag support. (#8012)
Add service detection with WithService in go.opentelemetry.io/otel/sdk/resource. (#7642)
Add DefaultWithContext and EnvironmentWithContext in go.opentelemetry.io/otel/sdk/resource to support plumbing context.Context through default and environment detectors. (#8051)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#8038)
Support attributes with empty value (attribute.EMPTY) in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8038)
Add support for per-series start time tracking for cumulative metrics in go.opentelemetry.io/otel/sdk/metric.
Set OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true to enable. (#8060)
Add WithCardinalityLimitSelector for metric reader for configuring cardinality limits specific to the instrument kind. (#7855)

Changed

Introduce the EMPTY Type in go.opentelemetry.io/otel/attribute to reflect that an empty value is now a valid value, with INVALID remaining as a deprecated alias of EMPTY. (#8038)
Refactor slice handling in go.opentelemetry.io/otel/attribute to optimize short slice values with fixed-size fast paths. (#8039)
Improve performance of span metric recording in go.opentelemetry.io/otel/sdk/trace by returning early if self-observability is not enabled. (#8067)
Improve formatting of metric data diffs in go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest. (#8073)

Deprecated

Deprecate INVALID in go.opentelemetry.io/otel/attribute. Use EMPTY instead. (#8038)

Fixed

Return spec-compliant TraceIdRatioBased description. This is a breaking behavioral change, but it is necessary to
make the implementation spec-compliant. (#8027)
Fix a race condition in go.opentelemetry.io/otel/sdk/metric where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (#8056)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
Limit HTTP response body to 4 MiB in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to mitigate excessive memory usage caused by a misconfigured or malicious server.
Responses exceeding the limit are treated as non-retryable errors. (#8108)
WithHostID detector in go.opentelemetry.io/otel/sdk/resource to use full path for kenv command on BSD. (#8113)
Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to correctly handle HTTP2 GOAWAY frame. (#8096)

What's Changed

chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by @renovate[bot] in #8014
fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to 190d7d4 by @renovate[bot] in #8013
chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by @renovate[bot] in #8016
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by @renovate[bot] in #8011
fix(deps): update golang.org/x by @renovate[bot] in #8023
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by @renovate[bot] in #8020
chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by @renovate[bot] in #8017
chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by @renovate[bot] in #8019
Add doc on how to upgrade to new semconv by @jmmcorreia in #7807
fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by @renovate[bot] in #8028
resource: add WithService detector option by @codeboten in #7642
fix(deps): update googleapis to a57be14 by @renovate[bot] in #8031
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by @renovate[bot] in #8032
chore(deps): update module github.com/prometheus/procfs to v0.20.1 by @renovate[bot] in #8034
chore(deps): update github.com/securego/gosec/v2 digest to 8895462 by @renovate[bot] in #8036
chore(deps): update module github.com/sonatard/noctx to v0.5.1 by @renovate[bot] in #8040
chore(deps): update github.com/securego/gosec/v2 digest to 6e66a94 by @renovate[bot] in #8043
docs(otlp): document HTTP/protobuf insecure env vars by @marcschaeferger in #8037
Rebuild semconvkit and verifyreadmes on changes by @MrAlias in #7995
chore(sdk/trace): join errors properly by @ash2k in #8030
fix(deps): update googleapis to 84a4fc4 by @renovate[bot] in #8048
attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by @pellared in #8038
fix(sdk/trace): return spec-compliant TraceIdRatioBased description by @ash2k in #8027
linting: add depguard rule to enforce semconv version by @ajuijas in #8041
chore(deps): update actions/download-artifact action to v8.0.1 by @renovate[bot] in #8046
chore(deps): update github.com/securego/gosec/v2 digest to b7b2c7b by @renovate[bot] in #8044
fix(deps): update golang.org/x by @renovate[bot] in #8045
Optimize attribute slice conversion by @MrAlias in #8039
Add benchmarks for end-to-end metrics SDK usage by @dashpole in #7768
fix(deps): update golang.org/x by @renovate[bot] in #8052
chore(deps): update github.com/securego/gosec/v2 digest to befce8d by @renovate[bot] in #8053
trace: add Random Trace ID Flag by @yuanyuanzhao3 in #8012
Improve aggregation concurrent safe tests by @dashpole in #8021
Add tests for exponential histogram concurrent-safety edge-cases by @dashpole in #8024
exphist: replace min, max, sum, and count with atomics by @dashpole in #8025
chore(deps): update github.com/securego/gosec/v2 digest to c2dfcec by @renovate[bot] in #8055
chore(deps): update otel/weaver docker tag to v0.22.0 by @renovate[bot] in #8058
chore(deps): update github.com/securego/gosec/v2 digest to dec52c4 by @renovate[bot] in #8063
chore(deps): update otel/weaver docker tag to v0.22.1 by @renovate[bot] in #8061
chore(deps): update github/codeql-action action to v4.33.0 by @renovate[bot] in #8065
Fix race in the lastvalue aggregation where 0 could be observed by @dashpole in #8056
chore(deps): update github.com/securego/gosec/v2 digest to 744bfb5 by @renovate[bot] in #8064
Migrate to new bare metal runner (Ubuntu 24) by @trask in #8068
sdk/resource: add WithContext variants for Default and Environment (#7808) by @ajuijas in #8051
Use atomics for exponential histogram buckets by @dashpole in #8057
Added the internal/observ package to stdoutlog by @yumosx in #7735
Add support for the development per-series starttime feature by @dashpole in #8060
sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by @kouji-yoshimura in #8067
Cleanup exemplar featuregate readme by @dashpole in #8072
chore(deps): update codecov/codecov-action action to v5.5.3 by @renovate[bot] in #8080
chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by @renovate[bot] in #8083
fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to de6f1cc by @renovate[bot] in #8082
chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by @renovate[bot] in #8085
chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by @renovate[bot] in #8084
chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by @renovate[bot] in #8081
fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by @renovate[bot] in #8086
chore(deps): update actions/cache action to v5.0.4 by @renovate[bot] in #8079
chore(deps): update module github.com/fatih/color to v1.19.0 by @renovate[bot] in #8087
fix(deps): update googleapis to d00831a by @renovate[bot] in #8078
chore(deps): update golang.org/x/telemetry digest to b6b0c46 by @renovate[bot] in #8076
fix(deps): update module google.golang.org/grpc to v1.79.3 [security] by @renovate[bot] in #8075
sdk/metric: Support specifying cardinality limits per instrument kinds by @petern48 in #7855
chore(deps): update github/codeql-action action to v4.34.0 by @renovate[bot] in #8088
chore(deps): update codspeedhq/action action to v4.12.1 by @renovate[bot] in #8089
chore(deps): update github/codeql-action action to v4.34.1 by @renovate[bot] in #8090
fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by @renovate[bot] in #8092
chore: fix noctx issues by @mmorel-35 in #8008
chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by @renovate[bot] in #8095
chore(deps): update codecov/codecov-action action to v5.5.4 by @renovate[bot] in #8097
chore(deps): update codecov/codecov-action action to v6 by @renovate[bot] in #8098
chore(deps): update module github.com/tetafro/godot to v1.5.6 by @renovate[bot] in #8099
chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by @renovate[bot] in #8100
chore(deps): update github/codeql-action action to v4.35.0 by @renovate[bot] in #8101
chore(deps): update actions/setup-go action to v6.4.0 by @renovate[bot] in #8107
chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by @renovate[bot] in #8106
chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by @renovate[bot] in #8103
chore(deps): update github/codeql-action action to v4.35.1 by @renovate[bot] in #8102
chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by @renovate[bot] in #8109
metricdatatest: Improve printing of diffs by @dashpole in #8073
fix(deps): update googleapis to d5a96ad by @renovate[bot] in #8112
chore(deps): update codspeedhq/action action to v4.13.0 by @renovate[bot] in #8114
fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by @renovate[bot] in #8119
chore(deps): update fossas/fossa-action action to v1.9.0 by @renovate[bot] in #8118
chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by @renovate[bot] in #8115
fix(deps): update googleapis to 9d38bb4 by @renovate[bot] in #8117
fix: support getBody in otelploghttp by @Tpuljak in #8096
fix(deps): update module google.golang.org/grpc to v1.80.0 by @renovate[bot] in #8121
Use an absolute path when calling bsd kenv by @dmathieu in #8113
limit response body size for OTLP HTTP exporters by @pellared in #8108
chore(deps): update github.com/golangci/dupl digest to c99c5cf by @renovate[bot] in #8122
chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by @renovate[bot] in #8131
Release v1.43.0 / v0.65.0 / v0.19.0 by @dmathieu in #8128

New Contributors

@jmmcorreia made their first contribution in #7807
@marcschaeferger made their first contribution in #8037
@ajuijas made their first contribution in #8041
@yuanyuanzhao3 made their first contribution in #8012
@kouji-yoshimura made their first contribution in #8067
@Tpuljak made their first contribution in #8096

Full Changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

cloudquery-ci · 2026-04-08T20:16:08Z