
Commit be2cd7a

fix: cherry-pick OTel SDK v1.43.0 for CVE-2026-39883 (v2.32.x) (#25227)
Cherry-pick of #24078 (commit 0552b92) to `release/2.32`. Bumps OpenTelemetry Go SDK from v1.42.0 to v1.43.0 to fix CVE-2026-39883 (PATH hijacking on BSD/Solaris via bare `kenv` command in `go.opentelemetry.io/otel/sdk`). Refs GHSA-hfvc-g4fc-pqhx <details> <summary>Version changes</summary> | Package | Before | After | |---------|--------|-------| | `go.opentelemetry.io/otel` | v1.42.0 | v1.43.0 | | `go.opentelemetry.io/otel/sdk` | v1.42.0 | v1.43.0 | | `go.opentelemetry.io/otel/trace` | v1.42.0 | v1.43.0 | | `go.opentelemetry.io/otel/metric` | v1.42.0 | v1.43.0 | | `go.opentelemetry.io/otel/sdk/metric` | v1.42.0 | v1.43.0 | | `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` | v0.67.0 | v0.68.0 | </details> > 🤖 Generated by Coder Agents Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent a7e6c6e commit be2cd7a

2 files changed

Lines changed: 18 additions & 18 deletions


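--- a/go.mod
+++ b/go.mod
@@ -211,11 +211,11 @@ require (
 github.com/zclconf/go-cty-yaml v1.2.0
 go.mozilla.org/pkcs7 v0.9.0
 go.nhat.io/otelsql v0.16.0
-go.opentelemetry.io/otel v1.42.0
+go.opentelemetry.io/otel v1.43.0
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0
-go.opentelemetry.io/otel/sdk v1.42.0
-go.opentelemetry.io/otel/trace v1.42.0
+go.opentelemetry.io/otel/sdk v1.43.0
+go.opentelemetry.io/otel/trace v1.43.0
 go.uber.org/atomic v1.11.0
 go.uber.org/goleak v1.3.1-0.20240429205332-517bace7cc29
 go.uber.org/mock v0.6.0
@@ -458,8 +458,8 @@ require (
 go.opentelemetry.io/collector/pdata/pprofile v0.121.0 // indirect
 go.opentelemetry.io/collector/semconv v0.123.0 // indirect
 go.opentelemetry.io/contrib v1.19.0 // indirect
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0
-go.opentelemetry.io/otel/metric v1.42.0 // indirect
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
+go.opentelemetry.io/otel/metric v1.43.0 // indirect
 go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.1 // indirect
@@ -628,7 +628,7 @@ require (
 github.com/zeebo/xxh3 v1.0.2 // indirect
 go.opentelemetry.io/contrib/detectors/gcp v1.40.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect
-go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
+go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 go.yaml.in/yaml/v2 v2.4.3 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
 go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect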

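--- a/go.sum
+++ b/go.sum
@@ -1311,11 +1311,11 @@ go.opentelemetry.io/contrib/detectors/gcp v1.40.0 h1:Awaf8gmW99tZTOWqkLCOl6aw1/r
 go.opentelemetry.io/contrib/detectors/gcp v1.40.0/go.mod h1:99OY9ZCqyLkzJLTh5XhECpLRSxcZl+ZDKBEO+jMBFR4=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
 go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
-go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
-go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0/go.mod h1:bTdK1nhqF76qiPoCCdyFIV+N/sRHYXYCTQc+3VCi3MI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 h1:DvJDOPmSWQHWywQS6lKL+pb8s3gBLOZUtw4N+mavW1I=
@@ -1326,16 +1326,16 @@ go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3A
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0/go.mod h1:3y6kQCWztq6hyW8Z9YxQDDm0Je9AJoFar2G0yDcmhRk=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 h1:SNhVp/9q4Go/XHBkQ1/d5u9P/U+L1yaGPoi0x+mStaI=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0/go.mod h1:tx8OOlGH6R4kLV67YaYO44GFXloEjGPZuMjEkaaqIp4=
-go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
-go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
 go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs=
-go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
-go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
-go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
-go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
 go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
-go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
-go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
 go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=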
