Skip to content

Update OLM registry builder to v4.21 to fix CVE-2025-68121#689

Open
BATMAN-JD wants to merge 1 commit intoopenshift:masterfrom
BATMAN-JD:SREP-3588-update-olm-registry-v4.21
Open

Update OLM registry builder to v4.21 to fix CVE-2025-68121#689
BATMAN-JD wants to merge 1 commit intoopenshift:masterfrom
BATMAN-JD:SREP-3588-update-olm-registry-v4.21

Conversation

@BATMAN-JD
Copy link

@BATMAN-JD BATMAN-JD commented Mar 3, 2026

Summary

Update OLM registry builder from v4.19 to v4.21 to fix CVE-2025-68121 (CRITICAL - CVSS 10) in Go stdlib.

Problem

CVE-2025-68121 exists in Go binaries (registry-server, grpc_health_probe, initializer) compiled with Go v1.23.10 in the
v4.19 builder image. This affects all repositories using this template for OLM catalog builds.

Affected: Production, stage, and integration environments across all 17 consumer repositories.

Solution

v4.21 (built Feb 24, 2026) is the latest stable version with the patched Go stdlib. Trivy scan confirms 0 CRITICAL CVEs.

References

@BATMAN-JD
Update OLM registry builder to v4.21 to fix CVE-2025-68121
7aae616 
Update ose-operator-registry-rhel9 from v4.19 to v4.21 in the
Dockerfile.olm-registry template to resolve CVE-2025-68121
(CRITICAL - CVSS 10) in Go stdlib.

The vulnerability exists in Go binaries (registry-server,
grpc_health_probe, initializer) compiled with Go v1.23.10
in the v4.19 builder image.

v4.21 was built on Feb 24, 2026 with patched Go stdlib and
does not contain CVE-2025-68121.

This affects all consuming repositories using this template
for OLM registry builds.

Related: SREP-3588
@openshift-ci openshift-ci bot requested review from bergmannf and joshbranham March 3, 2026 21:58
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BATMAN-JD
Once this PR has been reviewed and has the lgtm label, please assign reedcort for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@BATMAN-JD
Copy link
Author

BATMAN-JD commented Mar 3, 2026

Note on Test Failures

The execute-boilerplate-pr-check failure is due to 2 pre-existing test failures on master that are unrelated to this change:

  • convention/openshift/golang-osd-operator/01-generated-files-checker
  • convention/openshift/golang-osd-operator/07-generate-crd-v1

I verified locally that these same 2 tests fail on clean master (before my change), and the 6 other tests pass successfully on both master and my branch.

This one-line change (v4.19 → v4.21) does not introduce any new test failures.

The 05-build-olm-catalog test (which specifically tests OLM catalog builds) passes successfully.

joshbranham
joshbranham reviewed Mar 4, 2026
View reviewed changes
boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry
@@ -1,4 +1,4 @@
FROM registry.redhat.io/openshift4/ose-operator-registry-rhel9:v4.19 AS builder
FROM registry.redhat.io/openshift4/ose-operator-registry-rhel9:v4.21 AS builder
Copy link
Contributor

@joshbranham joshbranham Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should build an operators catalog registry with this and ensure you can run it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshbranham joshbranham joshbranham left review comments

@bergmannf bergmannf Awaiting requested review from bergmannf

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BATMAN-JD @joshbranham