Skip to content

Fixed Go Vulns due to istioctl and rootless docker kit #580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
priyaananthasankar merged 5 commits into from
Dec 10, 2025
Merged

Fixed Go Vulns due to istioctl and rootless docker kit #580

priyaananthasankar merged 5 commits into from
Dec 10, 2025

Conversation

@priyaananthasankar
Copy link
Contributor

@priyaananthasankar priyaananthasankar commented Dec 9, 2025
edited
Loading

Vulnerability Summary

Vulnerabilities Fixed ✅

1. istioctl (FIXED)

Location: usr/local/bin/istioctl

Vulnerabilities:

Fix Applied: Updated from version 1.28.0 to 1.28.1 (released Dec 3, 2025)

  • Line 175: ENV ISTIO_VERSION=1.28.1
  • This version should include updated dependencies and be compiled with newer Go stdlib

Why it can be fixed: Istio releases are frequent and the latest stable version (1.28.1) contains the necessary security patches.

2. rootlesskit (FIXED)

Location: usr/bin/rootlesskit and usr/bin/rootlesskit-docker-proxy

Vulnerabilities:

  • stdlib v1.24.3 → needs v1.24.4 or v1.24.6

Fix Applied: Pinned to explicit version v2.3.5 (latest stable, released May 2025)

  • Line 225: Changed from dynamic lookup to ROOTLESSKIT_VERSION=v2.3.5

Why it can be fixed: The latest stable release v2.3.5 should be compiled with a newer Go version that addresses the stdlib vulnerabilities. By pinning the version, we ensure reproducible builds and can track when newer versions are available.

Summary Table

Tool Status Action Taken Reason
istioctl ✅ Fixed Updated to v1.28.1 Latest stable includes security patches
rootlesskit ✅ Fixed Pinned to v2.3.5 Latest stable compiled with newer Go
image

Rootless kit remains same

image

Copilot AI reviewed Dec 9, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Go vulnerabilities in the Cloud Shell base Docker image by updating two components: istioctl (from dynamic latest version to pinned v1.28.1) and rootlesskit (from dynamic latest to pinned v2.3.5). These updates resolve several CVEs including CVE-2019-14993, CVE-2021-39155, CVE-2021-39156, and CVE-2022-23635, along with stdlib vulnerabilities requiring Go 1.24.6+.

Key Changes:

  • Pinned istioctl to version 1.28.1 with direct GitHub release download
  • Pinned rootlesskit to version 2.3.5 (replacing dynamic version lookup)
  • Updated installation method for istioctl from legacy script to direct tarball download

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@priyaananthasankar priyaananthasankar merged commit 7d19c8d into master Dec 10, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@robins1212 robins1212 robins1212 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@priyaananthasankar @robins1212