fix: bump grpc 1.79.3 and go-jose 4.1.4 for CVE fixes#79
Merged
Closes two Dependabot alerts:

* google.golang.org/grpc 1.79.1 -> 1.79.3 closes CVE-2026-33186 (GHSA-p77j-4mvh-x3m3, gRPC-Go authz bypass via missing leading slash in :path). Docker-Sentinel's cluster gRPC server uses mTLS with no path-based authz interceptor, so the bypass is not exploitable here; this is a supply-chain hygiene bump.
* github.com/go-jose/go-jose/v4 4.1.3 -> 4.1.4 (indirect, via coreos/go-oidc/v3) closes CVE-2026-34986 (GHSA-78h2-9frx-2jm8, panic in JWE decryption with key-wrap algs and empty encrypted_key). Sentinel's OIDC flow uses JWS-signed ID tokens not JWE, so the exploit path is low practical risk.

bbolt 1.4.3 (CVE-2026-33817) has no upstream patch yet and is not addressed here.

Local verification: go build + go vet clean, all tests passing.
Will-Luck added a commit that referenced this pull request on Apr 17, 2026:
Closes two Dependabot alerts:

* google.golang.org/grpc 1.79.1 -> 1.79.3 closes CVE-2026-33186 (GHSA-p77j-4mvh-x3m3, gRPC-Go authz bypass via missing leading slash in :path). Docker-Sentinel's cluster gRPC server uses mTLS with no path-based authz interceptor, so the bypass is not exploitable here; this is a supply-chain hygiene bump.
* github.com/go-jose/go-jose/v4 4.1.3 -> 4.1.4 (indirect, via coreos/go-oidc/v3) closes CVE-2026-34986 (GHSA-78h2-9frx-2jm8, panic in JWE decryption with key-wrap algs and empty encrypted_key). Sentinel's OIDC flow uses JWS-signed ID tokens not JWE, so the exploit path is low practical risk.

bbolt 1.4.3 (CVE-2026-33817) has no upstream patch yet and is not addressed here.

Local verification: go build + go vet clean, all tests passing.

Co-authored-by: Will Luck <noreply@github.com>
Will-Luck added a commit that referenced this pull request on Jun 1, 2026.
Summary
Close the two fixable Dependabot alerts on this repo with a clean 3-file dep bump. No source changes.
Alerts addressed
* google.golang.org/grpc
* github.com/go-jose/go-jose/v4 (indirect)

Risk analysis
Neither CVE is exploitable on Docker-Sentinel in practice:
* grpc/authz or custom info.FullMethod matching). The cluster gRPC server at internal/cluster/server/server.go:217 uses grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg))) — mTLS at the handshake layer, no path-based authz. There is nothing to bypass.
* alg and empty encrypted_key. Sentinel's OIDC flow uses JWS-signed ID tokens (not JWE). The code path isn't reachable here.

The bumps are still correct for supply-chain hygiene and to close the alert badges.
Not in this PR
* go.etcd.io/bbolt 1.4.3 (CVE-2026-33817) — no upstream patch yet (first_patched_version: null). Exploit requires a corrupted DB file, which Sentinel's local.db isn't. Will re-evaluate when 1.4.4 ships.

Test plan

* go build ./... clean
* go vet ./... clean
* go test ./... — all packages pass
* go mod tidy idempotent

Files changed

* go.mod — 2 lines (grpc + go-jose versions)
* go.sum — updated hashes
* CHANGELOG.md — new [Unreleased] / ### Security section

Related work
This PR was developed on the homelab Gitea mirror first (PR #70 on GiteaLN/Docker-Sentinel) where it passed CI and was merged to Gitea main. Because the two main branches have drifted (Gitea main and github main have diverged commit histories), the mirror here is a clean re-apply of just the 3 files rather than a cherry-pick of the Gitea squash commit.
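Added example, not code from this PR or from Docker-Sentinel: a stand-alone Go check in the spirit of the test plan above that parses go.mod text and reports any required module still below the versions this PR bumps to (grpc v1.79.3, go-jose/v4 v4.1.4), so a later merge cannot silently regress them. The floor table and the sample go.mod are constructed for the example; bbolt is deliberately absent because no patched version exists yet.

```go
package main

import "fmt"
import "strings"

// Floors from this PR. Assumption: this is an added CI gate, not Docker-Sentinel code.
var minVersions = map[string]string{
	"google.golang.org/grpc":        "v1.79.3",
	"github.com/go-jose/go-jose/v4": "v4.1.4",
}

// sampleGoMod is a constructed go.mod fragment (not Sentinel's) still at the pre-bump versions.
const sampleGoMod = "require (\n\tgoogle.golang.org/grpc v1.79.1\n\tgithub.com/go-jose/go-jose/v4 v4.1.3 // indirect\n)\n"

// requireVersions maps module -> version from go.mod text, including "// indirect" deps.
func requireVersions(gomod string) map[string]string {
	out, block := map[string]string{}, "" // block: name of the open "( ... )" directive
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop trailing comments
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // require, replace, exclude, ...
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require", block == "require" && len(f) == 2:
			out[f[len(f)-2]] = f[len(f)-1] // "require m v" or "m v" inside a require block
		}
	}
	return out
}

// versionLess compares vMAJOR.MINOR.PATCH numerically; pre-release suffixes are ignored.
func versionLess(a, b string) bool {
	var pa, pb [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &pa[0], &pa[1], &pa[2])
	fmt.Sscanf(b, "v%d.%d.%d", &pb[0], &pb[1], &pb[2])
	return pa[0] < pb[0] || pa[0] == pb[0] && (pa[1] < pb[1] || pa[1] == pb[1] && pa[2] < pb[2])
}

// Findings returns module -> version for every required module that sits below its floor.
func Findings(gomod string) map[string]string {
	out := map[string]string{}
	for mod, v := range requireVersions(gomod) {
		if floor, ok := minVersions[mod]; ok && versionLess(v, floor) {
			out[mod] = v
		}
	}
	return out
}
```

Feed Findings the module's real go.mod contents in CI and fail the job when the map is non-empty; replace and exclude blocks are skipped so a replaced module is not misread as a requirement.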