Releases: PrPlanIT/HASteward
latest-dev
📦 release — v0.1.0-dev+002373e
Release type: stable • Commit: 002373e
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+002373e-linux-amd64.tar.gz | 10.7 MB | 5ffa40f503b7… |
| linux/arm64 | hasteward-0.1.0-dev+002373e-linux-arm64.tar.gz | 9.4 MB | 263a1aeccf79… |
Full checksums
5ffa40f503b799e66314f5be619d23796a51f47166c00467f79d176041c3c7ec hasteward-0.1.0-dev+002373e-linux-amd64.tar.gz
263a1aeccf795f3eedf37aa13f2f6d29354def68673165355a9a15cb237eed20 hasteward-0.1.0-dev+002373e-linux-arm64.tar.gz
Notable Changes
Features
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Documentation
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight)
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Full changelog
- [002373e] update managed dependencies (stagefreight)
- [b6c5b01] gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- [45cbf4c] bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- [0175358] restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
- [d5b7f94] recovery classification + universal disk breakdown (SoFMeRight)
- [2cafc99] container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- [f8bbfaf] governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
- [bf5ee0c] refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT)
- [ed61da6] refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT)
dev-f10da15
📦 release — v0.1.0-dev+f10da15
Release type: stable • Commit: f10da15
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-f10da15 latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-f10da15 latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:0405d5bed9619d178d9b74ec21ca05f1de45fb3c84d65d4f70a5a9906f328f2f
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:0405d5bed9619d178d9b74ec21ca05f1de45fb3c84d65d4f70a5a9906f328f2f
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+f10da15-linux-amd64.tar.gz | 10.8 MB | bcdec9ce4b0c… |
| linux/arm64 | hasteward-0.1.0-dev+f10da15-linux-arm64.tar.gz | 9.5 MB | 2a505b89fcb1… |
Full checksums
bcdec9ce4b0cdc004df6bdcbc0f76d2f6cc214cdb5abffbe73041a2d17313907 hasteward-0.1.0-dev+f10da15-linux-amd64.tar.gz
2a505b89fcb1934d323f028a9b5bc0a312ef0070db84e062671d03bac0eb59e3 hasteward-0.1.0-dev+f10da15-linux-arm64.tar.gz
Notable Changes
Features
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- repair: correct inverted reconcile-loop toggle that left clusters unreconciled (SoFMeRight)
- repair: acquire the heal PVC via reconcile-disable, not a delete race (SoFMeRight)
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Refactoring
- engine: extract shared cnpgjob.Run primitive; prunewal inherits the reconcile fix (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×11
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validated the host/authority com... |
| High | GO-2025-4006 | stdlib | go1.23.3 | 1.24.8 | The ParseAddress function constructs domain-literal addre... |
| High | GO-2025-4009 | stdlib | go1... |
dev-6b40928
📦 release — v0.1.0-dev+6b40928
Release type: stable • Commit: 6b40928
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-6b40928 latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-6b40928 latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:0670a02ba72ef5ba8e55fb24f21ca856895a7ea6d4e876dd84246d14ee3ef813
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:0670a02ba72ef5ba8e55fb24f21ca856895a7ea6d4e876dd84246d14ee3ef813
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+6b40928-linux-amd64.tar.gz | 10.8 MB | 1335dfa76b08… |
| linux/arm64 | hasteward-0.1.0-dev+6b40928-linux-arm64.tar.gz | 9.5 MB | 91ed19a8fc0d… |
Full checksums
1335dfa76b084d4ab474b59b364b7de854ab210420bb8b1b9c6c23b4600c6e41 hasteward-0.1.0-dev+6b40928-linux-amd64.tar.gz
91ed19a8fc0d23e9dd0bb199fa624b72bec21ffcd3bf8b6feb752a7b864b7140 hasteward-0.1.0-dev+6b40928-linux-arm64.tar.gz
Notable Changes
Features
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- repair: correct inverted reconcile-loop toggle that left clusters unreconciled (SoFMeRight)
- repair: acquire the heal PVC via reconcile-disable, not a delete race (SoFMeRight)
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×10
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validated the host/authority com... |
| High | GO-2025-4006 | stdlib | go1.23.3 | 1.24.8 | The ParseAddress function constructs domain-literal addre... |
| High | GO-2025-4009 | stdlib | go1.23.3 | 1.24.8 | The processing time for parsing some invalid inputs scale... |
| High | GO-2026-5018 | golang.org/x/cr... |
dev-4b4b3e9
📦 release — v0.1.0-dev+4b4b3e9
Release type: stable • Commit: 4b4b3e9
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-4b4b3e9 latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-4b4b3e9 latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:a29c3d5258fc8fa4b91f514851b9a0ca6789af44cbfc75238ce587b540fc434e
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:a29c3d5258fc8fa4b91f514851b9a0ca6789af44cbfc75238ce587b540fc434e
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+4b4b3e9-linux-amd64.tar.gz | 10.8 MB | 8ecc364d81b4… |
| linux/arm64 | hasteward-0.1.0-dev+4b4b3e9-linux-arm64.tar.gz | 9.5 MB | 785aba4a36f0… |
Full checksums
8ecc364d81b4e2a0fe7271993df22dd59ab38878181b9690bc22c61280ea6f3a hasteward-0.1.0-dev+4b4b3e9-linux-amd64.tar.gz
785aba4a36f0aab31447ed5da5dc62f5c15f5929635dde454c244d0354d1bb5d hasteward-0.1.0-dev+4b4b3e9-linux-arm64.tar.gz
Notable Changes
Features
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- repair: acquire the heal PVC via reconcile-disable, not a delete race (SoFMeRight)
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×9
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validated the host/authority com... |
| High | GO-2025-4006 | stdlib | go1.23.3 | 1.24.8 | The ParseAddress function constructs domain-literal addre... |
| High | GO-2025-4009 | stdlib | go1.23.3 | 1.24.8 | The processing time for parsing some invalid inputs scale... |
| High | GO-2026-5018 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The RSA and DSA public key parsers did not enforce size l... |
| High | G... |
dev-4634ebf
📦 release — v0.1.0-dev+4634ebf
Release type: stable • Commit: 4634ebf
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-4634ebf latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-4634ebf latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:a7765e9960cedbb16b215601d4b5300a6a0369a1aefda0bb3ded2384f99bf924
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:a7765e9960cedbb16b215601d4b5300a6a0369a1aefda0bb3ded2384f99bf924
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+4634ebf-linux-amd64.tar.gz | 10.8 MB | 89b0f8e33d5e… |
| linux/arm64 | hasteward-0.1.0-dev+4634ebf-linux-arm64.tar.gz | 9.5 MB | 8c60c672dcec… |
Full checksums
89b0f8e33d5e281e1795872d73143005c2060ad1db2ec0d44738bf9956b52ebb hasteward-0.1.0-dev+4634ebf-linux-amd64.tar.gz
8c60c672dcec28be9458b1d59e1a76cd3d5bd92f4f95d656920c7d481f243b67 hasteward-0.1.0-dev+4634ebf-linux-arm64.tar.gz
Notable Changes
Features
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×8
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validated the host/authority com... |
| High | GO-2025-4006 | stdlib | go1.23.3 | 1.24.8 | The ParseAddress function constructs domain-literal addre... |
| High | GO-2025-4009 | stdlib | go1.23.3 | 1.24.8 | The processing time for parsing some invalid inputs scale... |
| High | GO-2026-5018 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The RSA and DSA public key parsers did not enforce size l... |
| High | GO-2026-4977 | stdlib | go1.23.3 | 1.25.10 | Pathological inputs could cause DoS through c... |
dev-43f2869
📦 release — v0.1.0-dev+43f2869
Release type: stable • Commit: 43f2869
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-43f2869 latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-43f2869 latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:aa3dac2abe945bd456ae051836c5d70699647130ff3c29bcae075447f6b3b1db
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:aa3dac2abe945bd456ae051836c5d70699647130ff3c29bcae075447f6b3b1db
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+43f2869-linux-amd64.tar.gz | 10.8 MB | 95bd82e0e388… |
| linux/arm64 | hasteward-0.1.0-dev+43f2869-linux-arm64.tar.gz | 9.5 MB | b30e2beb638a… |
Full checksums
95bd82e0e38801c59e5c1d5f1a68e4f0c73f874dbe9434a53de32adb7de652b6 hasteward-0.1.0-dev+43f2869-linux-amd64.tar.gz
b30e2beb638a096087f0d6ce62a0415b6906affb430ee41bd106831ae50d34b1 hasteward-0.1.0-dev+43f2869-linux-arm64.tar.gz
Notable Changes
Features
- engine: serialize cluster operations with a coordination Lease (SoFMeRight)
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- cnpgjob: harden reconcile restore — detached-ctx retry + re-enable before unfence (SoFMeRight)
- repair: correct inverted reconcile-loop toggle that left clusters unreconciled (SoFMeRight)
- repair: acquire the heal PVC via reconcile-disable, not a delete race (SoFMeRight)
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Refactoring
- engine: extract shared cnpgjob.Run primitive; prunewal inherits the reconcile fix (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×13
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validat... |
dev-38c0624
📦 release — v0.1.0-dev+38c0624
Release type: stable • Commit: 38c0624
Security: 🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | dev-38c0624 latest-dev |
| cr.pcfae.com | cr.pcfae.com/prplanit/hasteward | dev-38c0624 latest-dev |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:fe85e46a71da75c562fd7c18278baebb4aa18f426d7ae142df7fe97ad70575a7
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:fe85e46a71da75c562fd7c18278baebb4aa18f426d7ae142df7fe97ad70575a7
Downloads
| Platform | File | Size | SHA-256 |
|---|---|---|---|
| linux/amd64 | hasteward-0.1.0-dev+38c0624-linux-amd64.tar.gz | 10.8 MB | 7a24a6fa2fc9… |
| linux/arm64 | hasteward-0.1.0-dev+38c0624-linux-arm64.tar.gz | 9.5 MB | 42c578522242… |
Full checksums
7a24a6fa2fc9aed0b61bb0126f666d17950745739783415213e3ab0a785dbd23 hasteward-0.1.0-dev+38c0624-linux-amd64.tar.gz
42c5785222420dcb88c19ba271c8e2562f54e64162174e4343a23dd6faa18e6b hasteward-0.1.0-dev+38c0624-linux-arm64.tar.gz
Notable Changes
Features
- wire --unwedge flag + dry-run preview for the deadlock-breaker (SoFMeRight)
- CNPG deadlock-breaker PreAssess (repair Phase 0, --unwedge) (SoFMeRight)
- RecoveryProof typed gate for the deadlock-breaker (SoFMeRight)
- pre-capture escrow space guard (EstimateCaptureBytes + AvailableBytes) (SoFMeRight)
- storage-agnostic verified escrow (VolumeSnapshot + ResticPVC) (SoFMeRight)
- triage/cnpg: recovery classification + universal disk breakdown (SoFMeRight)
Bug Fixes
- cnpgjob: harden reconcile restore — detached-ctx retry + re-enable before unfence (SoFMeRight)
- repair: correct inverted reconcile-loop toggle that left clusters unreconciled (SoFMeRight)
- repair: acquire the heal PVC via reconcile-disable, not a delete race (SoFMeRight)
- unwedge re-clones the disposables it clears (end-to-end break) (SoFMeRight)
- unwedge dry-run stops cleanly + logs the plan in any output mode (SoFMeRight)
- drop misleading CNPG diskPct:0; derive disk notes from PVC probe (SoFMeRight)
- ci: gitignore generated .stagefreight artifacts (deps git-clean check) (SoFMeRight)
- deps: bump moby/spdystream 0.5.0 -> 0.5.1 (osv CRIT GO-2026-4958) (SoFMeRight)
- ci: restore current-schema .stagefreight.yml (governance preset config was unparseable) (SoFMeRight)
Refactoring
- engine: extract shared cnpgjob.Run primitive; prunewal inherits the reconcile fix (SoFMeRight)
Documentation
- refresh generated docs and badges [skip ci] (stagefreight) ×12
- container-usage runbook + escrow-deadlock TODO (SoFMeRight)
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
Maintenance
- deps: update managed dependencies (stagefreight) ×2
- governance reconcile from PrPlanIT/MaintenancePolicy 928f9dbcf7f65387d30d3f73aaf65ea57c55ec55 (StageFreight-PrPlanIT)
Security
🛡️ ❌ Critical — 18 critical and 50 high vulnerabilities detected
Vulnerability details (18 critical, 50 high, 79 medium, 6 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | google.golang.org/grpc/grpc-go: google.golang.org/grpc/au... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GO-2024-3321 | golang.org/x/crypto | v0.24.0 | 0.31.0 | Applications and libraries which misuse connection.server... |
| Critical | GO-2025-3563 | stdlib | go1.23.3 | 1.23.8 | The net/http package improperly accepts a bare LF as a li... |
| Critical | GO-2026-5006 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When adding a key to a remote agent constraint extensions... |
| Critical | GO-2026-5023 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass ... |
| Critical | GO-2026-5017 | golang.org/x/crypto | v0.24.0 | 0.52.0 | A malicious SSH peer could send unsolicited global reques... |
| Critical | GO-2026-5020 | golang.org/x/crypto | v0.24.0 | 0.52.0 | When writing data larger than 4GB in a single Write call ... |
| Critical | GO-2026-5026 | golang.org/x/net | v0.26.0 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Pu... |
| Critical | GO-2026-5005 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently a... |
| Critical | GO-2026-5021 | golang.org/x/crypto | v0.24.0 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA wa... |
| Critical | GO-2026-5019 | golang.org/x/crypto | v0.24.0 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-e... |
| Critical | CVE-2026-27143 | stdlib | go1.23.3 | 1.25.9 | Arithmetic over induction variables in loops were not cor... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | GO-2026-4762 | google.golang.org/grpc | v1.64.1 | 1.79.3 | Authorization bypass in gRPC-Go via missing leading slash... |
| Critical | GO-2026-4337 | stdlib | go1.23.3 | 1.24.13 | During session resumption in crypto/tls, if the underlyin... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | CVE-2026-32280 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | During chain building, the amount of work that is done is... |
| High | CVE-2026-32281 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | Validating certificate chains which use policies is unexp... |
| High | CVE-2026-32283 | stdlib | v1.23.3 | 1.25.9, 1.26.2 | If one side of the TLS connection sends multiple key upda... |
| High | CVE-2026-33811 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very ... |
| High | CVE-2026-33814 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will en... |
| High | CVE-2026-39820 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | CVE-2026-39823 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | CVE-2026-27142 fixed a vulnerability in which URLs were n... |
| High | CVE-2026-39825 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | ReverseProxy can forward queries containing parameters no... |
| High | CVE-2026-39836 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | The Dial and LookupPort functions panic on Windows when p... |
| High | CVE-2026-42499 | stdlib | v1.23.3 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase... |
| High | CVE-2026-42504 | stdlib | v1.23.3 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing man... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GO-2025-3487 | golang.org/x/crypto | v0.24.0 | 0.35.0 | SSH servers which implement file transfer protocols are v... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GO-2025-3488 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | An attacker can pass a malicious malformed token which ca... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | GO-2025-3553 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | Excessive memory allocation during header parsing in gith... |
| High | GO-2025-3849 | stdlib | go1.23.3 | 1.23.12 | Cancelling a query (e.g. by cancelling the context passed... |
| High | GO-2026-4986 | stdlib | go1.23.3 | 1.25.10 | Well-crafted inputs reaching ParseAddress, ParseAddressLi... |
| High | GO-2026-5038 | stdlib | go1.23.3 | 1.25.11 | Decoding a maliciously-crafted MIME header containing man... |
| High | GO-2026-5013 | golang.org/x/crypto | v0.24.0 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for ... |
| High | GO-2026-4341 | stdlib | go1.23.3 | 1.24.12 | The net/url package does not set a limit on the number of... |
| High | GO-2026-4601 | stdlib | go1.23.3 | 1.25.8 | url.Parse insufficiently validated the host/authority com... |
| High | GO-2025-4006 | stdlib | go1.23.3 | 1.24.8 ... |
v0.1.0
📦 HASteward — v0.1.0
Release type: stable • Commit: 1884d25
Security: 🛡️ ❌ Critical — 5 critical and 15 high vulnerabilities detected
Image Availability
| Registry | Image | Tags |
|---|---|---|
| Docker Hub | docker.io/prplanit/hasteward | latest v0.1.0 |
| Harbor | cr.pcfae.com/prplanit/hasteward | latest v0.1.0 |
Digest pull commands & supply chain artifacts
docker.io/prplanit/hasteward
docker pull docker.io/prplanit/hasteward@sha256:32801a9402b6788dfe9ef172f7f4a212f47ed727429e33a95abc9d777b0ab81a
cr.pcfae.com/prplanit/hasteward
docker pull cr.pcfae.com/prplanit/hasteward@sha256:32801a9402b6788dfe9ef172f7f4a212f47ed727429e33a95abc9d777b0ab81a
Highlights
- ci: add Harbor registry targets, fix release alias v-prefix
Notable Changes
Documentation
- refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT) ×2
CI/CD
- add Harbor registry targets, fix release alias v-prefix (SoFMeRight)
Security
🛡️ ❌ Critical — 5 critical and 15 high vulnerabilities detected
Vulnerability details (5 critical, 15 high, 28 medium, 1 low)
| Severity | CVE | Package | Installed | Fixed | Description |
|---|---|---|---|---|---|
| Critical | CVE-2024-45337 | golang.org/x/crypto | v0.24.0 | 0.31.0 | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKey... |
| Critical | CVE-2026-33186 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| Critical | CVE-2025-68121 | stdlib | v1.23.3 | 1.24.13, 1.25.7, 1.26.0-rc.3 | During session resumption in crypto/tls, if the underlyin... |
| Critical | GHSA-v778-237x-gjrc | golang.org/x/crypto | v0.24.0 | 0.31.0 | Misuse of ServerConfig.PublicKeyCallback may cause author... |
| Critical | GHSA-p77j-4mvh-x3m3 | google.golang.org/grpc | v1.64.1 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading s... |
| High | CVE-2025-30204 | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation... |
| High | CVE-2025-22869 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exc... |
| High | CVE-2025-22868 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2/jws: Unexpected memory consumption du... |
| High | CVE-2025-47907 | stdlib | v1.23.3 | 1.23.12, 1.24.6 | Cancelling a query (e.g. by cancelling the context passed... |
| High | CVE-2025-58183 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | tar.Reader does not set a maximum size on the number of s... |
| High | CVE-2025-61726 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | The net/url package does not set a limit on the number of... |
| High | CVE-2025-61728 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | archive/zip uses a super-linear file name indexing algori... |
| High | CVE-2025-61729 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | crypto/x509: golang: Denial of Service due to excessive r... |
| High | CVE-2026-25679 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | url.Parse insufficiently validated the host/authority com... |
| High | GHSA-hcg3-q754-cr77 | golang.org/x/crypto | v0.24.0 | 0.35.0 | golang.org/x/crypto Vulnerable to Denial of Service (DoS)... |
| High | GHSA-6v2p-p543-phr9 | golang.org/x/oauth2 | v0.21.0 | 0.27.0 | golang.org/x/oauth2 Improper Validation of Syntactic Corr... |
| High | GHSA-mh63-6h87-95cp | github.com/golang-jwt/jwt/v5 | v5.2.1 | 5.2.2 | jwt-go allows excessive memory allocation during header p... |
| High | CVE-2025-61731 | stdlib | go1.23.3 | 1.24.12 | Building a malicious file with cmd/go can cause can cause... |
| High | CVE-2025-61732 | stdlib | go1.23.3 | 1.24.13 | A discrepancy between how Go and C/C++ comments were pars... |
| High | CVE-2025-4674 | stdlib | go1.23.3 | 1.23.11 | The go command may execute unexpected commands when opera... |
| Medium | CVE-2025-47914 | golang.org/x/crypto | v0.24.0 | 0.45.0 | golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial ... |
| Medium | CVE-2025-58181 | golang.org/x/crypto | v0.24.0 | 0.45.0 | golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial ... |
| Medium | CVE-2025-22870 | golang.org/x/net | v0.26.0 | 0.36.0 | golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: ... |
| Medium | CVE-2025-22872 | golang.org/x/net | v0.26.0 | 0.38.0 | golang.org/x/net/html: Incorrect Neutralization of Input ... |
| Medium | CVE-2024-45336 | stdlib | v1.23.3 | 1.22.11, 1.23.5, 1.24.0-rc.2 | The HTTP client drops sensitive headers after following a... |
| Medium | CVE-2024-45341 | stdlib | v1.23.3 | 1.22.11, 1.23.5, 1.24.0-rc.2 | A certificate with a URI which has a IPv6 address with a ... |
| Medium | CVE-2025-0913 | stdlib | v1.23.3 | 1.23.10, 1.24.4 | os.OpenFile(path, os.O_CREATE |
| Medium | CVE-2025-22866 | stdlib | v1.23.3 | 1.22.12, 1.23.6, 1.24.0-rc.3 | Due to the usage of a variable time instruction in the as... |
| Medium | CVE-2025-22871 | stdlib | v1.23.3 | 1.23.8, 1.24.2 | The net/http package improperly accepts a bare LF as a li... |
| Medium | CVE-2025-22873 | stdlib | v1.23.3 | 1.23.9, 1.24.3 | It was possible to improperly access the parent directory... |
| Medium | CVE-2025-4673 | stdlib | v1.23.3 | 1.23.10, 1.24.4 | Proxy-Authorization and Proxy-Authenticate headers persis... |
| Medium | CVE-2025-47906 | stdlib | v1.23.3 | 1.23.12, 1.24.6 | If the PATH environment variable contains paths which are... |
| Medium | CVE-2025-47912 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | The Parse function permits values other than IPv6 address... |
| Medium | CVE-2025-58185 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | Parsing a maliciously crafted DER payload could allocate ... |
| Medium | CVE-2025-58186 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | Despite HTTP headers having a default limit of 1MB, the n... |
| Medium | CVE-2025-58187 | stdlib | v1.23.3 | 1.24.9, 1.25.3 | Due to the design of the name constraint checking algorit... |
| Medium | CVE-2025-58188 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | Validating certificate chains which contain DSA public ke... |
| Medium | CVE-2025-58189 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | When Conn.Handshake fails during ALPN negotiation the err... |
| Medium | CVE-2025-61723 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | The processing time for parsing some invalid inputs scale... |
| Medium | CVE-2025-61724 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | The Reader.ReadResponse function constructs a response st... |
| Medium | CVE-2025-61725 | stdlib | v1.23.3 | 1.24.8, 1.25.2 | The ParseAddress function constructs domain-literal addre... |
| Medium | CVE-2025-61727 | stdlib | v1.23.3 | 1.24.11, 1.25.5 | An excluded subdomain constraint in a certificate chain d... |
| Medium | CVE-2025-61730 | stdlib | v1.23.3 | 1.24.12, 1.25.6 | During the TLS 1.3 handshake if multiple messages are sen... |
| Medium | CVE-2026-27142 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | Actions which insert URLs into the content attribute of H... |
| Medium | GHSA-vvgc-356p-c3xw | golang.org/x/net | v0.26.0 | 0.38.0 | golang.org/x/net vulnerable to Cross-site Scripting |
| Medium | GHSA-j5w8-q4qc-rx2x | golang.org/x/crypto | v0.24.0 | 0.45.0 | golang.org/x/crypto/ssh allows an attacker to cause unbou... |
| Medium | GHSA-qxp5-gwg8-xv66 | golang.org/x/net | v0.26.0 | 0.36.0 | HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net |
| Medium | GHSA-f6x5-jh6r-wrfv | golang.org/x/crypto | v0.24.0 | 0.45.0 | golang.org/x/crypto/ssh/agent vulnerable to panic if mess... |
| Low | CVE-2026-27139 | stdlib | v1.23.3 | 1.25.8, 1.26.1 | On Unix platforms, when listing the contents of a directo... |
Full changelog
- [1884d25] add Harbor registry targets, fix release alias v-prefix (SoFMeRight)
- [54db45f] refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT)
- [fda02a2] refresh generated docs and badges [skip ci] (StageFreight-PrPlanIT)
v0.0.1
🌎 hasteward — v0.0.1
Release type: stable • Commit: 872cf22
Highlights
- build: exclude credentials and key patterns from docker context
Notable Changes
Features
- security: add threat model docs, least-privilege RBAC, and TODO (SoFMeRight)
- v2: rewrite hasteward as Go CLI + Kubernetes operator (SoFMeRight)
- hasteward: add backup, restore, and repair escrow modes (SoFMeRight)
- cephfs: add hasteward backups init job on CephFS HDD (SoFMeRight)
- hasteward: add unified HA database steward with galera engine (SoFMeRight)
- grafana: add datasource and dashboard provisioning via GitOps (SoFMeRight)
Bug Fixes
- repair: select escrow donor from primary component and stabilize re-triage (SoFMeRight)
- job: fetch playbooks from hasteward repo instead of Flux source-controller (SoFMeRight)
- hasteward-job: use static CephFS PV/PVC and fix source-controller URL (SoFMeRight)
- penpot: add missing PENPOT_SECRET_KEY to exporter (SoFMeRight)
- cnpg-heal: ignore lost+found permission error (SoFMeRight)
Documentation
- add comprehensive README with usage, parameters, and examples (SoFMeRight)
CI/CD
- exclude go.sum from secrets scanner — hash false positives (SoFMeRight)
- full lint + security detail in stagefreight config (SoFMeRight)
- migrate to StageFreight v1 config schema (SoFMeRight)
Other Changes
- maintenance: cnpg replica heal script (SoFMeRight)
- exclude credentials and key patterns from docker context (SoFMeRight)
- bump base images, add .dockerignore (SoFMeRight)
- update all dependencies — fix CVEs in x/net, x/oauth2, bump k8s to v0.35.2 (SoFMeRight)
- Fix management port from 443 to 80 (matches actual server) (SoFMeRight)
- add cnpg-steward: unified CNPG triage + repair playbook (SoFMeRight)
- add CNPG triage playbook, rewrite heal playbook to match bash script (SoFMeRight)
- Fix penpot OIDC config and use docker.io (SoFMeRight)
- Update vaultwarden domain to vw.prplanit.com and add DNS entry (SoFMeRight)
Full changelog
- [872cf22] exclude credentials and key patterns from docker context (SoFMeRight)
- [b97f0ac] update all dependencies — fix CVEs in x/net, x/oauth2, bump k8s to v0.35.2 (SoFMeRight)
- [604384e] bump base images, add .dockerignore (SoFMeRight)
- [2703dce] exclude go.sum from secrets scanner — hash false positives (SoFMeRight)
- [53c9849] full lint + security detail in stagefreight config (SoFMeRight)
- [16cb64f] migrate to StageFreight v1 config schema (SoFMeRight)
- [644106c] add threat model docs, least-privilege RBAC, and TODO (SoFMeRight)
- [ef6457e] rewrite hasteward as Go CLI + Kubernetes operator (SoFMeRight)
- [14c57b4] select escrow donor from primary component and stabilize re-triage (SoFMeRight)
- [3cc4ca4] fetch playbooks from hasteward repo instead of Flux source-controller (SoFMeRight)
- [9c1ccda] add comprehensive README with usage, parameters, and examples (SoFMeRight)
- [6837035] use static CephFS PV/PVC and fix source-controller URL (SoFMeRight)
- [b033257] add backup, restore, and repair escrow modes (SoFMeRight)
- [57d7ea3] add hasteward backups init job on CephFS HDD (SoFMeRight)
- [e1c0b40] add unified HA database steward with galera engine (SoFMeRight)
- [3218bb0] add cnpg-steward: unified CNPG triage + repair playbook (SoFMeRight)
- [d40fb8b] add CNPG triage playbook, rewrite heal playbook to match bash script (SoFMeRight)
- [947906c] add datasource and dashboard provisioning via GitOps (SoFMeRight)
- [21b1c91] add missing PENPOT_SECRET_KEY to exporter (SoFMeRight)
- [6d6e5be] ignore lost+found permission error (SoFMeRight)
- [e5891ae] Fix penpot OIDC config and use docker.io (SoFMeRight)
- [eff8855] Fix management port from 443 to 80 (matches actual server) (SoFMeRight)
- [638d63f] Update vaultwarden domain to vw.prplanit.com and add DNS entry (SoFMeRight)
- [36669a1] cnpg replica heal script (SoFMeRight)