Crossplane
v1.20.8Orchestration & Managementv1.20.8 is a security-only patch for the v1.20 line, bumping Go to 1.25.10 and patching multiple dependency CVEs across go-git, golang.org/x/net, x/crypto, and docker/cli.
securityUpgrade v1.20 clusters to v1.20.8 now — multiple CVEs addressed
This patch covers a broad sweep of dependency CVEs: go-git (two separate fixes), golang.org/x/net, golang.org/x/crypto, docker/cli, and in-toto-golang, plus Go stdlib CVEs via the 1.25.10 runtime bump. If you're running any v1.20.x version below this, you're exposed. The go-git and x/crypto vulnerabilities are particularly relevant if your Crossplane setup pulls packages from Git repositories. Plan the upgrade soon — this is not a 'schedule it next sprint' situation.
enhancementConsider moving to v1.21+ if still on v1.20
The v1.20 line is receiving security backports, but it won't get feature improvements. If you've been holding on v1.20 for stability reasons, this patch is a good opportunity to audit your upgrade blockers. The v1.21 line has been out long enough to be considered stable, and staying on an older minor version means you'll keep chasing security patches like this one.
Key changes (5)
- Go runtime bumped to 1.25.10 to address stdlib CVEs
- go-git/go-git updated to v5.19.1 (two sequential security fixes in this release)
- golang.org/x/net updated to v0.53.0 for security fixes
- golang.org/x/crypto updated to v0.52.0 for security fixes
- docker/cli and in-toto-golang also patched for security issues