Crossplane
v2.1.6Orchestration & Managementv2.1.6 is a security-focused patch for the v2.1 line, bumping Go to 1.25.10 and patching several vulnerable dependencies including go-git, golang.org/x/crypto, and OpenTelemetry.
securityUpgrade to v2.1.6 immediately if running v2.1.x
This release patches multiple CVEs across Go stdlib, go-git, x/crypto, and x/net. These aren't theoretical risks — go-git vulnerabilities can affect package fetching behavior, and x/crypto/x/net issues can expose TLS and HTTP handling. If you're on any v2.1.x release, upgrade now. No API or behavioral changes are included, so the upgrade is low-risk.
securityCheck your provider images for the same vulnerable dependencies
Crossplane core is patched, but your installed providers (AWS, GCP, Azure, etc.) are separate images with their own dependency trees. Run a container image scan (Trivy, Grype) against your active provider pods to check if they carry the same vulnerable versions of go-git or x/crypto. Provider maintainers will need to release their own patches.
主な変更 (5)
- Go runtime bumped to 1.25.10 to address stdlib CVEs
- go-git updated twice (v5.19.0 → v5.19.1) to resolve security issues in git operations
- golang.org/x/crypto and golang.org/x/net updated for security fixes
- OpenTelemetry otel updated to v1.41.0 with security patches
- in-toto-golang updated to v0.11.0 for supply chain security fixes