chore(deps): update module go.opentelemetry.io/otel/sdk to v1.43.0 [security] (main)

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
go.opentelemetry.io/otel/sdk	v1.40.0 → v1.43.0

---

opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

CVE-2026-39883 / GHSA-hfvc-g4fc-pqhx

More information

Details

Summary

The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.

Root Cause

sdk/resource/host_id.go line 42:

if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {

Compare with the fixed Darwin path at line 58:

result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")

The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.

Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.

The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.

Attack

1. Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
2. Attacker places a malicious kenv binary earlier in $PATH
3. Application initializes OpenTelemetry resource detection at startup
4. hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
5. Arbitrary code executes in the context of the application

Same attack vector and impact as CVE-2026-24051.

Suggested Fix

Use the absolute path:

if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {

On FreeBSD, kenv is located at /bin/kenv.

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx
• https://nvd.nist.gov/vuln/detail/CVE-2026-39883
• https://github.com/open-telemetry/opentelemetry-go
• http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/sdk)

v1.43.0

Compare Source

v1.42.0: /v0.64.0/v0.18.0/v0.0.16

Compare Source

Added

• Add go.opentelemetry.io/otel/semconv/v1.40.0 package.
  The package contains semantic conventions from the v1.40.0 version of the OpenTelemetry Semantic Conventions.
  See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.39.0. (#​7985)
• Add Err and SetErr on Record in go.opentelemetry.io/otel/log to attach an error and set record exception attributes in go.opentelemetry.io/otel/log/sdk. (#​7924)

Changed

• TracerProvider.ForceFlush in go.opentelemetry.io/otel/sdk/trace joins errors together and continues iteration through SpanProcessors as opposed to returning the first encountered error without attempting exports on subsequent SpanProcessors. (#​7856)

Fixed

• Fix missing request.GetBody in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to correctly handle HTTP2 GOAWAY frame. (#​7931)
• Fix semconv v1.39.0 generated metric helpers skipping required attributes when extra attributes were empty. (#​7964)
• Preserve W3C TraceFlags bitmask (including the random Trace ID flag) during trace context extraction and injection in go.opentelemetry.io/otel/propagation. (#​7834)

Removed

• Drop support for [Go 1.24]. (#​7984)

What's Changed

• fix changelog protection marker by @​pellared in #​7986
• Drop support for Go 1.24 by @​MrAlias in #​7984
• fix(deps): update golang.org/x by @​renovate[bot] in #​7907
• chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.53.0 by @​renovate[bot] in #​7981
• chore(deps): update benchmark-action/github-action-benchmark action to v1.21.0 by @​renovate[bot] in #​7989
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.53.0 by @​renovate[bot] in #​7982
• Revert "Revert "Generate semconv/v1.40.0"" by @​MrAlias in #​7985
• support stdlib request.GetBody on metrics by @​marifari-hue in #​7931
• attribute: add TestNotEquivalence and equality operator tests by @​pellared in #​7979
• Refactor benchmark CI by @​XSAM in #​7873
• chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 by @​renovate[bot] in #​7988
• chore(deps): pin codspeedhq/action action to df47568 by @​renovate[bot] in #​7996
• chore(deps): update actions/checkout action to v6.0.2 by @​renovate[bot] in #​7997
• chore(deps): update codspeedhq/action action to v4.11.0 by @​renovate[bot] in #​7999
• Upgrade to semconv/v1.40.0 by @​MrAlias in #​7991
• Regenerate semconv/v1.40.0/MIGRATION.md by @​MrAlias in #​7992
• fix: generated semconv helpers skipping attributes by @​victoraugustolls in #​7964
• Feat: Have SpanContext support the new W3C random flag. by @​nikhilmantri0902 in #​7834
• Semconv metric helper caller-slice mutation fix by @​MrAlias in #​7993
• Fix semconv generated error type to check error chain for custom type declaration by @​MrAlias in #​7994
• refactor: replace uint64 and int32 with atomic types in tests by @​alexandear in #​7941
• chore(deps): update golang.org/x/telemetry digest to 18da590 by @​renovate[bot] in #​8000
• TracerProvider ForceFlush() Error Fix by @​sawamurataxman in #​7856
• log: add error field to Record and make SDK to emit exception attributes by @​iblancasa in #​7924
• chore(deps): update dependency codespell to v2.4.2 by @​renovate[bot] in #​8003
• chore(deps): update github/codeql-action action to v4.32.6 by @​renovate[bot] in #​8004
• chore(deps): update codspeedhq/action action to v4.11.1 by @​renovate[bot] in #​8001
• fix(deps): update module google.golang.org/grpc to v1.79.2 by @​renovate[bot] in #​8007
• chore(deps): update module github.com/mgechev/revive to v1.15.0 by @​renovate[bot] in #​8009
• chore(deps): update golang.org/x/telemetry digest to e526e8a by @​renovate[bot] in #​8010
• Release v1.42.0/v0.64.0/v0.18.0/v0.0.16 by @​pellared in #​8006

New Contributors

• @​marifari-hue made their first contribution in #​7931
• @​victoraugustolls made their first contribution in #​7964
• @​sawamurataxman made their first contribution in #​7856
• @​iblancasa made their first contribution in #​7924

Full Changelog: open-telemetry/opentelemetry-go@v1.41.0...v1.42.0

v1.41.0: /v0.63.0/v0.17.0/v0.0.15

Compare Source

This release is the last to support Go 1.24. The next release will require at least Go 1.25.

Added

• Support testing of Go 1.26. (#​7902)

Fixed

• Update Baggage in go.opentelemetry.io/otel/propagation and Parse and New in go.opentelemetry.io/otel/baggage to comply with W3C Baggage specification limits. New and Parse now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler. (#​7880)

What's Changed

• fix(deps): update googleapis to ce8ad4c by @​renovate[bot] in #​7860
• chore(deps): update otel/weaver docker tag to v0.21.0 by @​renovate[bot] in #​7865
• fix(deps): update module go.opentelemetry.io/collector/pdata to v1.51.0 by @​renovate[bot] in #​7863
• chore(deps): update golang.org/x/telemetry digest to fe4bb1c by @​renovate[bot] in #​7861
• chore(deps): update golang.org/x/telemetry digest to aaaaaa5 by @​renovate[bot] in #​7869
• sdk/log/observ: guard LogProcessed with Enabled by @​NesterovYehor in #​7848
• stdouttrace observability: skip metric work when instruments are disabled by @​NesterovYehor in #​7853
• chore(deps): update otel/weaver docker tag to v0.21.2 by @​renovate[bot] in #​7870
• fix(deps): update googleapis to 546029d by @​renovate[bot] in #​7871
• stdoutmetric observ: skip metric work when instruments are disabled by @​NesterovYehor in #​7868
• chore(deps): update fossas/fossa-action action to v1.8.0 by @​renovate[bot] in #​7879
• chore(deps): update github/codeql-action action to v4.32.2 by @​renovate[bot] in #​7878
• chore(deps): update module github.com/ghostiam/protogetter to v0.3.20 by @​renovate[bot] in #​7877
• chore(deps): update golang.org/x/telemetry digest to 86a5c4b by @​renovate[bot] in #​7876
• fix(deps): update module golang.org/x/sys to v0.41.0 by @​renovate[bot] in #​7885
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.6.0 by @​renovate[bot] in #​7884
• Checked if instrument enabled before measuring in prometheus by @​itssaharsh in #​7866
• exporter/otlploghttp: guard observ metrics with Enabled checks by @​NesterovYehor in #​7813
• chore(deps): update module github.com/go-git/go-git/v5 to v5.16.5 by @​renovate[bot] in #​7886
• chore(deps): update golang.org/x by @​renovate[bot] in #​7887
• fix(deps): update golang.org/x by @​renovate[bot] in #​7890
• fix(deps): update golang.org/x to 2842357 by @​renovate[bot] in #​7891
• fix(deps): update googleapis to 4cfbd41 by @​renovate[bot] in #​7889
• Checked if instrument enabled before measuring in oteltracegrpc by @​itssaharsh in #​7825
• Checked if Instrument Enabled before measuring in otlpgrpc by @​itssaharsh in #​7824
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.8 by @​renovate[bot] in #​7892
• chore(deps): update module github.com/golangci/golines to v0.15.0 by @​renovate[bot] in #​7893
• chore(deps): update module github.com/golangci/misspell to v0.8.0 by @​renovate[bot] in #​7894
• chore(deps): update golang.org/x/telemetry digest to 9f66fae by @​renovate[bot] in #​7898
• fix(deps): update module google.golang.org/grpc to v1.79.0 by @​renovate[bot] in #​7906
• Support Go 1.26 by @​dmathieu in #​7902
• fix(deps): update module google.golang.org/grpc to v1.79.1 by @​renovate[bot] in #​7908
• chore(deps): update github/codeql-action action to v4.32.3 by @​renovate[bot] in #​7909
• chore(deps): update module github.com/kevinburke/ssh_config to v1.5.0 by @​renovate[bot] in #​7911
• chore(deps): update module github.com/kevinburke/ssh_config to v1.6.0 by @​renovate[bot] in #​7913
• chore(deps): update actions/stale action to v10.2.0 by @​renovate[bot] in #​7917
• chore(deps): update module github.com/godoc-lint/godoc-lint to v0.11.2 by @​renovate[bot] in #​7916
• chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.7.0 by @​renovate[bot] in #​7915
• chore(deps): update module github.com/mattn/go-runewidth to v0.0.20 by @​renovate[bot] in #​7918
• chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.28.0 by @​renovate[bot] in #​7921
• Checked if Operation Enabled in otlptracehttp before performing operation by @​itssaharsh in #​7881
• chore(deps): update github/codeql-action action to v4.32.4 by @​renovate[bot] in #​7936
• chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.4 by @​renovate[bot] in #​7939
• chore(deps): update module github.com/uudashr/gocognit to v1.2.1 by @​renovate[bot] in #​7947
• chore(deps): update module github.com/alexkohler/prealloc to v1.0.3 by @​renovate[bot] in #​7950
• chore(deps): update module github.com/go-git/go-billy/v5 to v5.8.0 by @​renovate[bot] in #​7953
• chore(deps): update lycheeverse/lychee-action action to v2.8.0 by @​renovate[bot] in #​7959
• chore(deps): update module github.com/go-git/go-git/v5 to v5.17.0 by @​renovate[bot] in #​7960
• chore(deps): update actions/setup-go action to v6.3.0 by @​renovate[bot] in #​7962
• Document metric api interfaces that methods need to be safe to be called concurrently by @​dashpole in #​7952
• ci: add govulncheck job to CI workflow and update lint target by @​pellared in #​7971
• Comply with W3C Baggage specification limits by @​XSAM in #​7880
• chore(deps): update module github.com/mgechev/revive to v1.14.0 by @​renovate[bot] in #​7895
• chore(deps): update github artifact actions (major) by @​renovate[bot] in #​7963
• chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by @​renovate[bot] in #​7967
• chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by @​renovate[bot] in #​7969
• fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to d566b4d by @​renovate[bot] in #​7972
• chore(deps): update module github.com/sonatard/noctx to v0.5.0 by @​renovate[bot] in #​7968
• chore(deps): update module github.com/daixiang0/gci to v0.14.0 by @​renovate[bot] in #​7973
• chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 by @​renovate[bot] in #​7899
• Generate semconv/v1.40.0 by @​ChrsMark in #​7929
• Revert "Generate semconv/v1.40.0" by @​dmathieu in #​7978
• chore(deps): update github/codeql-action action to v4.32.5 by @​renovate[bot] in #​7980
• fix: add error handling for insecure HTTP endpoints with TLS client configuration by @​sandy2008 in #​7914
• Release 1.41.0/0.63.0/0.17.0/0.0.15 by @​pellared in #​7977

New Contributors

• @​NesterovYehor made their first contribution in #​7848
• @​sandy2008 made their first contribution in #​7914

Full Changelog: open-telemetry/opentelemetry-go@v1.40.0...v1.41.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[red-hat-konflux]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
go.opentelemetry.io/otel	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/metric	v1.40.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.40.0 -> v1.43.0
golang.org/x/sys	v0.40.0 -> v0.42.0

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign ginxo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @red-hat-konflux[bot]. Thanks for your PR.

I'm waiting for a stolostron member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud