With the upcoming end-of-life (EOL) of MSR 3.1.x, Mirantis encourages you to upgrade to the latest supported version to ensure continued support and security updates.

Security information

Updated the following middleware component versions to resolve vulnerabilities in MSR:

  • [ENGDTR-4405] Golang 1.23.8

Resolved CVEs, as detailed:

CVE

Status

Problem details from upstream

CVE-2025-26519

Resolved

musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.

CVE-2024-34155

Resolved

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

CVE-2024-34156

Resolved

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.