
Bump go-version to 1.21.9 for release-3.5 due to CVE-2023-45288 #17708

Merged
merged 2 commits into etcd-io:release-3.5 from henrybear327:cve/3.5-bump-go-1.21.9
Apr 4, 2024

Conversation

henrybear327
Contributor

@k8s-ci-robot

Hi @henrybear327. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
@ahrtr
Member

ahrtr commented Apr 4, 2024

Question: why bump golang.org/x/net to v0.23.0 in the second commit? Did you see any issue if not bumping it?

@henrybear327
Contributor Author

henrybear327 commented Apr 4, 2024

Sorry for not being clear on this second commit.

The vulnerability scan on CI will report an error, thus, I decided to upgrade to the version specified up there.

Log extract:

go: downloading golang.org/x/vuln v1.0.4
go: downloading golang.org/x/mod v0.14.0
go: downloading golang.org/x/tools v0.17.0
go: downloading golang.org/x/sync v0.6.0
Scanning your code and 504 packages across 77 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
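
A check of the kind a release branch could run in CI to confirm that a bump like this one actually clears what govulncheck reported. This is an added example, not code from etcd or from golang.org/x/vuln: it reads the versions pinned in go.mod and compares each against the advisory's fixed version, treating GO-2024-2687 as two findings, the golang.org/x/net half (fixed in v0.23.0, as the extract above shows) and the standard-library net/http half (fixed in go1.21.9, which is why the Go toolchain is bumped in the same PR). The findings are transcribed by hand from the log rather than parsed; a real pipeline would read `govulncheck -json` instead. Both go.mod samples and the module name example.com/svc are constructed. The PR title suggests etcd pins its toolchain in a separate .go-version file rather than in the go directive (an assumption here), so there the stdlib comparison would read that file; in any repository the go directive is only a floor, and the `go version` printed in the CI job is the value that settles CVE-2023-45288.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

type Finding struct{ ID, Module, Fixed string } // Module is "" for the stdlib half of an advisory

// parseVersion accepts "v0.23.0", "1.21.9", "go1.21.9" or "1.21", plus "-rc1"/"+meta" suffixes.
func parseVersion(v string) (n [3]int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	v, _, _ = strings.Cut(v, "+")   // build metadata never affects ordering
	v, _, pre = strings.Cut(v, "-") // pre-release marker
	for i, s := range strings.SplitN(v, ".", 3) {
		if n[i], err = strconv.Atoi(s); err != nil {
			return n, pre, fmt.Errorf("unrecognised version %q", v)
		}
	}
	return n, pre, nil
}

// AtLeast reports whether v >= want. A pre-release of the fixed version does
// not count as fixed (v0.23.0-rc1 < v0.23.0).
func AtLeast(v, want string) (bool, error) {
	a, apre, errA := parseVersion(v)
	b, bpre, errB := parseVersion(want)
	if errA != nil || errB != nil {
		return false, errors.Join(errA, errB)
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i], nil
		}
	}
	return !apre || bpre, nil
}

// ParseGoMod maps module path -> version for each require line and stores the go
// directive (overridden by a later toolchain directive) under "", the stdlib key.
func ParseGoMod(src string) map[string]string {
	pins := map[string]string{}
	inRequire := false
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case (f[0] == "go" || f[0] == "toolchain") && len(f) == 2:
			pins[""] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "require" && len(f) == 3:
			pins[f[1]] = f[2]
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			pins[f[0]] = f[1]
		}
	}
	return pins
}

// Evaluate reports, for each finding whose module go.mod pins, whether the pinned
// version is at or past the fix. Caveats: the go directive is only a floor (GOTOOLCHAIN or
// the CI image pick the real toolchain), and Fixed must be the value for your minor line.
func Evaluate(pins map[string]string, fs []Finding) (map[Finding]bool, error) {
	out := map[Finding]bool{}
	for _, f := range fs {
		pinned, ok := pins[f.Module]
		if !ok {
			continue // not required by this module: nothing to compare
		}
		fixed, err := AtLeast(pinned, f.Fixed)
		if err != nil {
			return nil, err
		}
		out[f] = fixed
	}
	return out, nil
}

// Findings transcribed from the govulncheck extract in the PR (x/net) plus the
// stdlib half of the same advisory; both go.mod samples are constructed.
var findings = []Finding{
	{ID: "GO-2024-2687", Module: "golang.org/x/net", Fixed: "v0.23.0"},
	{ID: "GO-2024-2687", Module: "", Fixed: "go1.21.9"},
}

const goModBefore = "module example.com/svc\n\ngo 1.21.7\n\nrequire (\n\tgolang.org/x/net v0.22.0\n\tgolang.org/x/sys v0.18.0 // indirect\n)\n"

var goModAfter = strings.NewReplacer("1.21.7", "1.21.9", "v0.22.0", "v0.23.0").Replace(goModBefore)

func main() {
	res, err := Evaluate(ParseGoMod(goModAfter), findings)
	fmt.Println(res, err)
}
```

Run against goModBefore both findings come back false; against goModAfter both come back true, which is the state this PR leaves release-3.5 in. A pinned version is skipped, not reported, when the module is absent from go.mod, so a finding that only reaches you through a transitive dependency needs the "// indirect" line that go mod tidy adds.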

@ahrtr
Member

ahrtr commented Apr 4, 2024

Thanks for the clarification.

@ahrtr ahrtr left a comment


lgtm

Thanks.

@ahrtr ahrtr merged commit 01851da into etcd-io:release-3.5 Apr 4, 2024
18 checks passed
@ivanvc ivanvc mentioned this pull request Apr 4, 2024
@henrybear327 henrybear327 deleted the cve/3.5-bump-go-1.21.9 branch April 4, 2024 18:30
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 13, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.17.0
    Fixed in: golang.org/x/net@v0.23.0

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 13, 2024
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 14, 2024
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 14, 2024
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Sep 24, 2024