Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Upgrade shipped version of Redis to 7.0.5 to fix CVE-2022-35951 #10702

Merged
merged 5 commits into from Oct 1, 2022
Merged

chore: Upgrade shipped version of Redis to 7.0.5 to fix CVE-2022-35951 #10702

merged 5 commits into from Oct 1, 2022

Conversation

jannfis
Copy link
Member

@jannfis jannfis commented Sep 26, 2022
edited

Update shipped version of Redis to 7.0.5 to fix CVE-2022-35951

CVE only affects Redis version >7.0.0, so this only needs to be cherry-picked into release-2.4, as other Argo CD versions do not yet ship 7.x versions of Redis.

Refer to GHSA-5gc4-76rx-22c9 for more details.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

@jannfis
chore: Upgrade redis to 7.0.5
fc96d98 
Signed-off-by: jannfis <jann@mistrust.net>
@jannfis
Also update Redis version in containerized toolchain
a35f431 
Signed-off-by: jannfis <jann@mistrust.net>
@jannfis jannfis added the cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch label Sep 26, 2022
@codecov
Copy link

codecov bot commented Sep 26, 2022
edited

Codecov Report

Base: 45.68% // Head: 45.70% // Increases project coverage by +0.01% 🎉

Coverage data is based on head (14dfa8f) compared to base (856ba52).
Patch has no changes to coverable lines.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10702      +/-   ##
==========================================
+ Coverage   45.68%   45.70%   +0.01%     
==========================================
  Files         236      236              
  Lines       28668    28668              
==========================================
+ Hits        13097    13102       +5     
+ Misses      13779    13772       -7     
- Partials     1792     1794       +2
Impacted Files Coverage Δ
pkg/apis/application/v1alpha1/types.go 54.84% <ø> (ø)
cmd/util/applicationset.go 19.23% <0.00%> (+19.23%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

34fathombelow
34fathombelow requested changes Sep 26, 2022
View reviewed changes
Copy link
Member

@34fathombelow 34fathombelow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need to update redis in .github/workflows/CI-build.yaml L#411

If you don't mind while your in there I just noticed dex also needs to be updated on L#409. If you feel that we should open a separate PR for this, im more than happy to take care of it.

@jannfis
Update Redis and Dex in CI
f05af6f 
Signed-off-by: jannfis <jann@mistrust.net>
@jannfis
Copy link
Member Author

jannfis commented Sep 26, 2022

Good catch, @34fathombelow, thanks.

I've updated the images in the CI workflow.

@jannfis
Fix Dex image path
19915ed 
Signed-off-by: jannfis <jann@mistrust.net>
34fathombelow
34fathombelow approved these changes Sep 26, 2022
View reviewed changes
Copy link
Member

@34fathombelow 34fathombelow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@crenshaw-dev
Merge branch 'master' into chore/upgrade-redis
14dfa8f 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev
crenshaw-dev approved these changes Sep 30, 2022
View reviewed changes
Copy link
Collaborator

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@crenshaw-dev crenshaw-dev enabled auto-merge (squash) September 30, 2022 23:06
@crenshaw-dev crenshaw-dev merged commit 66d82fc into argoproj:master Oct 1, 2022
ashutosh16 pushed a commit to ashutosh16/argo-cd that referenced this pull request Oct 7, 2022
@jannfis @crenshaw-dev @ashutosh16
chore: Upgrade shipped version of Redis to 7.0.5 to fix CVE-2022-35951 (
f561b92 
argoproj#10702)

* chore: Upgrade redis to 7.0.5

Signed-off-by: jannfis <jann@mistrust.net>

* Also update Redis version in containerized toolchain

Signed-off-by: jannfis <jann@mistrust.net>

* Update Redis and Dex in CI

Signed-off-by: jannfis <jann@mistrust.net>

* Fix Dex image path

Signed-off-by: jannfis <jann@mistrust.net>

Signed-off-by: jannfis <jann@mistrust.net>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@yu-croco yu-croco mentioned this pull request Oct 8, 2022
Merged
6 tasks
crenshaw-dev added a commit that referenced this pull request Jan 10, 2023
@jannfis @crenshaw-dev
chore: Upgrade shipped version of Redis to 7.0.5 to fix CVE-2022-35951 (
556565f 
#10702)

* chore: Upgrade redis to 7.0.5

Signed-off-by: jannfis <jann@mistrust.net>

* Also update Redis version in containerized toolchain

Signed-off-by: jannfis <jann@mistrust.net>

* Update Redis and Dex in CI

Signed-off-by: jannfis <jann@mistrust.net>

* Fix Dex image path

Signed-off-by: jannfis <jann@mistrust.net>

Signed-off-by: jannfis <jann@mistrust.net>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
Copy link
Collaborator

Looks like I forgot to cherry-pick this? Anyway, it's now on release-2.4 for 2.4.19.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

@34fathombelow 34fathombelow 34fathombelow approved these changes

@alexmt alexmt Awaiting requested review from alexmt

@pasha-codefresh pasha-codefresh Awaiting requested review from pasha-codefresh

Assignees
No one assigned
Labels
cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jannfis @crenshaw-dev @34fathombelow