Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: upgrade net/http2 to avoid CVE-2022-41717 #11616

Merged
merged 6 commits into from Jan 17, 2023
Merged

chore: upgrade net/http2 to avoid CVE-2022-41717 #11616

merged 6 commits into from Jan 17, 2023

Conversation

crenshaw-dev
Copy link
Collaborator

Signed-off-by: Michael Crenshaw 350466+crenshaw-dev@users.noreply.github.com

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

@crenshaw-dev
chore: upgrade net/http2 to avoid CVE-2022-41717
4a07767 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev crenshaw-dev added cherry-pick/2.3 Candidate for cherry picking into the 2.3 release branch cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch cherry-pick/2.5 labels Dec 8, 2022
@crenshaw-dev
tidy
eb77fa5 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@codecov
Copy link

codecov bot commented Dec 8, 2022
edited

Codecov Report

Base: 47.29% // Head: 47.29% // Increases project coverage by +0.00% 🎉

Coverage data is based on head (727d61a) compared to base (2358669).
Patch coverage: 0.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #11616   +/-   ##
=======================================
  Coverage   47.29%   47.29%           
=======================================
  Files         245      245           
  Lines       41670    41669    -1     
=======================================
  Hits        19707    19707           
+ Misses      19978    19977    -1     
  Partials     1985     1985
Impacted Files Coverage Δ
cmd/argocd/commands/admin/cluster.go 0.00% <0.00%> (ø)
util/settings/settings.go 48.42% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@crenshaw-dev
merge upstream
b9d0dfc 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
ugprade net
056e9d5 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
go mod tidy
1bbeccc 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
Merge branch 'master' into upgrade-net-http2
727d61a
@crenshaw-dev crenshaw-dev merged commit 15b284b into argoproj:master Jan 17, 2023
@crenshaw-dev crenshaw-dev deleted the upgrade-net-http2 branch January 17, 2023 23:41
crenshaw-dev added a commit that referenced this pull request Jan 17, 2023
@crenshaw-dev
chore: upgrade net/http2 to avoid CVE-2022-41717 (#11616)
25d1d7a 
* chore: upgrade net/http2 to avoid CVE-2022-41717

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* ugprade net

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* go mod tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
@crenshaw-dev
Copy link
Collaborator Author

Cherry-picked onto release-2.6 for 2.6.0-rc4, release-2.5 for 2.5.6, release-2.4 for 2.4.19, and release-2.3 for 2.3.13.

@crenshaw-dev crenshaw-dev added cherry-pick/2.6 and removed cherry-pick/2.3 Candidate for cherry picking into the 2.3 release branch cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch cherry-pick/2.5 labels Jan 17, 2023
@crenshaw-dev
Copy link
Collaborator Author

Actually, this is only a medium-severity CVE, so the fix is only going to 2.6. Reverted the changes in other release branches.

emirot pushed a commit to emirot/argo-cd that referenced this pull request Jan 27, 2023
@crenshaw-dev @emirot
chore: upgrade net/http2 to avoid CVE-2022-41717 (argoproj#11616)
cc410d6 
* chore: upgrade net/http2 to avoid CVE-2022-41717

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* ugprade net

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* go mod tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: emirot <emirot.nolan@gmail.com>
schakrad pushed a commit to schakrad/argo-cd that referenced this pull request Mar 14, 2023
@crenshaw-dev @schakrad
chore: upgrade net/http2 to avoid CVE-2022-41717 (argoproj#11616)
5f1e0cb 
* chore: upgrade net/http2 to avoid CVE-2022-41717

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* ugprade net

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* go mod tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: schakrad <chakradari.sindhu@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wanghong230 wanghong230 wanghong230 approved these changes

@leoluz leoluz Awaiting requested review from leoluz

Assignees
No one assigned
Labels
cherry-pick/2.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@crenshaw-dev @wanghong230