Bump golang/x/net to 0.7.0 and golang/x/text to v0.3.8 for CoreDNS 1.22-1.27 #2007
Conversation
github-actions
bot
added
patch
zafs23
changed the title
| -go 1.16 | ||
| +go 1.17 |
There was a problem hiding this comment.
I don't think this will cause issues because newer versions are backwards compatible.
| + go.uber.org/multierr v1.6.0 // indirect | ||
| + go.uber.org/zap v1.17.0 // indirect | ||
| + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect | ||
| + golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect |
There was a problem hiding this comment.
Not sure this will work according to https://go.dev/ref/mod#go-mod-file-replace.
Note that a replace directive alone does not add a module to the module graph. A require directive that refers to a replaced module version is also needed, either in the main module’s go.mod file or a dependency’s go.mod file. A replace directive has no effect if the module version on the left side is not required.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zafs23 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…22-1.27 (aws#2007) * Bump golang/x/net to 0.7.0 and golang/x/text to v0.3.8 for 1.22-1.27 in CoreDNS * update checksums * update golang to 1.17 for 1.22-1.24 * update checksums 1.22-1.24 * add patch description * update checksums
Issue #, if available:
*Description of changes:*Fixes CVE 41723. Any
golang/x/netdependency < 0.7.0 is vulnerable to this CVE.Fixes CVE-2022-32149 by bumping golang/x/text to v0.3.8
These patches are temporary fix until EKS update to the latest release where these CVEs are fixed.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.