Bump golang/x/net to 0.7.0 and golang/x/text to v0.3.8 for CoreDNS 1.22-1.27 #2007
-go 1.16 | ||
+go 1.17 |
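Review bot: The directive bump at `+go 1.17` is not cosmetic and should be justified in the patch description. From Go 1.17 on, go.mod lists indirect dependencies explicitly and the module graph is pruned, so this line changes how the rest of the file is written and also requires a Go 1.17 or newer toolchain for the affected release branches. Say why the bump is needed for the x/net and x/text fix, and confirm that the toolchain used to build those branches matches.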
I don't think this will cause issues because newer versions are backwards compatible.
+ go.uber.org/multierr v1.6.0 // indirect | ||
+ go.uber.org/zap v1.17.0 // indirect | ||
+ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect | ||
+ golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect |
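Review bot: The added line `golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect` still requires a pseudo-version that predates v0.7.0, so the fix only holds if a replace directive elsewhere in the file actually overrides it. Prefer requiring v0.7.0 directly in this block, or include the output of `go list -m golang.org/x/net` in the PR so the selected version can be verified.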
Not sure this will work according to https://go.dev/ref/mod#go-mod-file-replace.
Note that a replace directive alone does not add a module to the module graph. A require directive that refers to a replaced module version is also needed, either in the main module’s go.mod file or a dependency’s go.mod file. A replace directive has no effect if the module version on the left side is not required.
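The rule quoted above, as an added example that is not part of this pull request or of the project's code: a small checker that reads one go.mod and reports which version a module resolves to and whether a replace directive took effect. `EffectiveVersion`, `sampleGoMod`, the module path `example.test/patched` and the x/text and x/sys lines are constructed for illustration; only the x/net pseudo-version comes from the diff.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod (not the PR's file): old require plus replace directives.
const sampleGoMod = `module example.test/patched
require (
	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
	golang.org/x/text v0.3.7 // indirect
)
replace golang.org/x/net => golang.org/x/net v0.7.0
replace golang.org/x/sys v0.1.0 => golang.org/x/sys v0.5.0
`

// EffectiveVersion reports the version of mod selected from this go.mod alone
// and whether a replace applied. Simplified: requires contributed by the
// go.mod files of dependencies are not considered.
func EffectiveVersion(gomod, mod string) (string, bool) {
	var required, target, leftVer, block string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		if block != "" && len(f) > 0 && f[0] != ")" {
			f = append([]string{block}, f...) // inside "require (": prepend keyword
		}
		switch {
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) >= 3 && f[1] == mod && f[0] == "require":
			required = f[2]
		case len(f) >= 4 && f[1] == mod && f[0] == "replace":
			// leftVer is "" for an unversioned left side ("mod => ...").
			leftVer, target = strings.TrimSuffix(f[2], "=>"), f[len(f)-1]
		}
	}
	// A replace only matters if the module (and, when given, that exact
	// left-side version) is actually required.
	if required != "" && target != "" && (leftVer == "" || leftVer == required) {
		return target, true
	}
	return required, false
}

func main() {
	fmt.Println(EffectiveVersion(sampleGoMod, "golang.org/x/net"))
}
```

On a real checkout, `go list -m all` is the authoritative answer, since it also accounts for requirements that come from dependencies.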
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zafs23 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…22-1.27 (aws#2007)
* Bump golang/x/net to 0.7.0 and golang/x/text to v0.3.8 for 1.22-1.27 in CoreDNS
* update checksums
* update golang to 1.17 for 1.22-1.24
* update checksums 1.22-1.24
* add patch description
* update checksums
Issue #, if available:
*Description of changes:*
Fixes CVE 41723. Any golang/x/net dependency < 0.7.0 is vulnerable to this CVE.
Fixes CVE-2022-32149 by bumping golang/x/text to v0.3.8.
These patches are a temporary fix until EKS updates to the latest release where these CVEs are fixed.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.