
Update packages for http v2x/net CVE #3581

Conversation

vyaghras
Contributor

@vyaghras vyaghras commented Nov 7, 2023

Issue number:

Closes #

Description of changes:
This update is required to mitigate HTTP V2 x/net (CVE-2023-39325) in Kubernetes packages

packages: Add patches for CVE-2023-39325 
packages: update kubernetes 1.24 to 1.24.17 
packages: update kubernetes 1.25 to 1.25.15 
packages: update kubernetes 1.26 to 1.26.10 
packages: update kubernetes 1.27 to 1.27.7 
packages: update kubernetes 1.28 to 1.28.3

Testing done:

  • aws-k8s-1.23
  NAME                               TYPE               STATE                       PASSED           FAILED           SKIPPED   BUILD ID          LAST UPDATE
  x86-64-aws-k8s-123-quick           Test               passed                           1                0              7051   9c505403          2023-11-08T15:22:58Z
  x86-64-aws-k8s-123                 Resource           completed                                                               9c505403          2023-11-08T15:17:02Z

  • aws-k8s-1.24
  NAME                                       TYPE              STATE                     PASSED          FAILED         SKIPPED   BUILD ID         LAST UPDATE
  x86-64-aws-k8s-124-quick                   Test              passed                         1               0            6972   9c505403         2023-11-08T07:45:51Z
  x86-64-aws-k8s-124                         Resource          completed                                                          9c505403         2023-11-08T07:43:35Z

  • aws-k8s-1.25
  NAME                                       TYPE              STATE                     PASSED          FAILED         SKIPPED   BUILD ID         LAST UPDATE
  x86-64-aws-k8s-125-quick                   Test              passed                         4               0            7065   9c505403         2023-11-08T15:59:15Z
  x86-64-aws-k8s-125                         Resource          completed                                                          9c505403         2023-11-08T15:57:38Z

  • aws-k8s-1.26
  NAME                                       TYPE              STATE                     PASSED          FAILED         SKIPPED   BUILD ID         LAST UPDATE
  x86-64-aws-k8s-126-quick                   Test              passed                         4               0            7068   9c505403         2023-11-08T16:37:06Z
  x86-64-aws-k8s-126                         Resource          completed                                                          9c505403         2023-11-08T16:32:33Z

  • aws-k8s-1.27
  NAME                                       TYPE              STATE                     PASSED          FAILED         SKIPPED   BUILD ID         LAST UPDATE
  x86-64-aws-k8s-127-quick                   Test              passed                         5               0            7206   9c505403         2023-11-08T18:14:05Z
  x86-64-aws-k8s-127                         Resource          completed                                                          9c505403         2023-11-08T18:10:26Z
  x86-64-aws-k8s-127-instances-obyp          Resource          running                                                            9c505403         2023-11-08T18:14:16Z

  • aws-k8s-1.28: Nodes join the cluster.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

This update is required to mitigate HTTP V2 x/net (CVE-2023-39325)
@vyaghras vyaghras force-pushed the update_packages_for_Http_v2x/net_cve branch from f82baa8 to ee84627 Compare November 7, 2023 23:16
@vyaghras vyaghras force-pushed the update_packages_for_Http_v2x/net_cve branch from ee84627 to 9c50540 Compare November 8, 2023 05:34
@vyaghras
Contributor Author

vyaghras commented Nov 8, 2023

⬆️ Remove the static patch files from Kubernetes 1.23, and put the files in lookaside cache.

Contributor

@yeazelm yeazelm left a comment


LGTM!

packages/kubernetes-1.23/Cargo.toml (outdated)
@bcressey bcressey self-requested a review November 8, 2023 18:03
pick 821a6417 packages: update ecs-agent to 1.77.0
@vyaghras vyaghras force-pushed the update_packages_for_Http_v2x/net_cve branch from 9c50540 to b69de58 Compare November 8, 2023 19:03
@vyaghras
Contributor Author

vyaghras commented Nov 8, 2023

⬆️ Change to raw.githubusercontent.com url for 0026-EKS-PATCH-Cherry-pick-119832-Fix-the-problem-Pod-ter.patch and upload the patch in Lookaside cache instead of .bz2.

@vyaghras vyaghras merged commit 9b2aacd into bottlerocket-os:develop Nov 8, 2023
46 checks passed
@vyaghras vyaghras deleted the update_packages_for_Http_v2x/net_cve branch November 8, 2023 20:16

4 participants