
chore(deps): Update deps due to CVEs #194

Merged
merged 10 commits into from
May 19, 2023

Conversation

merkata
Contributor

@merkata merkata commented Feb 22, 2023

Security tools such as trivy report known CVEs against the dependencies in the go.mod that can be fixed. This PR updates the deps to the suggested patched version. Below is the report of the found vulnerabilities and a successful go test ./... afterwards.

go.mod (gomod)

Total: 14 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 10, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬───────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │         Installed Version         │           Fixed Version           │                            Title                             │
├─────────────────────┼────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2021-43565 │ HIGH     │ 0.0.0-20201221181555-eec23a3978ad │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic     │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27191 │          │                                   │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server            │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                   │
├─────────────────────┼────────────────┤          ├───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2019-9512  │          │ 0.0.0-20190404232315-eb5bcb51f2a3 │ 0.0.0-20190813141303-74dc4d7220e7 │ HTTP/2: flood using PING frames results in unbounded memory  │
│                     │                │          │                                   │                                   │ growth                                                       │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2019-9512                    │
│                     ├────────────────┤          │                                   │                                   ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2019-9514  │          │                                   │                                   │ HTTP/2: flood using HEADERS frames results in unbounded      │
│                     │                │          │                                   │                                   │ memory growth                                                │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2019-9514                    │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2021-33194 │          │                                   │ 0.0.0-20210520170846-37e1c6afe023 │ golang: x/net/html: infinite loop in ParseFragment           │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-33194                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2021-44716 │          │                                   │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization    │
│                     │                │          │                                   │                                   │ cache                                                        │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-27664 │          │                                   │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
│                     ├────────────────┼──────────┤                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2021-31525 │ MEDIUM   │                                   │ 0.0.0-20210428140749-89ef3d95e781 │ golang: net/http: panic in ReadRequest and ReadResponse when │
│                     │                │          │                                   │                                   │ reading a very large...                                      │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-31525                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-41717 │          │                                   │ 0.4.0                             │ golang: net/http: An attacker can cause excessive memory     │
│                     │                │          │                                   │                                   │ growth in a Go...                                            │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-41717                   │
│                     ├────────────────┼──────────┤                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-41723 │ LOW      │                                   │ 0.7.0                             │ [http2/hpack: avoid quadratic complexity in hpack decoding]  │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-41723                   │
├─────────────────────┼────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys    │ CVE-2022-29526 │ MEDIUM   │ 0.0.0-20210119212857-b64e53b001e4 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├─────────────────────┼────────────────┼──────────┼───────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text   │ CVE-2020-14040 │ HIGH     │ 0.3.0                             │ 0.3.3                             │ golang.org/x/text: possibility to trigger an infinite loop   │
│                     │                │          │                                   │                                   │ in encoding/unicode could lead to...                         │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2020-14040                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2021-38561 │          │                                   │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language     │
│                     │                │          │                                   │                                   │ leads to DoS                                                 │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                   │
│                     ├────────────────┤          │                                   ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2022-32149 │          │                                   │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                     │                │          │                                   │                                   │ takes a long time to parse complex tags                      │
│                     │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└─────────────────────┴────────────────┴──────────┴───────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘
merkata@mastodon:~/dev/pebble$ go test ./...
ok  	github.com/canonical/pebble/client	0.200s
?   	github.com/canonical/pebble/cmd	[no test files]
ok  	github.com/canonical/pebble/cmd/pebble	1.246s
ok  	github.com/canonical/pebble/internal/daemon	6.811s
ok  	github.com/canonical/pebble/internal/logger	0.046s
ok  	github.com/canonical/pebble/internal/osutil	0.796s
?   	github.com/canonical/pebble/internal/osutil/squashfs	[no test files]
?   	github.com/canonical/pebble/internal/osutil/sys	[no test files]
ok  	github.com/canonical/pebble/internal/overlord	5.116s
ok  	github.com/canonical/pebble/internal/overlord/checkstate	0.268s
?   	github.com/canonical/pebble/internal/overlord/cmdstate	[no test files]
ok  	github.com/canonical/pebble/internal/overlord/patch	0.012s
ok  	github.com/canonical/pebble/internal/overlord/restart	0.011s
ok  	github.com/canonical/pebble/internal/overlord/servstate	2.899s
?   	github.com/canonical/pebble/internal/overlord/servstate/servstatetest	[no test files]
ok  	github.com/canonical/pebble/internal/overlord/standby	0.113s
ok  	github.com/canonical/pebble/internal/overlord/state	7.099s
ok  	github.com/canonical/pebble/internal/plan	0.024s
ok  	github.com/canonical/pebble/internal/progress	0.484s
?   	github.com/canonical/pebble/internal/progress/progresstest	[no test files]
?   	github.com/canonical/pebble/internal/ptyutil	[no test files]
?   	github.com/canonical/pebble/internal/reaper	[no test files]
ok  	github.com/canonical/pebble/internal/servicelog	1.267s
ok  	github.com/canonical/pebble/internal/systemd	0.345s
ok  	github.com/canonical/pebble/internal/testutil	0.162s
ok  	github.com/canonical/pebble/internal/timeutil	0.012s
ok  	github.com/canonical/pebble/internal/timing	0.015s
?   	github.com/canonical/pebble/internal/wsutil	[no test files]

@merkata merkata marked this pull request as draft February 22, 2023 09:04
@merkata merkata marked this pull request as ready for review February 22, 2023 09:17
@merkata
Contributor Author

merkata commented Feb 22, 2023

This PR addresses some of the findings, leaving out:

go.mod (gomod)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────────────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │         Installed Version         │            Fixed Version            │                            Title                            │
├───────────────────┼────────────────┼──────────┼───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2022-41721 │ HIGH     │ 0.0.0-20220906165146-f3363e06e74c │ 0.1.1-0.20221104162952-702349b0e862 │ A request smuggling attack is possible when using           │
│                   │                │          │                                   │                                     │ MaxBytesHandler. Whe ...                                    │
│                   │                │          │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721                  │
│                   ├────────────────┼──────────┤                                   ├─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-41717 │ MEDIUM   │                                   │ 0.4.0                               │ golang: net/http: An attacker can cause excessive memory    │
│                   │                │          │                                   │                                     │ growth in a Go...                                           │
│                   │                │          │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41717                  │
│                   ├────────────────┼──────────┤                                   ├─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-41723 │ LOW      │                                   │ 0.7.0                               │ [http2/hpack: avoid quadratic complexity in hpack decoding] │
│                   │                │          │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41723                  │
├───────────────────┼────────────────┼──────────┼───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ HIGH     │ 0.3.7                             │ 0.3.8                               │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                   │                │          │                                   │                                     │ takes a long time to parse complex tags                     │
│                   │                │          │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
└───────────────────┴────────────────┴──────────┴───────────────────────────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

The reason for this is that bumping x/net also bumps x/sys to at least v0.1.0, which has fixes backported to Go 1.17 and not further down; it also introduces unsafe.Slice, which exists since 1.17 and is not available in versions below that.
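An added check, not part of this PR or of Pebble: a small Go program that reads go.mod and reports which of the modules from the tables above are still required below the version trivy lists as fixed. It orders versions by the semver precedence Go modules use, so pseudo-versions such as 0.1.1-0.20221104162952-702349b0e862 compare correctly against tagged releases like 0.4.0. The go.mod excerpt is constructed for the example; the fixed versions are copied from the tables.

```go
package main

import "strings"

// Lowest version that clears every CVE trivy listed for the module (values from
// the tables above; go.mod versions carry a leading "v").
var fixedVersions = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20220314234659-1baeb1ce4c0b",
	"golang.org/x/net":    "v0.7.0",
	"golang.org/x/sys":    "v0.0.0-20220412211240-33da011f77ad",
	"golang.org/x/text":   "v0.3.8",
}

// Constructed go.mod excerpt: net and text already bumped, crypto and sys not.
const sampleGoMod = "module github.com/canonical/pebble\n\nrequire (\n" +
	"\tgolang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad\n\tgolang.org/x/net v0.7.0 // indirect\n" +
	"\tgolang.org/x/sys v0.0.0-20210119212857-b64e53b001e4\n\tgolang.org/x/text v0.3.8\n)\n"

// fields splits a version for comparison: "v" dropped, "." and the first "-" separate
// fields, and a release without a prerelease part gets a "~" sentinel (sorts after any
// prerelease or pseudo-version identifier) so the release outranks them.
func fields(v string) []string {
	core, pre, ok := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if !ok {
		pre = "~"
	}
	return strings.Split(core+"."+pre, ".")
}

// compareVersion orders Go module versions field by field following semver precedence;
// pseudo-versions work because their timestamp is just another prerelease field.
func compareVersion(a, b string) int {
	as, bs := fields(a), fields(b)
	for i := 0; i < len(as) && i < len(bs); i++ {
		if x, y := as[i], bs[i]; strings.Trim(x+y, "0123456789") == "" && len(x) != len(y) {
			return len(x) - len(y) // both numeric: more digits means larger (semver bans leading zeros)
		} else if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return len(as) - len(bs)
}

// outdated scans go.mod require lines (block or single-line, "// indirect" and other
// comments ignored) and returns the modules still required below their fixed version.
func outdated(goMod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || !strings.HasPrefix(f[1], "v") {
			continue
		}
		if fixed, ok := fixedVersions[f[0]]; ok && compareVersion(f[1], fixed) < 0 {
			out[f[0]] = f[1]
		}
	}
	return out
}
```

This answers only whether the required version is still below the fix; whether Pebble actually reaches the affected code paths is a separate question.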

Contributor

@benhoyt benhoyt left a comment


Looks like a no-brainer to me, thanks.

@jnsgruk
Member

jnsgruk commented Feb 23, 2023

Agreed, thanks @merkata.

The test failure looks unrelated, but nonetheless concerning - looks like Pebble panicked!

@merkata
Contributor Author

merkata commented Feb 23, 2023

Agreed, thanks @merkata.

The test failure looks unrelated, but nonetheless concerning - looks like Pebble panicked!

Yes it should be unrelated - I re-applied the changes from caebae5 which had all tests passing. Could be something that happens intermittently.

@benhoyt
Contributor

benhoyt commented Feb 23, 2023

Yeah, I've seen this intermittent test failure. Pebble is panicking, but it's due to a test ordering / race condition. There are a bunch of other test-failure issues open as well that need to be looked at when someone has time (this is probably one of those; not sure). I'll re-run the Go 1.14 failed tests now.

@jnsgruk
Member

jnsgruk commented Apr 5, 2023

Is there a reason we cannot merge this? Some of these came up in a vulnerability scan for a container we're likely to be distributing soon. cc: @niemeyer

@niemeyer
Contributor

niemeyer commented Apr 5, 2023

Has anyone looked over the list to see if anything there actually affects us? We should be updating dependencies anyway every once in a while, but I don't want to make a routine of updating dependencies because there are CVEs in unrelated areas, even more because it's a bad idea to be updating several things at once and then not knowing why unrelated things are broken. A CVE in a dependency is not a CVE in Pebble.

@niemeyer
Contributor

niemeyer commented Apr 6, 2023

@merkata There are a few conflicts. I could fix them, but I don't want to screw up the work you've already done. Can you please have a look to make sure things are as they should before we can merge it?

Thanks for the research there, btw.

@merkata
Contributor Author

merkata commented Apr 12, 2023

@merkata There are a few conflicts. I could fix them, but I don't want to screw up the work you've already done. Can you please have a look to make sure things are as they should before we can merge it?

Thanks for the research there, btw.

Should be all good now, thanks a lot!

@jnsgruk
Member

jnsgruk commented Apr 15, 2023

@merkata looks like you've accidentally pulled in content from some recent commits which makes this a little messy.

@merkata
Contributor Author

merkata commented May 17, 2023

@merkata looks like you've accidentally pulled in content from some recent commits which makes this a little messy.

Should be all good now, thank you all for the feedback!

@jnsgruk jnsgruk merged commit f7505fe into canonical:master May 19, 2023