Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc. #9707

Merged
merged 4 commits into from Jan 30, 2024
Merged

[release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc. #9707

merged 4 commits into from Jan 30, 2024

Conversation

aepifanov
Copy link

@aepifanov aepifanov commented Jan 29, 2024
edited

Fixing the following CVEs:

  • golang://golang.org/x/crypto:v0.15.0 CVE-2023-48795 Medium v0.17.0 /usr/bin/containerd
  • golang://go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc:v0.28.0 CVE-2023-47108 High
    v0.46.0 /usr/bin/containerd

@k8s-ci-robot
Copy link

Hi @aepifanov. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@aepifanov aepifanov force-pushed the fix-cves branch 3 times, most recently from e8ef5c8 to d777aad Compare January 30, 2024 05:43
@aepifanov
[release/1.6] vendor: upgrade OpenTelemetry to v1.21.0 / v0.46.0
16ac018 
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov
[release/1.6] vendor: golang.org/x/sys v0.16.0
7d6a4d2 
full diff: golang/sys@v0.13.0...v0.16.0

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov
[release/1.6] vendor: golang.org/x/term v0.16.0
919928f 
full diff: golang/term@v0.13.0...v0.16.0

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov
[release/1.6] vendor: golang.org/x/crypto v0.18.0
1950072 
full diff: golang/crypto@v0.14.0...v0.18.0

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov aepifanov changed the title Fix cves [release/1.6] Fix cves Jan 30, 2024
@aepifanov aepifanov changed the title [release/1.6] Fix cves [release/1.6] Fix CVEs Jan 30, 2024
@AkihiroSuda
Copy link
Member

golang://golang.org/x/crypto:v0.15.0 GHSA-45x7-px36-x8w8 Medium v0.17.0 /usr/bin/containerd

This is a false alarm. containerd does not use x/crypto for SSH.

@AkihiroSuda
Copy link
Member

/ok-to-test

@AkihiroSuda AkihiroSuda changed the title [release/1.6] Fix CVEs [release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc. Jan 30, 2024
@thaJeztah
Copy link
Member

Is there an equivalent PR for the 1.7 release branch? (looks like that one is on an older version)

@AkihiroSuda AkihiroSuda merged commit cf4f85a into containerd:release/1.6 Jan 30, 2024
41 checks passed
@aepifanov aepifanov deleted the fix-cves branch January 31, 2024 05:12
@dmcgowan dmcgowan mentioned this pull request Jan 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@estesp estesp estesp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
ok-to-test size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@aepifanov @k8s-ci-robot @AkihiroSuda @thaJeztah @estesp