Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address CVE-2023-45288 #17703

Closed
10 tasks done
ivanvc opened this issue Apr 4, 2024 · 13 comments
Closed
10 tasks done

Address CVE-2023-45288 #17703

ivanvc opened this issue Apr 4, 2024 · 13 comments
Assignees
@henrybear327
Labels
area/security good first issue type/feature

Comments

@ivanvc
Copy link
Member

ivanvc commented Apr 4, 2024
edited
Loading

What would you like to be added?

CVE-2023-45288 / GO-2024-2687 was recently published. We need to:

Go version bump

Bump golang.org/x/net from 1.22.1 to 1.22.2

Why is this needed?

To improve security and address the CVE. And to keep the Go version up to date.
@henrybear327
Copy link
Contributor

henrybear327 commented Apr 4, 2024
edited
Loading

I can work on it!

@ahrtr
Copy link
Member

ahrtr commented Apr 4, 2024

We also need to update bbolt (including both main and release-1.3) and raft.

@ahrtr ahrtr mentioned this issue Apr 4, 2024
Merged
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to 1.22.2
ca6e265 
Changes:
- Bump toolchain version to 1.22.2 due to CVE-2023-45288
- Update CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703
@henrybear327 henrybear327 mentioned this issue Apr 4, 2024
Merged
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go-version to 1.21.9 for release-3.5 due to CVE-2023-45288
7ce37ce 
Reference:
- PR etcd-io#17703
@henrybear327 henrybear327 mentioned this issue Apr 4, 2024
Merged
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go-version to 1.21.9 for release-3.4 due to CVE-2023-45288
d2aec61 
Reference:
- PR etcd-io#17703
@henrybear327 henrybear327 mentioned this issue Apr 4, 2024
Merged
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go-version to 1.21.9 for release-3.4 due to CVE-2023-45288
1024750 
Reference:
- PR etcd-io#17703
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
aaff4d1 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
56888dd 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703
@rissh
Copy link

rissh commented Apr 4, 2024

Hello everyone,

I'm diving into updating dependencies for CVE-2023-45288 / GO-2024-2687. Excited to give it a shot! If anyone wants to join or has advice, let me know.

henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
0e76886 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703
@henrybear327
Copy link
Contributor

Hello everyone,

I'm diving into updating dependencies for CVE-2023-45288 / GO-2024-2687. Excited to give it a shot! If anyone wants to join or has advice, let me know.

Hey @rissh,

I have already created all the PRs!

@rissh
Copy link

rissh commented Apr 4, 2024

Hi @henrybear327 ,

Thank you for taking the initiative to create the PRs! Your efforts are commendable. I'm glad to see progress on this front.
I'm also eager to contribute and collaborate on this issue. Feel free to reach out if you require any assistance or support.

Thanks again.

@MrDXY MrDXY mentioned this issue Apr 4, 2024
Merged
@henrybear327
Copy link
Contributor

We also need to update bbolt (including both main and release-1.3) and raft.

Done on the bblot side!

henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
f86dd78 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go-version to 1.21.9 for release-3.4 due to CVE-2023-45288
5acca27 
Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
d89a106 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go-version to 1.21.9 for release-3.5 due to CVE-2023-45288
5776e21 
Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
henrybear327 added a commit to henrybear327/etcd that referenced this issue Apr 4, 2024
@henrybear327
Bump go toolchain version to address CVE-2023-45288
034574f 
Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR etcd-io#17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
@henrybear327
Copy link
Contributor

What would you like to be added?

CVE-2023-45288 / GO-2024-2687 was recently published. We need to:

  • update main's branch Go version from 1.22.1 to 1.22.2
  • update release-3.5 from 1.21.8 to 1.21.9
  • update release-3.4 from 1.21.8 to 1.21.9
  • update CHANGELOG
  • update main's golang.org/x/net from v0.22.0 to v0.23.0

The severity hasn't been published yet. So, I'm unsure if we should update golang.org/x/net in release-3.4/3.5. However, it may be a good idea as the govuln check will fail.

Why is this needed?

To improve security and address the CVE. And to keep the Go version up to date.

The vulnerability scan on CI will report an error, thus, the decision is made to also upgrade golang.org/x/net.

Log extract:

go: downloading golang.org/x/vuln v1.0.4
go: downloading golang.org/x/mod v0.14.0
go: downloading golang.org/x/tools v0.1[7](https://github.com/etcd-io/etcd/actions/runs/8551422689/job/23430401128#step:6:8).0
go: downloading golang.org/x/sync v0.6.0
Scanning your code and 504 packages across 77 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-26[8](https://github.com/etcd-io/etcd/actions/runs/8551422689/job/23430401128#step:6:9)7
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

@ivanvc
Copy link
Member Author

ivanvc commented Apr 4, 2024

@henrybear327, yes we also need to bump golang.org/x/net.

@ivanvc ivanvc mentioned this issue Apr 4, 2024
Merged
@ivanvc
Copy link
Member Author

ivanvc commented Apr 4, 2024

@henrybear327, I just saw that you bumped the dependency and Go in tandem. Thanks, I'll update the to-do list from the description.

@ivanvc ivanvc mentioned this issue Apr 4, 2024
Merged
@henrybear327
Copy link
Contributor

@henrybear327, I just saw that you bumped the dependency and Go in tandem. Thanks, I'll update the to-do list from the description.

Hey @ivanvc,

Sorry that I probably should have done it in 2 PRs instead of 1. I will keep that in mind next time! :)

@ivanvc
Copy link
Member Author

ivanvc commented Apr 5, 2024

With all subtasks completed. I'll go ahead and close this issue. Thanks, @henrybear327 and @MrDXY, for working on this 🙇

@ivanvc ivanvc closed this as completed Apr 5, 2024
@ivanvc ivanvc mentioned this issue Apr 5, 2024
Merged
3 tasks
@henrybear327 henrybear327 mentioned this issue Jun 13, 2024
Merged
@ivanvc
Copy link
Member Author

ivanvc commented Jun 13, 2024

Reopening as #17708 only partially addressed the issue.

@jmhbnz, would we need a new CHANGELOG entry for 3.5 for this?

@ivanvc ivanvc reopened this Jun 13, 2024
@jmhbnz
Copy link
Member

jmhbnz commented Jun 20, 2024

Discussed during sig-etcd triage meeting, the work has been completed for this so we can close. We need to push ahead with 3.5.15 to release this.

@jmhbnz jmhbnz closed this as completed Jun 20, 2024
@henrybear327 henrybear327 mentioned this issue Jun 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@henrybear327 henrybear327

Labels
area/security good first issue type/feature
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ivanvc @henrybear327 @ahrtr @jmhbnz @rissh