[Backport release-1.28] Fix CVE-2023-45288 #4257

twz123 · 2024-04-09T11:37:31Z

Backport to release-1.28:

See:

Bump golang.org/x/net to v0.23.0 #4254

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0. - [Commits](golang/sys@v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 3abd703)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.17.0 to 0.18.0. - [Commits](golang/crypto@v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 1af8b2b)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.16.0 to 0.17.0. - [Commits](golang/sys@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit be0998b) (cherry picked from commit caa6093)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.18.0 to 0.19.0. - [Commits](golang/crypto@v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 73ea428) (cherry picked from commit 4b9c633)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.19.0 to 0.20.0. - [Commits](golang/crypto@v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit ce4d201) (cherry picked from commit 4b0df6c)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.17.0 to 0.18.0. - [Commits](golang/sys@v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 99d7642) (cherry picked from commit 99ab917)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.20.0 to 0.21.0. - [Commits](golang/crypto@v0.20.0...v0.21.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit f60840a) (cherry picked from commit 5f59a23)

This fixes CVE-2023-45288. Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com> (cherry picked from commit b43f3a1) (cherry picked from commit c562360)

k0s-bot · 2024-04-10T07:44:13Z

Backport failed for release-1.27, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.27
git worktree add -d .worktree/backport-4257-to-release-1.27 origin/release-1.27
cd .worktree/backport-4257-to-release-1.27
git checkout -b backport-4257-to-release-1.27
ancref=$(git merge-base 8dc2b806bd9da6e7cbebf8f90f314dc61793fe1b 237e1ae6987d7db623b03e36b4cd9aa91ff64e47)
git cherry-pick -x $ancref..237e1ae6987d7db623b03e36b4cd9aa91ff64e47

dependabot bot and others added 8 commits April 9, 2024 12:51

Bump golang.org/x/net to v0.23.0

237e1ae

This fixes CVE-2023-45288. Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com> (cherry picked from commit b43f3a1) (cherry picked from commit c562360)

twz123 added security fix backport/release-1.27 PR that needs to be backported/cherrypicked to release-1.27 branch labels Apr 9, 2024

twz123 mentioned this pull request Apr 9, 2024

[Backport release-1.27] Fix CVE-2023-45288 #4258

Merged

jnummelin approved these changes Apr 10, 2024

View reviewed changes

twz123 marked this pull request as ready for review April 10, 2024 07:43

twz123 requested a review from a team as a code owner April 10, 2024 07:43

twz123 requested review from ncopa and makhov April 10, 2024 07:43

twz123 merged commit 0e6bec4 into k0sproject:release-1.28 Apr 10, 2024
73 checks passed

twz123 deleted the backport-4256-to-release-1.28 branch April 10, 2024 07:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Backport release-1.28] Fix CVE-2023-45288 #4257

[Backport release-1.28] Fix CVE-2023-45288 #4257

twz123 commented Apr 9, 2024

k0s-bot commented Apr 10, 2024

[Backport release-1.28] Fix CVE-2023-45288 #4257

[Backport release-1.28] Fix CVE-2023-45288 #4257

Conversation

twz123 commented Apr 9, 2024

k0s-bot commented Apr 10, 2024