Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update golang.org/protobuf version to fix CVE-2024-24786 #3618

Merged
merged 7 commits into from Mar 19, 2024
Merged

Update golang.org/protobuf version to fix CVE-2024-24786 #3618

merged 7 commits into from Mar 19, 2024

Conversation

shraddhabang
Copy link
Collaborator

Issue

CVE-2024-24786

Description

Update golang.org/protobuf version to fix CVE-2024-24786

Trivy scan result on test image

2024-03-19T13:53:23.621-0700    INFO    Vulnerability scanning is enabled
2024-03-19T13:53:23.622-0700    INFO    Secret scanning is enabled
2024-03-19T13:53:23.622-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-19T13:53:23.622-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-19T13:53:32.085-0700    INFO    Detected OS: amazon
2024-03-19T13:53:32.086-0700    INFO    Detecting Amazon Linux vulnerabilities...
2024-03-19T13:53:32.088-0700    INFO    Number of language-specific files: 1
2024-03-19T13:53:32.088-0700    INFO    Detecting gobinary vulnerabilities...

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 19, 2024
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 19, 2024
@oliviassss
Copy link
Collaborator

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 19, 2024
M00nF1sh
M00nF1sh approved these changes Mar 19, 2024
View reviewed changes
Copy link
Collaborator

@M00nF1sh M00nF1sh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, oliviassss, shraddhabang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [M00nF1sh,oliviassss]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@M00nF1sh M00nF1sh merged commit 8393192 into kubernetes-sigs:main Mar 19, 2024
6 of 9 checks passed
@oliviassss oliviassss added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Mar 19, 2024
shraddhabang added a commit to shraddhabang/aws-load-balancer-controller that referenced this pull request Mar 20, 2024
@shraddhabang
Update golang.org/protobuf version to fix CVE-2024-24786 (kubernetes-…
9ae4080 
…sigs#3618)

* Add a note to recommend to use compatible chart and image versions

* Update golang.org/protobuf version to fix CVE-2024-24786
M00nF1sh pushed a commit that referenced this pull request Mar 22, 2024
@shraddhabang @oliviassss
@alebedev87 @the-technat @jukie @xdu31 @haouc @alex-berger
Release v2.7.2 - Cherry picked the commits from main (#3620)
61e0135 
* fix log level in listener manager and tagging manager (#3573)

* bump up controller-gen version and update manifests (#3580)

* docs: ingress subnets annotation - clarify locale differences (#3579)

* feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591)

* Add example for NLB target-group-attributes to enable unhealthy target connection draining (#3577)

* Add example annotation for NLB unhealthy target connection draining

* Add emtpyline back in

* fix: ca-filter causing expontentially more api-calls (#3608)

due to missing cache

* Repo controlled build go version (#3598)

* update go version to mitigate CVE (#3615)

* Adding support for Availability Zone Affinity (#3470)

Fixes #3431

Signed-off-by: Alex Berger <alex-berger@gmx.ch>

* Update golang.org/protobuf version to fix CVE-2024-24786 (#3618)

* Add a note to recommend to use compatible chart and image versions

* Update golang.org/protobuf version to fix CVE-2024-24786

---------

Signed-off-by: Alex Berger <alex-berger@gmx.ch>
Co-authored-by: Olivia Song <sonyingy@amazon.com>
Co-authored-by: Andrey Lebedev <alebedev87@gmail.com>
Co-authored-by: Nathanael Liechti <technat@technat.ch>
Co-authored-by: Isaac Wilson <10012479+jukie@users.noreply.github.com>
Co-authored-by: Nathanael Liechti <nathanael.liechti@post.ch>
Co-authored-by: Jason Du <jasonxdu@amazon.com>
Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>
Co-authored-by: Alexander Berger <alex-berger@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@M00nF1sh M00nF1sh M00nF1sh approved these changes

@johngmyers johngmyers Awaiting requested review from johngmyers

@kishorj kishorj Awaiting requested review from kishorj

Assignees

@M00nF1sh M00nF1sh

@oliviassss oliviassss

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@shraddhabang @oliviassss @k8s-ci-robot @M00nF1sh