Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.26][CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 #123767

Merged
merged 1 commit into from Mar 7, 2024
Merged

[1.26][CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 #123767

merged 1 commit into from Mar 7, 2024

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Mar 6, 2024

Manual pick of #123758

What type of PR is this?

/kind bug
/kind security

What this PR does / why we need it:

Updates protobuf dependencies for CVE-2024-24786

Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786

/assign @dims

@k8s-ci-robot k8s-ci-robot added do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 6, 2024
@k8s-ci-robot
Copy link
Contributor

@liggitt: The label(s) kind/security cannot be applied, because the repository doesn't have them.

In response to this:

Manual pick of #123758

What type of PR is this?

/kind bug
/kind security

What this PR does / why we need it:

Updates protobuf dependencies for CVE-2024-24786

Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786

/assign @dims

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cloudprovider area/code-generation do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. area/dependency Issues or PRs related to dependency changes labels Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 6, 2024
@k8s-ci-robot k8s-ci-robot requested review from ardaguclu and a team March 6, 2024 16:04
@k8s-ci-robot k8s-ci-robot added area/kubectl sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added the sig/storage Categorizes an issue or PR as relevant to SIG Storage. label Mar 6, 2024
@dims
Copy link
Member

dims commented Mar 6, 2024

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 6, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 4702ad5a818b33d2493b7a262eaaec7e03a46845

@k8s-ci-robot k8s-ci-robot added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. labels Mar 7, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, liggitt, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 5e75c65 into kubernetes:release-1.26 Mar 7, 2024
16 checks passed
SIG Node PR Triage automation moved this from Triage to Done Mar 7, 2024
@ehashman
Copy link
Member

Will there be an additional patch release of 1.26 with this CVE fix? Schedule says EOL was 02/28 https://kubernetes.io/releases/#release-v1-26

/cc @kubernetes/release-managers

@k8s-ci-robot k8s-ci-robot requested a review from a team March 13, 2024 18:58
@xmudrii
Copy link
Member

xmudrii commented Mar 13, 2024

@ehashman Yes, there's going to be the final 1.26 release this week: https://kubernetes.slack.com/archives/CJH2GBF7Y/p1710351466450079?thread_ts=1710349768.638449&cid=CJH2GBF7Y

@liggitt liggitt deleted the proto-1.26 branch March 21, 2024 14:03
@cici37 cici37 added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Apr 11, 2024
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@andrewsykim andrewsykim Awaiting requested review from andrewsykim

@ardaguclu ardaguclu Awaiting requested review from ardaguclu

Assignees

@dims dims

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/cloudprovider area/code-generation area/dependency Issues or PRs related to dependency changes area/kubectl cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG CLI
Archived in project
SIG Node PR Triage
Done
Milestone
v1.26
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@liggitt @k8s-ci-robot @dims @ehashman @xmudrii @saschagrunert @cici37