
update golang.org/x/crypto to fix CVE-2020-9283 #88381

Merged
merged 1 commit into from Feb 20, 2020

Conversation

@BenTheElder
Member

BenTheElder commented Feb 20, 2020

What type of PR is this?

/kind cleanup
What this PR does / why we need it: updates golang.org/x/crypto to v0.0.0-20200220183623-bac4c82f6975 to fix CVE-2020-9283

Which issue(s) this PR fixes:

Fixes #

Fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed peers to cause a panic in SSH servers that accept public keys and in any SSH client.

An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.

Special notes for your reviewer:
Unsure if we usually add a release note for this? Happy to add a suggested note.

Does this PR introduce a user-facing change?:

golang/x/net has been updated to bring in fixes for CVE-2020-9283

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
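The panic described in the PR body comes from handing a wrong-length public key to an Ed25519 verify routine that treats the key length as an invariant rather than as untrusted input. The following is an added Go example, not code from golang.org/x/crypto or from Kubernetes: it parses an ssh-ed25519 wire blob with and without a key-length check and shows, using the standard library's crypto/ed25519 (whose Verify also panics on a wrong-length public key), that the unchecked path turns a peer-supplied 31-byte key into a panic while the checked path returns an error. The function names, the demo message and the malformed blob are constructed for this illustration; the exact change made in x/crypto is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed illustration, not code from golang.org/x/crypto/ssh or Kubernetes.
// Wire format: two RFC 4251 strings (uint32 big-endian length + bytes): type, key.
const keyType = "ssh-ed25519"

func readString(buf []byte) (s, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("ssh: short read, missing length prefix")
	}
	n := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	if uint64(n) > uint64(len(buf)) {
		return nil, nil, errors.New("ssh: short read, string length exceeds buffer")
	}
	return buf[:n], buf[n:], nil
}

// encodePublicKey does not check the key length, so a caller can build the
// malformed blob a hostile peer would send.
func encodePublicKey(key []byte) []byte {
	var blob []byte
	for _, s := range [][]byte{[]byte(keyType), key} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		blob = append(append(blob, l[:]...), s...)
	}
	return blob
}

// parsePublicKeyUnchecked accepts a key of any length, the shape of the bug:
// a wrong-sized key is only noticed later, inside ed25519.Verify, as a panic.
func parsePublicKeyUnchecked(blob []byte) (ed25519.PublicKey, error) {
	typ, rest, err := readString(blob)
	if err != nil {
		return nil, err
	}
	if string(typ) != keyType {
		return nil, fmt.Errorf("ssh: unexpected key type %q", typ)
	}
	key, _, err := readString(rest)
	if err != nil {
		return nil, err
	}
	return ed25519.PublicKey(key), nil
}

// parsePublicKeyChecked is the hardened form: reject any key that is not exactly
// ed25519.PublicKeySize (32) bytes at parse time, before it can reach Verify.
func parsePublicKeyChecked(blob []byte) (ed25519.PublicKey, error) {
	key, err := parsePublicKeyUnchecked(blob)
	if err != nil {
		return nil, err
	}
	if len(key) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", len(key))
	}
	return key, nil
}

// verifyRecovering reports the panic crypto/ed25519.Verify raises on a wrong-length key instead of crashing.
func verifyRecovering(pub ed25519.PublicKey, msg, sig []byte) (ok, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return ed25519.Verify(pub, msg, sig), false
}

// runDemo verifies a genuine key, then feeds a 31-byte key through both parse paths.
func runDemo() (goodVerifies, uncheckedPanicked, checkedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	msg := []byte("constructed session identifier")
	sig := ed25519.Sign(priv, msg)
	good, _ := parsePublicKeyChecked(encodePublicKey(pub))
	goodVerifies, _ = verifyRecovering(good, msg, sig)
	bad := encodePublicKey(make([]byte, 31)) // the attacker-controlled blob, one byte short
	k, _ := parsePublicKeyUnchecked(bad)     // accepted: no size check
	_, uncheckedPanicked = verifyRecovering(k, msg, sig)
	_, perr := parsePublicKeyChecked(bad)
	checkedRejected = perr != nil
	return
}

func main() {
	fmt.Println(runDemo())
}
```

The point to take from the example is where the length check lives: a server's PublicKeyCallback or a client's host-key check receives the blob straight off the wire, so validating the key's size when it is parsed, rather than trusting a later verify routine to cope, is what keeps a malformed key from turning into a process-wide panic.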


@BenTheElder

Member Author

BenTheElder commented Feb 20, 2020

/👏👏 @liggitt

@k8s-ci-robot k8s-ci-robot requested a review from liggitt Feb 20, 2020
@BenTheElder

Member Author

BenTheElder commented Feb 20, 2020

/remove-kind cleanup
/kind bug
/priority important-soon
Not actually sure what SIG this is ... cloud-provider (gcp)? auth? network?

@BenTheElder

Member Author

BenTheElder commented Feb 20, 2020

updated the release note thanks to suggestion in slack from @liggitt

@enj

Member

enj commented Feb 20, 2020

/lgtm

@liggitt

Member

liggitt commented Feb 20, 2020

/lgtm
/approve

@k8s-ci-robot

Contributor

k8s-ci-robot commented Feb 20, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 056374d into kubernetes:master Feb 20, 2020
16 checks passed
cla/linuxfoundation BenTheElder authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-kind Job succeeded.
pull-kubernetes-e2e-kind-ipv6 Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
tide In merge pool.
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Feb 20, 2020
@BenTheElder BenTheElder deleted the BenTheElder:CVE-2020-9283 branch Feb 20, 2020
k8s-ci-robot added a commit that referenced this pull request Feb 28, 2020
…1-upstream-release-1.16

Automated cherry pick of #88381: update golang.org/x/crypto
k8s-ci-robot added a commit that referenced this pull request Feb 28, 2020
…1-upstream-release-1.17

Automated cherry pick of #88381: update golang.org/x/crypto