Update github.com/miekg/dns to pick up fix for CVE-2019-19794. #97405

Merged
merged 1 commit into kubernetes:master from dlorenc:dns on Jan 11, 2021

Conversation

dlorenc (Contributor) commented Dec 19, 2020

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

I noticed this was out of date using 'snyk test' on the main repository.

More info is available here: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMIEKGDNS-537825

I don't think the codepath in question is used directly here, but I'm not 100% sure.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 19, 2020
k8s-ci-robot (Contributor) commented Dec 19, 2020

@dlorenc: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Dec 19, 2020
@k8s-ci-robot k8s-ci-robot requested review from dchen1107, lavalamp and a team December 19, 2020 21:36
@k8s-ci-robot k8s-ci-robot added the area/dependency Issues or PRs related to dependency changes label Dec 19, 2020
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 19, 2020
dlorenc (Contributor, Author) commented Jan 6, 2021

This should be ready for review
/assign @dchen1107

aojea (Member) commented Jan 6, 2021

/assign @liggitt @dims

liggitt (Member) commented Jan 6, 2021

> I don't think the codepath in question is used directly here, but I'm not 100% sure.

It is not; the only places this dependency is used are in test/e2e code and in pkg/proxy/winuserspace/proxysocket.go to decode a DNS request.

Ideally we could drop this dependency completely. I'll defer to sig-network and sig-windows to review the update

/sig network windows

@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. sig/windows Categorizes an issue or PR as relevant to SIG Windows. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 6, 2021
liggitt (Member) commented Jan 6, 2021

/approve
for dependency mechanics

/hold for network/windows review

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 6, 2021
k8s-ci-robot (Contributor) commented Jan 6, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 6, 2021
aojea (Member) commented Jan 6, 2021

> Ideally we could drop this dependency completely. I'll defer to sig-network and sig-windows to review the update

I added the e2e dependency, but it just uses a helper function that can be copied. It seems there was some discussion about the winproxy dependency, but the conclusion is not clear to me.

#45642

/hold
/assign
let me see if we can remove one dependency

dims (Member) commented Jan 8, 2021

@aojea how about we merge and iterate?

aojea (Member) commented Jan 8, 2021

> @aojea how about we merge and iterate?

Yep, the Windows dependency doesn't seem likely to be resolved soon :)
/hod cancel

aojea (Member) commented Jan 8, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2021
dlorenc (Contributor, Author) commented Jan 10, 2021

Thanks! I took a look at the windows dependency and it seems pretty small (one struct, dns.Msg), but that struct pulls in about a dozen other structs and interfaces totaling a few hundred lines of code.
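
liggitt says the only non-test consumer of github.com/miekg/dns is one spot that decodes a DNS request, and dlorenc finds that dns.Msg alone drags in roughly a dozen types. As an added illustration of what "copy the helper and drop the dependency" would mean for that use, here is a standard-library-only decoder for the header and question section of a DNS message, including the compression-pointer handling that makes untrusted input dangerous. This is example code written for this page; it is not from this PR, from pkg/proxy/winuserspace/proxysocket.go, or from miekg/dns, and the names (Query, Question, ParseQuery, readName) and the sample messages are my own constructions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Question is one entry of the question section (RFC 1035 §4.1.2).
type Question struct {
	Name  string
	Type  uint16
	Class uint16
}

// Query is the part of a DNS message a forwarding proxy needs to inspect.
type Query struct {
	ID        uint16
	Flags     uint16
	Questions []Question
}

var errMalformed = errors.New("malformed DNS message")

// readName decodes a possibly compressed name at off and returns it together
// with the offset where the caller resumes. Pointers must refer backwards,
// which bounds the work and rejects pointer loops without a jump counter.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	end, total := -1, 0 // resume offset (fixed at the first pointer), name bytes seen
	for {
		if off >= len(msg) {
			return "", 0, errMalformed
		}
		l := int(msg[off])
		switch {
		case l == 0: // root label ends the name
			if end < 0 {
				end = off + 1
			}
			return strings.Join(labels, ".") + ".", end, nil
		case l&0xC0 == 0xC0: // compression pointer with a 14-bit offset
			if off+1 >= len(msg) {
				return "", 0, errMalformed
			}
			ptr := int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
			if ptr >= off { // forward or self pointers are never valid
				return "", 0, errMalformed
			}
			if end < 0 {
				end = off + 2
			}
			off = ptr
		case l&0xC0 != 0: // extended label types are not supported
			return "", 0, errMalformed
		default: // ordinary label of l bytes; whole names are capped at 255 bytes
			total += l + 1
			if off+1+l > len(msg) || total > 255 {
				return "", 0, errMalformed
			}
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
}

// ParseQuery decodes the 12-byte header and the question section; answer
// and additional sections (including EDNS OPT) are ignored.
func ParseQuery(msg []byte) (*Query, error) {
	if len(msg) < 12 {
		return nil, errMalformed
	}
	q := &Query{ID: binary.BigEndian.Uint16(msg[0:]), Flags: binary.BigEndian.Uint16(msg[2:])}
	off := 12
	for n := binary.BigEndian.Uint16(msg[4:]); n > 0; n-- { // QDCOUNT
		name, next, err := readName(msg, off)
		if err != nil {
			return nil, err
		}
		if next+4 > len(msg) { // QTYPE and QCLASS must fit
			return nil, errMalformed
		}
		q.Questions = append(q.Questions, Question{Name: name, Type: binary.BigEndian.Uint16(msg[next:]), Class: binary.BigEndian.Uint16(msg[next+2:])})
		off = next + 4
	}
	return q, nil
}

// Constructed inputs (not captured traffic). The header occupies bytes 0-11,
// "kubernetes" starts at offset 12 and "default" at offset 23.
var (
	hdr1 = []byte{0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0} // ID 0x1234, RD set, QDCOUNT 1
	hdr2 = []byte{0x12, 0x34, 0x01, 0x00, 0x00, 0x02, 0, 0, 0, 0, 0, 0} // same, QDCOUNT 2
	qA   = []byte{10, 'k', 'u', 'b', 'e', 'r', 'n', 'e', 't', 'e', 's', 7, 'd', 'e', 'f', 'a', 'u', 'l', 't', 0, 0, 1, 0, 1}
	qB   = []byte{3, 's', 'v', 'c', 0xC0, 23, 0, 1, 0, 1} // "svc" + pointer to "default"

	sampleQuery      = append(append([]byte{}, hdr1...), qA...)
	sampleCompressed = append(append(append([]byte{}, hdr2...), qA...), qB...)
	pointerLoop      = append(append([]byte{}, hdr1...), 0xC0, 12, 0, 1, 0, 1) // name points at itself
)

func main() {
	for _, m := range [][]byte{sampleQuery, sampleCompressed, pointerLoop, sampleQuery[:20]} {
		if q, err := ParseQuery(m); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("id=%#04x questions=%+v\n", q.ID, q.Questions)
		}
	}
}
```

The two checks that matter for a proxy reading from an untrusted socket are the backwards-only rule for compression pointers (a self- or forward-pointing name is rejected instead of spinning) and the explicit length checks before every slice, so a truncated packet fails cleanly rather than panicking the process. What this does not give you is everything else dns.Msg carries (resource-record types, packing, EDNS), which is exactly the trade-off the thread is weighing.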

dims (Member) commented Jan 11, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 11, 2021
@k8s-ci-robot k8s-ci-robot merged commit 334b426 into kubernetes:master Jan 11, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 11, 2021
@dlorenc dlorenc deleted the dns branch May 12, 2021 14:30
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/dependency Issues or PRs related to dependency changes cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.