Update gogo/protobuf to v1.3.2 #98477

Merged
merged 1 commit into from
Feb 2, 2021

palnabarun
Member

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

gogo/protobuf@v1.3.2 fixes https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Changes in the dependency between v1.3.1 and v1.3.2: gogo/protobuf@v1.3.1...v1.3.2

Which issue(s) this PR fixes:

Fixes: kubernetes/client-go#927

Special notes for your reviewer:

The change is tentative and is pending on the merge of gogo/protobuf#721 and a new version to be pushed after that merges.

This is needed because gogo/protobuf@v1.3.2 includes an unnecessary version update for golang.org/x/tools as well.

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

/assign
/cc @dims @nikhita @liggitt
/sig architecture
/sig api-machinery
/area code-organization

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 27, 2021
@k8s-ci-robot k8s-ci-robot added sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. area/code-organization Issues or PRs related to kubernetes code organization cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 27, 2021
@palnabarun
Member Author

/wip
/priority critical-urgent

@k8s-ci-robot k8s-ci-robot added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. area/apiserver area/cloudprovider area/code-generation area/dependency Issues or PRs related to dependency changes area/kubectl sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 27, 2021
@palnabarun
Member Author

/retitle WIP: update gogo/protobuf to v1.3.2

@k8s-ci-robot k8s-ci-robot changed the title update gogo/protobuf to v1.3.2 WIP: update gogo/protobuf to v1.3.2 Jan 27, 2021
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 27, 2021
SchSeba added a commit to SchSeba/linuxptp-daemon that referenced this pull request Feb 9, 2021
Update gogo/protobuf to v1.3.2 to fix https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121. The related k8s fix is here: kubernetes/kubernetes#98477

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
SchSeba added a commit to SchSeba/ptp-operator that referenced this pull request Feb 10, 2021
SchSeba added a commit to SchSeba/linuxptp-daemon that referenced this pull request Feb 10, 2021
vpickard added a commit to vpickard/sdn that referenced this pull request Feb 19, 2021
The k/k fix is here:
kubernetes/kubernetes#98477

Resolves CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Here are the steps I used:
go list -m all |grep gogo/protobuf
go get github.com/gogo/protobuf@v1.3.2
go mod vendor
go mod tidy
make

Signed-off-by: vpickard <vpickard@redhat.com>
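
A check to run after the upgrade steps in the commit message above, added here as an example and not taken from the PR or the referencing commits: it reads `go list -m all` output and classifies the gogo/protobuf version against v1.3.2, including modules redirected by a `replace` directive. The function name `check_gogo_protobuf` and the sample module list are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): classify the gogo/protobuf version found in
# `go list -m all` output against v1.3.2, the release named above as the fix.
FIXED="1.3.2"

# Reads `go list -m all` output on stdin. Prints one of
#   absent | fixed <ver> | vulnerable <ver> | unknown <target>
# and returns 0 (absent/fixed), 1 (vulnerable) or 2 (cannot decide).
check_gogo_protobuf() {
  local ver core
  # A replaced module is listed as "path version => newpath [newversion]",
  # so the last field is what is actually built.
  ver=$(awk '$1 == "github.com/gogo/protobuf" { v = $NF } END { print v }')
  if [ -z "$ver" ]; then echo "absent"; return 0; fi
  case "$ver" in
    v[0-9]*) ;;
    *) echo "unknown $ver"; return 2 ;;   # replaced by a local directory
  esac
  core=${ver#v}
  core=${core%%[-+]*}
  # A pre-release or pseudo-version of v1.3.2 sorts before the tagged release,
  # so it cannot be assumed to contain the fix.
  if [ "$core" = "$FIXED" ] && [ "v$core" != "$ver" ]; then
    echo "unknown $ver"; return 2
  fi
  # Numeric compare of major.minor.patch; awk exits 0 when core < FIXED.
  if awk -v a="$core" -v b="$FIXED" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
          if (x[i] + 0 < y[i] + 0) exit 0
          if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'; then
    echo "vulnerable $ver"; return 1
  fi
  echo "fixed $ver"; return 0
}

# Constructed sample: go.mod still requires v1.3.1 but a replace pins v1.3.2.
check_gogo_protobuf <<'EOF' || true
example.com/app
github.com/gogo/protobuf v1.3.1 => github.com/gogo/protobuf v1.3.2
k8s.io/client-go v0.20.6
EOF
```

In a module directory the same function can be fed directly with `go list -m all | check_gogo_protobuf`, and its exit status used to fail a CI step.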
periklis added a commit to periklis/elasticsearch-proxy that referenced this pull request Feb 24, 2021
The k/k fix is here:
kubernetes/kubernetes#98477

Resolves CVE:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121

Here are the steps I used:
go list -m all |grep gogo/protobuf
go get github.com/gogo/protobuf@v1.3.2
go mod vendor
go mod tidy
make
periklis added a commit to periklis/elasticsearch-operator that referenced this pull request Feb 24, 2021
periklis added a commit to periklis/elasticsearch-operator that referenced this pull request Feb 24, 2021
periklis added a commit to periklis/elasticsearch-operator that referenced this pull request Mar 1, 2021
periklis added a commit to periklis/elasticsearch-operator that referenced this pull request Mar 1, 2021
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/sdn that referenced this pull request Mar 4, 2021
periklis added a commit to periklis/elasticsearch-operator that referenced this pull request Mar 5, 2021
k8s-ci-robot added a commit that referenced this pull request Mar 29, 2021
[1.18] Cherry pick of #98477: update gogo/protobuf to v1.3.2
k8s-ci-robot added a commit that referenced this pull request Mar 29, 2021
…8477-upstream-release-1.20

[1.20] Automated cherry pick of #98477: update gogo/protobuf to v1.3.2
k8s-ci-robot added a commit that referenced this pull request Mar 29, 2021
[1.19] Cherry pick of #98477: update gogo/protobuf to v1.3.2
rfranzke added a commit to rfranzke/gardener that referenced this pull request Apr 26, 2021
ialidzhikov pushed a commit to gardener/gardener that referenced this pull request Apr 27, 2021
…1-3121 (#3945)

* Update gogo/protobuf to v1.3.2

Similar to kubernetes/kubernetes#98477

* Manually apply kubernetes/kubernetes#101326

* Update k8s.io/* to v0.20.6

* Remove go.mod replacement for sigs.k8s.io/structured-merge-diff/v4
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
…1-3121 (gardener#3945)

* Update gogo/protobuf to v1.3.2

Similar to kubernetes/kubernetes#98477

* Manually apply kubernetes/kubernetes#101326

* Update k8s.io/* to v0.20.6

* Remove go.mod replacement for sigs.k8s.io/structured-merge-diff/v4
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022
josephdrichard pushed a commit to k8snetworkplumbingwg/ptp-operator that referenced this pull request May 23, 2023
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/cloudprovider area/code-generation area/code-organization Issues or PRs related to kubernetes code organization area/dependency Issues or PRs related to dependency changes area/kubectl area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Development

Successfully merging this pull request may close these issues.

Critical vulnerability in gogo-protobuf used by client-go
10 participants