-
Notifications
You must be signed in to change notification settings - Fork 502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tobiasb/CVE 2023 28155 reaper #5560
Closed
tobiasb-ms
wants to merge
25
commits into
microsoft:2.0
from
tobiasb-ms:tobiasb/CVE-2023-28155-reaper
Closed
Tobiasb/CVE 2023 28155 reaper #5560
tobiasb-ms
wants to merge
25
commits into
microsoft:2.0
from
tobiasb-ms:tobiasb/CVE-2023-28155-reaper
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
microsoft#5529) * Upgrade cloud-hypervisor to 31.1, kernel-mshv to 5-15-110, and kernel-uvm to 5-15-110 as part of LSG release v2305.11.1 * update manifest * install bzImage
Add rootfs partition name in gen2 market place image
* Update moby-containerd-cc to 1.7.1 to fix unit test TestSnapshotterFromPodSandboxConfig
* Add ldap support to sudo ALlow ldap to be used to configure sudo * Updated 1.8.15-4 of commit in change log rpmlint was failing as date and day did not match up, correcting day to pass rpmlint * Address PR commnts - Removing ldap path and defauting to default config path - Changing openldap to openldap-devel
* updating to v1.11.2 * Fixing bogus date warning * Removing patch for CVE-2023-25165 as it is patched in the upgrade * Removing patch for CVE-2023-25165 as it is patched in the upgrade * Updating prep section to work withouth patch * Fixing linting error
* Upgrade lua to 5.4.4 to fix CVE-2021-44964 * Update signature file manually * Update toolchain build scripts for lua * Remove patches that were already merged to lua-5.4.4 * Fix typo in changelog
Provide k8s-cni in cni-plugins --------- Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
* Fix CVE-2023-29194 by upgrading vitess to version 16.0.2 * Updage cgmanifest.json with correct version
* Update CVE-2022-37601.patch to fix multiple occurances loader-utils module is used by multiple other modules which reaper is depending upon. Instead of reusing already downloaded code, npm redownloades the same module at different subtree level of node_modules. So the same CVE has to be fixed in other two places as well. * Addressed review comments
tobiasb-ms
force-pushed
the
tobiasb/CVE-2023-28155-reaper
branch
from
May 24, 2023 20:17
c28f407
to
35d2f6a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DRAFT--IGNORE
Merge Checklist
*-static
subpackages, etc.) have had theirRelease
tag incremented../cgmanifest.json
,./toolkit/scripts/toolchain/cgmanifest.json
,.github/workflows/cgmanifest.json
)./SPECS/LICENSES-AND-NOTICES/data/licenses.json
,./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
,./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON
)*.signatures.json
filessudo make go-tidy-all
andsudo make go-test-coverage
passSummary
Patch reaper to fix CVE-2023-28155, which is a vulnerability in the
request
npm module, upon whichreaper
depends. This is somewhat complicated by the fact thatrequest
has been deprecated and is no longer taking updates. The patch is actually adapted from a pull request that was never and will never be merged.Change Log
Patch CVE-2023-28155
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology
compile
stage ofrpmbuild
.