Skip to content

Fix CVE-2023-47108 by backporting the fix from newer version of otel grpc#6840

Merged
PawelWMS merged 5 commits intofasttrack/2.0from
bala/cve-2023-47108-moby-containerd-cc
Dec 5, 2023
Merged

Fix CVE-2023-47108 by backporting the fix from newer version of otel grpc#6840
PawelWMS merged 5 commits intofasttrack/2.0from
bala/cve-2023-47108-moby-containerd-cc

Conversation

@0xba1a
Copy link
Copy Markdown
Member

@0xba1a 0xba1a commented Nov 23, 2023

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Fix CVE-2023-47108 by upgrading otel-grpc version to 0.46.0 in go.mod

Change Log
  • Fix CVE-2023-47108 by upgrading otel-grpc version to 0.46.0 in go.mod
Does this affect the toolchain?

NO

Associated issues
Links to CVEs
Test Methodology
  • Local build

@0xba1a 0xba1a requested a review from a team as a code owner November 23, 2023 16:09
jslobodzian
jslobodzian reviewed Nov 27, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jslobodzian jslobodzian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like vendored code. Was that upgraded too?

PawelWMS
PawelWMS reviewed Nov 27, 2023
View reviewed changes
Comment thread SPECS/moby-containerd-cc/CVE-2023-47108.patch Outdated
PawelWMS
PawelWMS approved these changes Dec 1, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@PawelWMS PawelWMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. And the failing test is for mysql, which was triggered by the changes from #6857, not this PR, so I think we're fine. I can override the PR check for you - just ping me.

@0xba1a 0xba1a changed the title Fix CVE-2023-47108 by upgrading otelgrpc version to 0.46.0 in go.mod Fix CVE-2023-47108 by backporting the fix from newer version of otel grpc Dec 4, 2023
@PawelWMS PawelWMS merged commit 8208548 into fasttrack/2.0 Dec 5, 2023
@PawelWMS PawelWMS deleted the bala/cve-2023-47108-moby-containerd-cc branch December 5, 2023 21:23
CBL-Mariner-Bot pushed a commit that referenced this pull request Dec 5, 2023
@0xba1a @CBL-Mariner-Bot
Fix CVE-2023-47108 by backporting the fix from newer version of otel …
9b09b2f 
…grpc (#6840)

(cherry picked from commit 8208548)
@CBL-Mariner-Bot CBL-Mariner-Bot mentioned this pull request Dec 5, 2023
Merged
@CBL-Mariner-Bot
Copy link
Copy Markdown
Collaborator

CBL-Mariner-Bot commented Dec 5, 2023

Auto cherry-pick results:

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=463762&view=results

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jslobodzian jslobodzian jslobodzian left review comments

@PawelWMS PawelWMS PawelWMS approved these changes

@hbeberman hbeberman hbeberman approved these changes

@dallasd1 dallasd1 dallasd1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@0xba1a @CBL-Mariner-Bot @jslobodzian @PawelWMS @hbeberman @dallasd1