Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vulnerability fixes #37

Closed
wants to merge 1 commit into from
Closed

vulnerability fixes #37

wants to merge 1 commit into from

Conversation

spolti
Copy link
Member

@spolti spolti commented Nov 23, 2023

chore: This commit fixes the following CVEs:

  • CVE-2023-37788: github.com/elazarl/goproxy Denial of Service (DoS)
  • CVE-2022-1996: github.com/emicklei/go-restful Authorization Bypass Through User-Controlled Key
  • CWE-285: github.com/emicklei/go-restful Authorization Bypass
  • CWE-400: github.com/prometheus/client_golang Denial of Service (DoS)

Motivation

Modifications

Result

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Nov 23, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spolti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@spolti spolti mentioned this pull request Nov 23, 2023
Closed
8 tasks
@spolti
Copy link
Member Author

spolti commented Nov 24, 2023

/hold
depends on #38

@spolti
vulnerability fixes
efac38d 
chore: This commit fixes the following CVEs:
- [CVE-2023-37788](https://www.cve.org/CVERecord?id=CVE-2023-37788):  github.com/elazarl/goproxy Denial of Service (DoS)
- [CVE-2022-1996](https://www.cve.org/CVERecord?id=CVE-2022-1996): github.com/emicklei/go-restful Authorization Bypass Through User-Controlled Key
- [CWE-285](https://cwe.mitre.org/data/definitions/285.html): github.com/emicklei/go-restful Authorization Bypass
- [CWE-400](https://cwe.mitre.org/data/definitions/400.html): github.com/prometheus/client_golang Denial of Service (DoS)

Signed-off-by: Spolti <fspolti@redhat.com>
@spolti
Copy link
Member Author

spolti commented Nov 24, 2023

/unhold

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Nov 24, 2023

@spolti: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/pr-image-mirror efac38d link true /test pr-image-mirror
ci/prow/images efac38d link true /test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@Jooho
Copy link

Jooho commented Nov 27, 2023

@spolti it failed ci,could you please take a look at this?

@spolti spolti linked an issue Nov 27, 2023 that may be closed by this pull request
Address High vulnerabilities in Modelmesh-runtime-adapter SNYK reports opendatahub-io/modelmesh-serving#256
Closed
1 task
@spolti
Copy link
Member Author

spolti commented Dec 5, 2023

@Jooho I'll close this and sync with community when this is merged kserve#76

@spolti
Copy link
Member Author

spolti commented Dec 5, 2023

replaced by: kserve#76

@spolti spolti closed this Dec 5, 2023
@spolti spolti deleted the cve branch December 5, 2023 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@israel-hdez israel-hdez Awaiting requested review from israel-hdez

@heyselbi heyselbi Awaiting requested review from heyselbi

@Jooho Jooho Awaiting requested review from Jooho

Assignees
No one assigned
Labels
approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Address High vulnerabilities in Modelmesh-runtime-adapter SNYK reports
2 participants
@spolti @Jooho