Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CM-218: [CVE-2023-44487,CVE-2023-39325] Go mod: update golang.org/x/net@v0.17.0 #153

Merged
merged 1 commit into from
Oct 17, 2023
Merged

CM-218: [CVE-2023-44487,CVE-2023-39325] Go mod: update golang.org/x/net@v0.17.0 #153

merged 1 commit into from
Oct 17, 2023

Conversation

swghosh
Copy link
Member

@swghosh swghosh commented Oct 17, 2023

Fixes CVE-2023-44487 by:

$ go get golang.org/x/net@v0.17.0
go: upgraded golang.org/x/crypto v0.11.0 => v0.14.0
go: upgraded golang.org/x/net v0.12.0 => v0.17.0
go: upgraded golang.org/x/sys v0.10.0 => v0.13.0
go: upgraded golang.org/x/term v0.10.0 => v0.13.0
go: upgraded golang.org/x/text v0.11.0 => v0.13.0

$ go mod tidy

$ go mod vendor

@swghosh
Go mod: update golang.org/x/net@v0.17.0
f9e82af 
Fixes CVE-2023-44487

Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 17, 2023
edited by openshift-ci bot

@swghosh: This pull request references CM-218 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.15.0" version, but no target version was set.

In response to this:

Fixes CVE-2023-44487 by:

$ go get golang.org/x/net@v0.17.0
go: upgraded golang.org/x/crypto v0.11.0 => v0.14.0
go: upgraded golang.org/x/net v0.12.0 => v0.17.0
go: upgraded golang.org/x/sys v0.10.0 => v0.13.0
go: upgraded golang.org/x/term v0.10.0 => v0.13.0
go: upgraded golang.org/x/text v0.11.0 => v0.13.0

$ go mod tidy

$ go mod vendor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 17, 2023
@swghosh swghosh changed the title CM-218: Go mod: update golang.org/x/net@v0.17.0 CM-218: [CVE-2023-4487] Go mod: update golang.org/x/net@v0.17.0 Oct 17, 2023
@swghosh swghosh changed the title CM-218: [CVE-2023-4487] Go mod: update golang.org/x/net@v0.17.0 CM-218: [CVE-2023-44487,CVE-2023-39325] Go mod: update golang.org/x/net@v0.17.0 Oct 17, 2023
@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/test e2e-operator

@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/cc @xingxingxia @lunarwhite
for qe-approved label
[we'll backport this change to 1.12, 1.11 also]

lunarwhite
lunarwhite reviewed Oct 17, 2023
View reviewed changes
Copy link
Member

@lunarwhite lunarwhite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Oct 17, 2023
@openshift-ci-robot
Copy link

openshift-ci-robot commented Oct 17, 2023
edited by openshift-ci bot

@swghosh: This pull request references CM-218 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.15.0" version, but no target version was set.

In response to this:

Fixes CVE-2023-44487 by:

$ go get golang.org/x/net@v0.17.0
go: upgraded golang.org/x/crypto v0.11.0 => v0.14.0
go: upgraded golang.org/x/net v0.12.0 => v0.17.0
go: upgraded golang.org/x/sys v0.10.0 => v0.13.0
go: upgraded golang.org/x/term v0.10.0 => v0.13.0
go: upgraded golang.org/x/text v0.11.0 => v0.13.0

$ go mod tidy

$ go mod vendor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/label docs-approved
self-adding docs-approved label as I've already added doc requirement labels to https://issues.redhat.com/browse/CM-180 and https://issues.redhat.com/browse/CM-224

@openshift-ci openshift-ci bot added the docs-approved Signifies that Docs has signed off on this PR label Oct 17, 2023
@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/cc @thejasn
waiting for CI to turn green (e2e had failed once due to an unrelated CI issue)

@openshift-ci openshift-ci bot requested a review from thejasn October 17, 2023 11:06
@thejasn
Copy link
Contributor

thejasn commented Oct 17, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 17, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: swghosh, thejasn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 17, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 17, 2023

@swghosh: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/label px-approved
Security fix forms part of our lifecycle.

@openshift-ci openshift-ci bot added the px-approved Signifies that Product Support has signed off on this PR label Oct 17, 2023
@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/cherry-pick cert-manager-1.12

@openshift-cherrypick-robot
Copy link

@swghosh: once the present PR merges, I will cherry-pick it on top of cert-manager-1.12 in a new PR and assign it to you.

In response to this:

/cherry-pick cert-manager-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@swghosh
Copy link
Member Author

swghosh commented Oct 17, 2023

/cherry-pick cert-manager-1.11

@openshift-cherrypick-robot
Copy link

@swghosh: once the present PR merges, I will cherry-pick it on top of cert-manager-1.11 in a new PR and assign it to you.

In response to this:

/cherry-pick cert-manager-1.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot merged commit 6959170 into openshift:master Oct 17, 2023
7 checks passed
@openshift-cherrypick-robot
Copy link

@swghosh: #153 failed to apply on top of branch "cert-manager-1.11":

Applying: Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
M	vendor/golang.org/x/crypto/cryptobyte/builder.go
A	vendor/golang.org/x/net/html/render.go
M	vendor/golang.org/x/net/http2/server.go
M	vendor/golang.org/x/net/http2/transport.go
M	vendor/golang.org/x/sys/cpu/hwcap_linux.go
M	vendor/golang.org/x/sys/unix/mkerrors.sh
A	vendor/golang.org/x/sys/unix/mremap.go
M	vendor/golang.org/x/sys/unix/ptrace_darwin.go
M	vendor/golang.org/x/sys/unix/ptrace_ios.go
M	vendor/golang.org/x/sys/unix/syscall_aix.go
M	vendor/golang.org/x/sys/unix/syscall_bsd.go
M	vendor/golang.org/x/sys/unix/syscall_darwin.go
M	vendor/golang.org/x/sys/unix/syscall_darwin_amd64.go
M	vendor/golang.org/x/sys/unix/syscall_darwin_arm64.go
M	vendor/golang.org/x/sys/unix/syscall_dragonfly.go
M	vendor/golang.org/x/sys/unix/syscall_freebsd.go
M	vendor/golang.org/x/sys/unix/syscall_linux.go
M	vendor/golang.org/x/sys/unix/syscall_linux_amd64.go
M	vendor/golang.org/x/sys/unix/syscall_linux_arm64.go
M	vendor/golang.org/x/sys/unix/syscall_linux_loong64.go
M	vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go
M	vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go
M	vendor/golang.org/x/sys/unix/syscall_netbsd.go
M	vendor/golang.org/x/sys/unix/syscall_openbsd.go
M	vendor/golang.org/x/sys/unix/syscall_solaris.go
M	vendor/golang.org/x/sys/unix/syscall_unix.go
M	vendor/golang.org/x/sys/unix/syscall_zos_s390x.go
M	vendor/golang.org/x/sys/unix/zerrors_linux.go
M	vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
M	vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
M	vendor/golang.org/x/sys/unix/zsyscall_aix_ppc.go
M	vendor/golang.org/x/sys/unix/zsyscall_aix_ppc64.go
M	vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
M	vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
M	vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
M	vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go
M	vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go
M	vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go
M	vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go
M	vendor/golang.org/x/sys/unix/zsyscall_linux.go
M	vendor/golang.org/x/sys/unix/zsyscall_linux_riscv64.go
M	vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go
M	vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go
M	vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
M	vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
M	vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
M	vendor/golang.org/x/sys/unix/zsyscall_zos_s390x.go
M	vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
M	vendor/golang.org/x/sys/unix/ztypes_linux.go
M	vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
M	vendor/golang.org/x/sys/windows/exec_windows.go
M	vendor/golang.org/x/sys/windows/syscall_windows.go
M	vendor/golang.org/x/sys/windows/types_windows.go
M	vendor/golang.org/x/sys/windows/zsyscall_windows.go
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Auto-merging vendor/golang.org/x/sys/windows/zsyscall_windows.go
Auto-merging vendor/golang.org/x/sys/windows/types_windows.go
Auto-merging vendor/golang.org/x/sys/windows/syscall_windows.go
Auto-merging vendor/golang.org/x/sys/windows/exec_windows.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/windows/exec_windows.go
Auto-merging vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/ztypes_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/ztypes_linux.go
Auto-merging vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_zos_s390x.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_netbsd_arm.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_netbsd_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_netbsd_386.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_linux_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_linux.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_freebsd_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_freebsd_arm.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_freebsd_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_freebsd_386.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_aix_ppc64.go
Auto-merging vendor/golang.org/x/sys/unix/zsyscall_aix_ppc.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/zerrors_linux.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_zos_s390x.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_unix.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_solaris.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_openbsd.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/syscall_openbsd.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_netbsd.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/syscall_netbsd.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux_loong64.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux_arm64.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux_amd64.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/syscall_linux.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_freebsd.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_dragonfly.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_darwin.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/unix/syscall_darwin.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_bsd.go
Auto-merging vendor/golang.org/x/sys/unix/syscall_aix.go
CONFLICT (modify/delete): vendor/golang.org/x/sys/unix/mremap.go deleted in HEAD and modified in Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487. Version Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487 of vendor/golang.org/x/sys/unix/mremap.go left in tree.
Auto-merging vendor/golang.org/x/sys/unix/mkerrors.sh
Removing vendor/golang.org/x/sys/internal/unsafeheader/unsafeheader.go
Auto-merging vendor/golang.org/x/sys/cpu/hwcap_linux.go
CONFLICT (content): Merge conflict in vendor/golang.org/x/sys/cpu/hwcap_linux.go
Auto-merging vendor/golang.org/x/net/http2/transport.go
Auto-merging vendor/golang.org/x/net/http2/server.go
Removing vendor/golang.org/x/net/http2/Makefile
Removing vendor/golang.org/x/net/http2/Dockerfile
CONFLICT (modify/delete): vendor/golang.org/x/net/html/render.go deleted in HEAD and modified in Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487. Version Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487 of vendor/golang.org/x/net/html/render.go left in tree.
Auto-merging vendor/golang.org/x/crypto/cryptobyte/builder.go
Auto-merging go.sum
CONFLICT (content): Merge conflict in go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Go mod: update golang.org/x/net@v0.17.0 Fixes CVE-2023-44487
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick cert-manager-1.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Oct 17, 2023
Merged
@openshift-cherrypick-robot
Copy link

@swghosh: new pull request created: #154

In response to this:

/cherry-pick cert-manager-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@swghosh swghosh mentioned this pull request Oct 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunarwhite lunarwhite lunarwhite left review comments

@s-urbaniak s-urbaniak Awaiting requested review from s-urbaniak

@TrilokGeer TrilokGeer Awaiting requested review from TrilokGeer

@xingxingxia xingxingxia Awaiting requested review from xingxingxia

@thejasn thejasn Awaiting requested review from thejasn

Assignees

@thejasn thejasn

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. docs-approved Signifies that Docs has signed off on this PR jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. px-approved Signifies that Product Support has signed off on this PR qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@swghosh @openshift-ci-robot @thejasn @openshift-cherrypick-robot @lunarwhite