Bug 1856130: [release-4.5] bump golang.org/x/text/encoding to v0.3.3 #714

aojea · 2020-07-16T15:11:33Z

CVE-2020-14040 golang.org/x/text: possibility to trigger an
infinite loop in encoding/unicode could lead to crash.

Upgrade to golang.org/x/text/encoding to v0.3.3

Signed-off-by: Antonio Ojea aojea@redhat.com

CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash. Upgrade to golang.org/x/text/encoding to v0.3.3 Signed-off-by: Antonio Ojea <aojea@redhat.com>

openshift-ci-robot · 2020-07-16T15:11:35Z

@aojea: This pull request references Bugzilla bug 1856130, which is invalid:

expected the bug to target the "4.5.z" release, but it targets "4.6.0" instead
expected Bugzilla bug 1856130 to depend on a bug targeting a release in 4.6.0, 4.6.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1856130: [release-4.5] bump golang.org/x/text/encoding to v0.3.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

aojea · 2020-07-17T08:56:15Z

/assign @rcarrillocruz @alexanderConstantinescu
/bugzilla refresh

openshift-ci-robot · 2020-07-17T08:56:17Z

@aojea: This pull request references Bugzilla bug 1856130, which is invalid:

expected the bug to target the "4.5.z" release, but it targets "4.6.0" instead
expected Bugzilla bug 1856130 to depend on a bug targeting a release in 4.6.0, 4.6.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/assign @rcarrillocruz @alexanderConstantinescu
/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

aojea · 2020-07-17T08:56:25Z

/retest

aojea · 2020-07-17T09:24:08Z

/bugzilla refresh

openshift-ci-robot · 2020-07-17T09:24:10Z

@aojea: This pull request references Bugzilla bug 1856130, which is invalid:

expected Bugzilla bug 1856130 to depend on a bug targeting a release in 4.6.0, 4.6.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

alexanderConstantinescu · 2020-07-20T05:59:07Z

/lgtm

alexanderConstantinescu · 2020-07-20T06:01:48Z

Just FMI (for my information...): I didn't see a master PR with this patch, do you have one @aojea ?

aojea · 2020-07-20T07:34:42Z

Just FMI (for my information...): I didn't see a master PR with this patch, do you have one @aojea ?

Master is not affected @alexanderConstantinescu

The fix is in golang.org/x/text v0.3.3,

master is not affected since already vendor that version

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3
4.7 ok

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3
4.6 ok

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3

4.5 and lower needs to upgrade the module to the v0.3.3 version

alexanderConstantinescu · 2020-07-20T07:42:22Z

Just FMI (for my information...): I didn't see a master PR with this patch, do you have one @aojea ?

Master is not affected @alexanderConstantinescu

The fix is in golang.org/x/text v0.3.3,

master is not affected since already vendor that version

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3

4.7 ok

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3

4.6 ok

cluster-network-operator/vendor/modules.txt

Line 224 in e907dc5

# golang.org/x/text v0.3.3

4.5 and lower needs to upgrade the module to the v0.3.3 version

ACK, thanks for clarifying. We might need a "dummy bug" in that case that targets 4.6, so that this PR can go in.

aojea · 2020-07-20T14:03:02Z

/cherry-pick release-4.4

openshift-cherrypick-robot · 2020-07-20T14:03:05Z

@aojea: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

aojea · 2020-07-20T14:12:29Z

/bugzilla refresh

openshift-ci-robot · 2020-07-20T14:12:31Z

@aojea: This pull request references Bugzilla bug 1856130, which is invalid:

expected dependent Bugzilla bug 1858837 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ASSIGNED instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2020-07-21T01:00:40Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci-robot · 2020-07-21T01:00:42Z

@openshift-bot: This pull request references Bugzilla bug 1856130, which is invalid:

expected dependent Bugzilla bug 1858837 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2020-07-22T01:01:00Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci-robot · 2020-07-22T01:01:02Z

@openshift-bot: Bugzilla bug 1856130 is in a bug group that is not in the allowed groups for this repo. There are no allowed bug groups configured for this repo.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2020-07-23T01:01:17Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-ci-robot · 2020-07-23T01:01:19Z

@openshift-bot: Bugzilla bug 1856130 is in a bug group that is not in the allowed groups for this repo. There are no allowed bug groups configured for this repo.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knobunc · 2020-07-23T16:04:20Z

@aojea the bot will be fixed when openshift/release#10440 merges.

openshift-bot · 2020-07-24T01:00:34Z

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

openshift-bot · 2020-08-15T12:50:27Z

/retest