Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[mce-2.6] CVE-2024-6104: go-retryablehttp 0.7.7 #2349

Merged
merged 1 commit into from
Jul 11, 2024
Merged

[mce-2.6] CVE-2024-6104: go-retryablehttp 0.7.7 #2349

merged 1 commit into from
Jul 11, 2024

Conversation

openshift-cherrypick-robot
Copy link

This is an automated cherry-pick of #2345

/assign 2uasimojo

/cherrypick mce-2.5 mce-2.4 mce-2.3 mce-2.2

@2uasimojo
CVE-2024-6104: go-retryablehttp 0.7.7
48a52a1 
✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
  Description: Insertion of Sensitive Information into Log File
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
  Introduced through: github.com/IBM/go-sdk-core/v5/core@5.16.3, github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0, github.com/IBM/networking-go-sdk/zonesv1@0.45.0, github.com/IBM/vpc-go-sdk/vpcv1@0.50.0, github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0, github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0, github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0, github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65, github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
  From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
  and 25 more...
  Fixed in: 0.7.7

CVE-2024-6104
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jul 8, 2024
Merged
@openshift-ci-robot
Copy link

@openshift-cherrypick-robot: Ignoring requests to cherry-pick non-bug issues: CVE-2024

In response to this:

This is an automated cherry-pick of #2345

/assign 2uasimojo

/cherrypick mce-2.5 mce-2.4 mce-2.3 mce-2.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from 2uasimojo and jstuever July 8, 2024 20:55
@2uasimojo
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 8, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 8, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2024
@codecov Codecov
Copy link

codecov bot commented Jul 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.55%. Comparing base (d83161f) to head (48a52a1).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff            @@
##           mce-2.6    #2349   +/-   ##
========================================
  Coverage    58.55%   58.55%           
========================================
  Files          182      182           
  Lines        25829    25829           
========================================
  Hits         15124    15124           
  Misses        9429     9429           
  Partials      1276     1276

@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD d83161f and 2 for PR HEAD 48a52a1 in total

@2uasimojo
Copy link
Member

/test e2e-pool

@2uasimojo
Copy link
Member

/test e2e-pool

...now that openshift/release#54169 has landed.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 11, 2024

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 40a5b82 into openshift:mce-2.6 Jul 11, 2024
8 checks passed
@openshift-cherrypick-robot
Copy link
Author

@openshift-cherrypick-robot: #2349 failed to apply on top of branch "mce-2.5":

Applying: CVE-2024-6104: go-retryablehttp 0.7.7
Using index info to reconstruct a base tree...
M	go.mod
M	go.sum
A	vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md
A	vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS
M	vendor/github.com/hashicorp/go-retryablehttp/client.go
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
CONFLICT (content): Merge conflict in vendor/modules.txt
Auto-merging vendor/github.com/hashicorp/go-retryablehttp/client.go
CONFLICT (modify/delete): vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS deleted in HEAD and modified in CVE-2024-6104: go-retryablehttp 0.7.7. Version CVE-2024-6104: go-retryablehttp 0.7.7 of vendor/github.com/hashicorp/go-retryablehttp/CODEOWNERS left in tree.
CONFLICT (modify/delete): vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md deleted in HEAD and modified in CVE-2024-6104: go-retryablehttp 0.7.7. Version CVE-2024-6104: go-retryablehttp 0.7.7 of vendor/github.com/hashicorp/go-retryablehttp/CHANGELOG.md left in tree.
Auto-merging go.sum
CONFLICT (content): Merge conflict in go.sum
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 CVE-2024-6104: go-retryablehttp 0.7.7
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

This is an automated cherry-pick of #2345

/assign 2uasimojo

/cherrypick mce-2.5 mce-2.4 mce-2.3 mce-2.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@2uasimojo
Copy link
Member

@openshift-cherrypick-robot: #2349 failed to apply on top of branch "mce-2.5":

#2353

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@2uasimojo 2uasimojo Awaiting requested review from 2uasimojo

@jstuever jstuever Awaiting requested review from jstuever

Assignees

@2uasimojo 2uasimojo

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@openshift-cherrypick-robot @openshift-ci-robot @2uasimojo