
OCPBUGS-21584: UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1757

Merged (3 commits, Oct 13, 2023)

Conversation

@ncdc commented Oct 11, 2023

/kind bug

What this PR does / why we need it:

Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Address CVE-2023-44487 and CVE-2023-39325 for all components that serve HTTP/2.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@ncdc ncdc requested review from soltysh and deads2k October 11, 2023 15:50
@openshift-ci-robot openshift-ci-robot added the backports/validated-commits Indicates that all commits come to merged upstream PRs. label Oct 11, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 11, 2023
@openshift-ci openshift-ci bot requested a review from mfojtik October 11, 2023 15:56
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Oct 11, 2023
@ncdc ncdc changed the title UPSTREAM: 121117: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 Oct 11, 2023
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Oct 11, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci-robot openshift-ci-robot removed the backports/validated-commits Indicates that all commits come to merged upstream PRs. label Oct 11, 2023
@ncdc (Author) commented Oct 11, 2023

/retest

@@ -38,16 +37,7 @@ require (
)

replace (
github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.47.3-openshift-4.15-1
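Review bot: the hunk header `@@ -38,16 +37,7 @@ require (` shows this region of go.mod shrinking by nine lines, but only the closing `)`, `replace (` and the `github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.47.3-openshift-4.15-1` pin are visible as context, so the removed lines cannot be reviewed from this rendering. A bump whose purpose is to raise golang.org/x/net should not delete require or replace entries; diff the removed lines against the upstream go.mod before merging, since any replace directive dropped here changes which module version actually gets vendored, and confirm the repo's verify job passes on the result.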
This shouldn't have happened. I'm going to try to pull locally and see if I get a different result.

@deads2k commented Oct 11, 2023

the go.mod doesn't look quite right here. See if #1763 looks closer to the upstream and passes verify.
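As an added example of the check behind "passes verify" (this is not the PR's or the project's own code): a small Go program that reads go.mod text and reports which golang.org/x/net version the build actually gets once replace directives are applied, then compares it with the v0.17.0 this PR bumps to. Looking only at the require line is not enough, because a replace directive elsewhere in the file, like the block in the hunk above, can silently pin a module back. The go.mod fragments inside are constructed for the example, the fork path github.com/example/net-fork is hypothetical, and the `old vOld => new` replace qualifier is deliberately left unhandled.

```go
package main

import (
	"strconv"
	"strings"
)

const FixedModule, FixedVersion = "golang.org/x/net", "v0.17.0" // release this PR bumps to

// ModuleVersion is what the build actually uses once replace directives apply.
type ModuleVersion struct {
	Path     string // path in effect; differs from the require path when replaced
	Version  string // empty for a directory replacement (=> ../local/path)
	Replaced bool
}

// EffectiveVersion scans go.mod text and returns the effective version of module: its
// require line unless a replace overrides it. Single-line and block forms are handled.
func EffectiveVersion(goMod, module string) (ModuleVersion, bool) {
	var required, block string
	var replaced *ModuleVersion
	for _, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(strings.TrimSpace(raw), "//") // drop "// indirect" etc.
		args := strings.Fields(line)
		switch {
		case len(args) == 0:
			continue
		case block == "" && len(args) == 2 && args[1] == "(": // "require (" / "replace ("
			block = args[0]
			continue
		case block != "" && args[0] == ")":
			block = ""
			continue
		}
		directive := block
		if block == "" {
			directive, args = args[0], args[1:]
		}
		switch {
		case directive == "require" && len(args) >= 2 && args[0] == module:
			required = args[1]
		case directive == "replace" && len(args) >= 3 && args[0] == module && args[1] == "=>":
			rv := ModuleVersion{Path: args[2], Replaced: true}
			if len(args) > 3 {
				rv.Version = args[3]
			}
			replaced = &rv
		}
	}
	if replaced != nil {
		return *replaced, required != ""
	}
	return ModuleVersion{Path: module, Version: required}, required != ""
}

// AtLeast reports whether semver v >= min; a pre-release or pseudo-version
// (v0.17.0-0.2023...) ranks below the plain release with the same numbers.
func AtLeast(v, min string) bool {
	a, aPre := parseSemver(v)
	b, bPre := parseSemver(min)
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return aPre == "" || (bPre != "" && aPre >= bPre)
}

func parseSemver(v string) (core [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	v, pre, _ = strings.Cut(v, "-")                         // split off pre-release
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// CheckFix: does this go.mod really build against golang.org/x/net >= v0.17.0? A
// replacement pointing at another path or a directory cannot be judged by version
// number alone, so it is reported as not verified (false).
func CheckFix(goMod string) (ModuleVersion, bool) {
	mv, found := EffectiveVersion(goMod, FixedModule)
	if !found || (mv.Replaced && (mv.Path != FixedModule || mv.Version == "")) {
		return mv, false
	}
	return mv, AtLeast(mv.Version, FixedVersion)
}

// Constructed go.mod fragments, not the real file. SampleGoMod is shaped like the PR's
// (bumped x/net plus a replace block for an unrelated module); PinnedGoMod adds a
// replace that silently pins x/net back to a hypothetical fork.
const SampleGoMod = `module k8s.io/kubernetes
require (
	github.com/google/cadvisor v0.47.3
	golang.org/x/net v0.17.0 // indirect
)
replace (
	github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.47.3-openshift-4.15-1
)
`

const PinnedGoMod = SampleGoMod + "replace golang.org/x/net => github.com/example/net-fork v0.15.0\n"
```

CheckFix(SampleGoMod) reports v0.17.0 as verified; CheckFix(PinnedGoMod) reports the fork and false, which is the case a require-line-only review misses. On a real tree the same question is answered by `go list -m golang.org/x/net` in the module root, which applies replace directives for you, and by checking that vendor/modules.txt agrees with go.mod.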

@mfojtik (Member) commented Oct 12, 2023

/retest

Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@openshift-ci-robot openshift-ci-robot added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Oct 12, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@ncdc (Author) commented Oct 12, 2023

/retest

1 similar comment
@ncdc (Author) commented Oct 12, 2023

/retest

This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
golang/net@b225e7c
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 238d89c)
…http1 tests

These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 9fa4bdf)
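The mitigation described in the commit message above, as an added example in plain net/http (this is not the Kubernetes apiserver code or this PR's diff): an authentication filter that sets `Connection: close` on responses to unauthenticated HTTP/2 clients, either a 401 or the anonymous user, and leaves authenticated users and HTTP/1.1 requests alone; the gateEnabled flag plays the role of the UnauthenticatedHTTP2DOSMitigation feature gate. Go's HTTP/2 server reacts to a `Connection: close` response header by sending GOAWAY and closing the connection once it is idle, which is what degrades such clients to HTTP/2 with the connection economics of HTTP/1 without keep-alive. The Authenticator type, the bearer-token table, NewHandler and the Probe helper are assumptions of this example; `system:anonymous` is the real anonymous user name.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AnonymousUser is the name the API server gives requests that carry no
// credentials when anonymous access is allowed.
const AnonymousUser = "system:anonymous"

// Authenticator stands in for the apiserver's authentication chain (an assumption
// of this example). ok=false with err=nil means no credential was presented;
// err != nil means one was presented and rejected, which becomes a 401.
type Authenticator func(r *http.Request) (user string, ok bool, err error)

// CloseHTTP2Connection is the decision in the commit message: gate on, request
// over HTTP/2, client unauthenticated (401 or anonymous) => "Connection: close".
func CloseHTTP2Connection(gateEnabled bool, r *http.Request, unauthenticated bool) bool {
	return gateEnabled && r.ProtoMajor == 2 && unauthenticated
}

// WithUnauthenticatedHTTP2DOSMitigation wraps next with the authentication step
// and the mitigation. Authenticated users are never affected.
func WithUnauthenticatedHTTP2DOSMitigation(next http.Handler, auth Authenticator, allowAnonymous, gateEnabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok, err := auth(r)
		switch {
		case err != nil, !ok && !allowAnonymous:
			// Rejected credential, or no credential and no anonymous access: 401,
			// and for HTTP/2 the connection is not allowed to stay open.
			if CloseHTTP2Connection(gateEnabled, r, true) {
				w.Header().Set("Connection", "close")
			}
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.WriteHeader(http.StatusUnauthorized)
			io.WriteString(w, "Unauthorized\n")
			return
		case !ok:
			user = AnonymousUser
		}
		if CloseHTTP2Connection(gateEnabled, r, user == AnonymousUser) {
			w.Header().Set("Connection", "close")
		}
		next.ServeHTTP(w, r)
	})
}

// bearerTokens is a constructed token table; a real authenticator would verify
// the token with its issuer instead.
var bearerTokens = map[string]string{"tok-alice": "alice"}

func TokenAuthenticator(r *http.Request) (string, bool, error) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", false, nil // nothing presented
	}
	if user, known := bearerTokens[strings.TrimPrefix(h, "Bearer ")]; known {
		return user, true, nil
	}
	return "", false, fmt.Errorf("invalid bearer token")
}

// NewHandler builds the filter around a trivial "ok" backend.
func NewHandler(allowAnonymous, gateEnabled bool) http.Handler {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "ok\n") })
	return WithUnauthenticatedHTTP2DOSMitigation(backend, TokenAuthenticator, allowAnonymous, gateEnabled)
}

// Probe runs one in-memory request through h and returns the status code and the
// Connection header; protoMajor=2 marks the request as having arrived over HTTP/2,
// which is the only protocol property the filter looks at.
func Probe(h http.Handler, protoMajor int, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces", nil)
	if protoMajor == 2 {
		req.Proto, req.ProtoMajor, req.ProtoMinor = "HTTP/2.0", 2, 0
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Connection")
}

func main() {
	h := NewHandler(true, true)
	for _, c := range []struct {
		proto int
		token string
	}{{2, "tok-alice"}, {2, ""}, {2, "bogus"}, {1, ""}} {
		code, conn := Probe(h, c.proto, c.token)
		fmt.Printf("HTTP/%d token=%q -> %d Connection=%q\n", c.proto, c.token, code, conn)
	}
}
```

Probe only checks the response header; whether the TCP connection really goes away is the HTTP/2 server's job, which is why the upstream test counts TCP connections (and, per the commit above, occasionally flakes on the HTTP/1.1 variant). The lower stream limit the commit mentions is configured separately, with golang.org/x/net/http2's `http2.ConfigureServer(srv, &http2.Server{MaxConcurrentStreams: 100})`; the filter does not touch it.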
@openshift-ci-robot

@ncdc: the contents of this pull request could be automatically validated.

The following commits are valid:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@deads2k commented Oct 13, 2023

/lgtm
/approve

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 13, 2023
@tkashem commented Oct 13, 2023

/lgtm
/approve

openshift-ci bot commented Oct 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, ncdc, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@soltysh (Member) commented Oct 13, 2023

/override ci/prow/unit
this is being tracked elsewhere, and the failures are not related to this change

openshift-ci bot commented Oct 13, 2023

@soltysh: Overrode contexts on behalf of soltysh: ci/prow/unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 270de19 and 2 for PR HEAD 9a9476a in total

@ncdc (Author) commented Oct 13, 2023

e2e-gcp transient failure - error building rpms

[ERROR] openshift-hack/build-rpms.sh:34: `OS_RPM_NAME="$( rpmspec -q --qf '%{name}\n' "${OS_RPM_SPECFILE}" | head -1 )"` exited with status 141.

/test e2e-gcp

@ncdc (Author) commented Oct 13, 2023

e2e-gcp-ovn-upgrade has multiple failures

[sig-network] pods should successfully create sandboxes by other

Run #0: Failed (0s)
{ 3 failures to create the sandbox
  ns/openshift-multus pod/network-metrics-daemon-k97fg node/ci-op-z5yhgz1c-194fd-pw79k-worker-b-5xhpq - never deleted - reason/FailedCreatePodSandBox Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_network-metrics-daemon-k97fg_openshift-multus_ef9d954d-2f81-44e9-a222-c7e4e7320643_0(f112d4b6f0696fa9a37599d67c387e5fc11557d2954bc698fcc0eb5b22358f7d): No CNI configuration file in /etc/kubernetes/cni/net.d/. Has your network provider started?
  ns/openshift-multus pod/network-metrics-daemon-mwqvs node/ci-op-z5yhgz1c-194fd-pw79k-worker-c-4vkfb - never deleted - network rollout - reason/FailedCreatePodSandBox Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_network-metrics-daemon-mwqvs_openshift-multus_2859d2cb-f7b5-4ff2-a748-81bc2a4878a7_0(ae01db5fcaf412a31cc7ad2660eedfa704ead0e3c20ef7819dff3c6473415c5c): No CNI configuration file in /etc/kubernetes/cni/net.d/. Has your network provider started?
  ns/openshift-multus pod/network-metrics-daemon-mwqvs node/ci-op-z5yhgz1c-194fd-pw79k-worker-c-4vkfb - never deleted - network rollout - reason/FailedCreatePodSandBox Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_network-metrics-daemon-mwqvs_openshift-multus_2859d2cb-f7b5-4ff2-a748-81bc2a4878a7_0(bb0d3fda9f152f0d9fd20f9f606b83b95c346626763c0bcde360cb3d4bf5104d): No CNI configuration file in /etc/kubernetes/cni/net.d/. Has your network provider started?
}

[sig-node] nodes should not go unready after being upgraded and go unready only once

Failed (0s)
{ 1 nodes violated upgrade expectations:
  Node ci-op-z5yhgz1c-194fd-pw79k-master-2 went unready multiple times: 2023-10-13T15:03:47Z, 2023-10-13T15:23:43Z
  Node ci-op-z5yhgz1c-194fd-pw79k-master-2 went ready multiple times: 2023-10-13T15:03:57Z, 2023-10-13T15:25:38Z
}

@ncdc (Author) commented Oct 13, 2023

/test e2e-gcp-ovn-upgrade

@ncdc (Author) commented Oct 13, 2023

aws-ovn-serial failed due to quay outage
/test e2e-aws-ovn-serial

@deads2k commented Oct 13, 2023

/override ci/prow/e2e-gcp-ovn-upgrade

multiple observations

  1. for TRT, the first unreadiness of master-2 is not listed on the timeline (15:03)
  2. for networking, micro (already ovn-ic) upgrade had a networking outage for the master-2 host during the networking upgrade state. This rippled into master-2 going ready=false, which impacts pod scheduling
  3. for networking or TRT (networking preferred), let's get the pod sandbox creation failures posted to the timeline for future debugging
    upshot for your PR: passed enough

openshift-ci bot commented Oct 13, 2023

@deads2k: Overrode contexts on behalf of deads2k: ci/prow/e2e-gcp-ovn-upgrade


@ncdc ncdc changed the title UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 OCPBUGS-21584: UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 Oct 13, 2023
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Oct 13, 2023
@openshift-ci-robot

@ncdc: This pull request references Jira Issue OCPBUGS-21584, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.15.0) matches configured target version for branch (4.15.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci openshift-ci bot requested a review from wangke19 October 13, 2023 19:10
openshift-ci bot commented Oct 13, 2023

@ncdc: all tests passed!

Full PR test history. Your PR dashboard.


@openshift-ci openshift-ci bot merged commit 481304a into openshift:master Oct 13, 2023
20 checks passed
@openshift-ci-robot

@ncdc: Jira Issue OCPBUGS-21584: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-21584 has been moved to the MODIFIED state.


@openshift-merge-robot

Fix included in accepted release 4.15.0-0.nightly-2023-10-17-065657

@dgrisonnet (Member) commented Oct 20, 2023

@ncdc @deads2k we might have problems carrying the changes made in d9d763d since it wasn't marked as a <carry> in the commit.

@ncdc (Author) commented Oct 20, 2023

@dgrisonnet it's marked UPSTREAM

@dgrisonnet (Member) commented
Yes but the part where we change UnauthenticatedHTTP2DOSMitigation to be default=true, should be a separate commit with UPSTREAM to make it easier to distinguish from the initial upstream commit.

@ncdc (Author) commented Oct 20, 2023

It is separate. The commit that changes the default to false was intentionally not cherry-picked, so we end up with the default of true. But I see your point. I guess a better approach would have been to pick the commit, then revert it with a <carry>.

@dgrisonnet (Member) commented Oct 20, 2023

Yeah we could've done it that way. When I made the patch in our k8s.io/apiserver fork, I treated both commits as one PR and squashed them together under UPSTREAM: 121120 and then added a <carry> patch: openshift/kubernetes-apiserver#46
