Bug 1844990: Bump GoLang to 1.15 for improved TLS Security #2303
Conversation
openshift-ci-robot
requested review from
kikisdeliveryservice and
yuqi-zhang
darkmuggle
changed the title
|
/retest |
darkmuggle
force-pushed
the
pr/CVE-2016-2183
branch
from
6b9c30a
to
87a2ae3
Compare
|
/retest |
darkmuggle
force-pushed
the
pr/CVE-2016-2183
branch
from
87a2ae3
to
7fa6056
Compare
There was a problem hiding this comment.
Do we have to change here too @sinnykumari :
Admittedly, I'm not super knowledgeable about this go-bump... would probably perfer @runcom to take a look next week if there's time before the merge.
pkg/server/api.go
Outdated
| @@ -60,12 +60,23 @@ func NewAPIServer(a *APIHandler, p int, is bool, c, k string) *APIServer { | |||
|
|
|||
| // Serve launches the API Server. | |||
| func (a *APIServer) Serve() { | |||
There was a problem hiding this comment.
can these code changes be broken out into a separate commit from the go upgrade?
There was a problem hiding this comment.
I literally just pushed that commit :)
There was a problem hiding this comment.
I updated the machines-config-daemon.spec too -- it would be required.
There was a problem hiding this comment.
That file is dead btw, the MCD isn't part of RHCOS anymore.
There was a problem hiding this comment.
I thought the spec file was dead, but wasn't 100% sure.
There was a problem hiding this comment.
I literally just pushed that commit :)
great minds!
There was a problem hiding this comment.
yeah as Colin said we no longer need and build machine-config-daemon rpm package. Even if someone wants to build m-c-d rpm package it will build fine with 1.13 because the current 1.15 requirement is added mainly to MCS.
darkmuggle
force-pushed
the
pr/CVE-2016-2183
branch
from
7fa6056
to
9c60b12
Compare
I spent the better part of an afternoon evaluating whether bumping the GoLang version was the better path to resolving the CVE. I concluded that moving to Go1.15 was better due to:
|
|
Should also do the equivalent of this: openshift/release#8148 I believe |
|
openshift/release#14355 filed for the CI change. |
|
/retest |
1 similar comment
|
/retest |
The MCD is not longer distributed as an RPM.
darkmuggle
force-pushed
the
pr/CVE-2016-2183
branch
from
9c60b12
to
5aba0a9
Compare
darkmuggle
changed the title
|
I dropped the TLS config for now. Turns out there is no easy way to have HTTP/2 and provide a list of approved ciphers. However, since we are using TLS and HTTP/2 only approved ciphers are allowed so this will drop the SHA hashing and 3DES ciphers. |
|
/retest |
|
@darkmuggle: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Too get this into 4.7, we will need a bug for go 1.15 version bump. |
openshift-ci-robot
added
the
approved
|
/retest |
darkmuggle
changed the title
|
/retest |
|
/bugzilla refresh |
|
@darkmuggle: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
darkmuggle
changed the title
openshift-ci-robot
added
bugzilla/severity-medium
|
@darkmuggle: This pull request references Bugzilla bug 1844990, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/bugzilla refresh |
|
@darkmuggle: This pull request references Bugzilla bug 1844990, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: darkmuggle, sinnykumari, yuqi-zhang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@darkmuggle: All pull requests linked via external trackers have merged: Bugzilla bug 1844990 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This change is needed in order to fix CVE-2016-2183.
With [1] TLS 1.3 is on-by-default which improves the security posture of
the MCO.
[1] golang/go#30055
Signed-off-by: Ben Howard ben.howard@redhat.com