
Fix CVE-2020-29652 and CVE-2020-26160 #4274

Merged: 1 commit merged into vmware-tanzu:main from 211024_cve on Nov 3, 2021

Conversation

ywk253100
Contributor

Bump up restic to v0.12.1 to fix CVE-2020-26160.
Bump up module "github.com/vmware-tanzu/crash-diagnostics" to v0.3.7 to fix CVE-2020-29652.
The "github.com/vmware-tanzu/crash-diagnostics" module updates client-go to v0.22.2, which introduces several breaking changes; this commit updates the related code as well.

Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>

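Checking that a bump like this actually reaches the built binary is a separate step from editing go.mod: under minimal version selection the version Go builds is the one `go list -m all` reports, which for a transitive dependency such as client-go is not necessarily the version written in any single requirement line. The following is an added example in Go, not code from this PR or from Velero, that parses `go list -m all` output and reports modules selected below a required minimum. The input is a constructed sample (not Velero's real module graph), the minimum map is an assumption, and the example.com modules and all function names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output; it is not Velero's real
// module graph. The two module paths/versions named in the PR are included;
// the example.com entries are hypothetical and exist only to exercise
// pre-release and pseudo-version ordering.
const sampleGoList = `github.com/vmware-tanzu/velero
github.com/vmware-tanzu/crash-diagnostics v0.3.7
k8s.io/client-go v0.22.2
example.com/hypothetical/lib v1.4.0-beta.2
example.com/hypothetical/pseudo v0.0.0-20200101000000-aaaaaaaaaaaa
`

// exampleMinimums is an assumed policy: the lowest acceptable version per
// module path. Only the first two entries come from the PR text.
func exampleMinimums() map[string]string {
	return map[string]string{
		"github.com/vmware-tanzu/crash-diagnostics": "v0.3.7",
		"k8s.io/client-go":                          "v0.22.2",
		"example.com/hypothetical/lib":              "v1.4.0",
		"example.com/hypothetical/pseudo":           "v0.0.0-20210101000000-bbbbbbbbbbbb",
	}
}

// ParseGoList maps module path -> selected version from `go list -m all`
// output. The first line is the main module, which has no version and is
// skipped. A "path v1 => other v2" replacement line is recorded with v2,
// since the replacement is what actually gets built.
func ParseGoList(out string) map[string]string {
	selected := make(map[string]string)
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		selected[f[0]] = f[1]
		for i := range f {
			if f[i] == "=>" && i+2 < len(f) {
				selected[f[0]] = f[i+2]
			}
		}
	}
	return selected
}

type semver struct {
	nums [3]int
	pre  string // empty for a release; pre-releases and pseudo-versions sort below the release
}

// parseSemver accepts "vMAJOR.MINOR.PATCH[-pre][+build]" as Go modules use it.
func parseSemver(v string) (semver, error) {
	var out semver
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		out.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("malformed version %q", v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// compareSemver orders numerically on major.minor.patch, then treats a release
// as greater than any pre-release. Pre-release strings are compared lexically,
// a simplification that is exact for Go pseudo-version timestamps.
func compareSemver(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// VersionAtLeast reports whether have satisfies the minimum want.
func VersionAtLeast(have, want string) (bool, error) {
	h, err := parseSemver(have)
	if err != nil {
		return false, err
	}
	w, err := parseSemver(want)
	if err != nil {
		return false, err
	}
	return compareSemver(h, w) >= 0, nil
}

// CheckMinimums returns one finding ("path have < want") for every module that
// is present in the graph and selected below its minimum. Modules absent from
// the graph are not in the build at all and are skipped.
func CheckMinimums(graph, minimums map[string]string) ([]string, error) {
	var findings []string
	for path, want := range minimums {
		have, present := graph[path]
		if !present {
			continue
		}
		atLeast, err := VersionAtLeast(have, want)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if !atLeast {
			findings = append(findings, fmt.Sprintf("%s %s < %s", path, have, want))
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	findings, err := CheckMinimums(ParseGoList(sampleGoList), exampleMinimums())
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Println("below minimum:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

In a real run the input would be `go list -m all` executed in the module root after the bump; the two example.com entries are there only to show that a pre-release (`v1.4.0-beta.2`) does not satisfy a `v1.4.0` minimum and that a pseudo-version is compared by its commit timestamp.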

@github-actions github-actions bot added the Dependencies Pull requests that update a dependency file label Oct 25, 2021
@@ -82,7 +82,7 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
endef

# The version of restic binary to be downloaded for power architecture
RESTIC_VERSION ?= 0.12.0
RESTIC_VERSION ?= 0.12.1
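Review bot: the comment above this variable says it only governs the restic binary downloaded for the power architecture, so bumping it to 0.12.1 here addresses CVE-2020-26160 for that build path alone; please confirm in the same change that the restic version used for the other architectures (wherever it is sourced) is also moved to 0.12.1, otherwise the fix is partial. It would also be worth recording the release checksum next to `RESTIC_VERSION ?= 0.12.1` so the downloaded binary is verified rather than trusted on the version string alone.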
Contributor

Looks like we could support s390x now

#4047 (comment)
#2622 (comment)

@ywk253100 ywk253100 changed the title Fix CVE-2020-29652 and CVE-2020-26160 [WIP]Fix CVE-2020-29652 and CVE-2020-26160 Oct 25, 2021
@ywk253100 ywk253100 force-pushed the 211024_cve branch 2 times, most recently from 682f79a to efc6237 Compare October 25, 2021 13:22
@ywk253100 ywk253100 changed the title [WIP]Fix CVE-2020-29652 and CVE-2020-26160 Fix CVE-2020-29652 and CVE-2020-26160 Oct 25, 2021
@dsu-igeek dsu-igeek left a comment

Let's check vs 1.12 and understand if the go-client update is a breaking change, thanks!

@ywk253100 ywk253100 added this to the v1.7.1 milestone Oct 27, 2021
@ywk253100 ywk253100 force-pushed the 211024_cve branch 2 times, most recently from 97ab70c to 48264a1 Compare October 27, 2021 12:00
ywk253100 commented Oct 27, 2021

I have done some basic verification against k8s 1.12; it works as expected.

@dsu-igeek dsu-igeek left a comment

Looks good, thanks!

@dsu-igeek dsu-igeek merged commit 9f0ea22 into vmware-tanzu:main Nov 3, 2021
@zubron zubron mentioned this pull request Dec 7, 2021
danfengliu pushed a commit to danfengliu/velero that referenced this pull request Jan 25, 2022
gyaozhou pushed a commit to gyaozhou/velero-read that referenced this pull request May 14, 2022
Labels
Dependencies Pull requests that update a dependency file has-changelog
5 participants