Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump go-version to 1.21.9 for release-3.5 due to CVE-2023-45288 #17708

Merged
merged 2 commits into from
Apr 4, 2024

Conversation

henrybear327
Copy link
Contributor

@k8s-ci-robot
Copy link

Hi @henrybear327. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ahrtr
Copy link
Member

ahrtr commented Apr 4, 2024

Question: why bump golang.org/x/net to v0.23.0 in the second commit? Did you see any issue if not bumping it?

@henrybear327
Copy link
Contributor Author

henrybear327 commented Apr 4, 2024

Sorry for not being clear on this second commit.

The vulnerability scan on CI will report an error, thus, I decided to upgrade to the version specified up there.

Log extract:

go: downloading golang.org/x/vuln v1.0.4
go: downloading golang.org/x/mod v0.14.0
go: downloading golang.org/x/tools v0.1[7](https://github.com/etcd-io/etcd/actions/runs/8551422689/job/23430401128#step:6:8).0
go: downloading golang.org/x/sync v0.6.0
Scanning your code and 504 packages across 77 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-26[8](https://github.com/etcd-io/etcd/actions/runs/8551422689/job/23430401128#step:6:9)7
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

@ahrtr
Copy link
Member

ahrtr commented Apr 4, 2024

Thanks for the clarification.

Copy link
Member

@ahrtr ahrtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Thanks.

@ahrtr ahrtr merged commit 01851da into etcd-io:release-3.5 Apr 4, 2024
18 checks passed
@ivanvc ivanvc mentioned this pull request Apr 4, 2024
10 tasks
@henrybear327 henrybear327 deleted the cve/3.5-bump-go-1.21.9 branch April 4, 2024 18:30
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 13, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <[email protected]>
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 13, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <[email protected]>
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 14, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <[email protected]>
henrybear327 added a commit to henrybear327/etcd that referenced this pull request Jun 14, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Sep 24, 2024
Extracted log from govulncheck, suggesting that we should bump the
version of golang.org/x/net

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]

Reference:
- etcd-io#17708

Signed-off-by: Chun-Hung Tseng <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

5 participants