-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address CVE-2022-1996 #394
Address CVE-2022-1996 #394
Conversation
Welcome @datamattsson! |
Hi @datamattsson. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is it possible to not bump the go version from 1.16 to 1.18? For a stable release we don't want to change unnecessary things like compiler versions, due to the chance that the new compiler breaks something that used to work (due to deprecation). |
/ok-to-test |
1.16 has a cascade of CVEs associated with it in some of the indirect dependencies. Is 1.17 a middle road? |
10dae54
to
f3fad8b
Compare
Even the latest dot release - 1.16.15? If there are known unpatched security vulnerabilities then I agree it wouldn't make much sense to continue using the old compiler version in a patch that specifically addresses security vulnerabilities, but we should want to avoid upgrading anything that might deprecate existing support because nobody wants to do a dot release upgrade (of this sidecar) and find that something broke. I'm not specifically aware of anything that was dropped between go version 1.16 and 1.17/1.18, but that's the thing to worry about. |
Changing go.mod from 1.17 to 1.16 and running Yesterday, 1.17 was clean as a whistle but today CVE-2022-41717 in golang.org/x/net was discovered (not relevant to the attacher AFAICT). |
This is why we test. Any sidecar upgrade, major, minor or patch would require full e2e on our end and expect the same results. I don't think users blindly flick an image upgrade before safely testing the new image. |
Given the CVEs associated with older go compiler versions, I'm not going to oppose an update here, but did want to push back on the idea that testing is sufficient in every case. Testing covers a lot of use cases but typically only in a single (or small number of) configurations. More exotic configurations tend not to be tested, and deprecations tend to affect exotic configurations more than anything. It's a good rule in general to avoid updating things in stable branches without an explicit reason. In this case our explicit reason is security issues with the compiler, so I'm fine with that. |
Signed-off-by: Michael Mattsson <[email protected]>
f3fad8b
to
e157881
Compare
Will this PR be merge-able at one point? (I understand 1.26 deliverables takes precedence). |
/retest |
/test all |
I'm fixing CI in #401 |
/test all |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: datamattsson, jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
version in go.mod just specifies version of go vendoring rules that will be used by |
Signed-off-by: Michael Mattsson [email protected]
What type of PR is this?
What this PR does / why we need it:
Addresses CVE-2022-1996
Which issue(s) this PR fixes:
Fixes #369
Special notes for your reviewer:
Slack thread: https://kubernetes.slack.com/archives/C09QZFCE5/p1670445226176689
Does this PR introduce a user-facing change?: