Upstream go security issue with crypto/elliptic #46391
Comments
cc @kubernetes/kubernetes-release-managers as I misspelled it the first time
I've created:
I'm not sure who the best reviewer is, but I know @luxas and @ixdy have helped with the cross build images previously. If either of you are able to take a look, I'd appreciate it :)
Bump to 1.8.3 at head is happening in: #46429
The
Automatic merge from submit-queue

[release-1.6] Bump golang versions to 1.7.6

**What this PR does / why we need it**: Addresses #46391 for the release-1.6 branch.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**: Tests will not pass until kube-cross image is built and pushed to GCR.

**Release note**:
```release-note
Upgrade golang version to 1.7.6
```
Automatic merge from submit-queue (batch tested with PRs 46429, 46308, 46395, 45867, 45492)

Bump Go version to 1.8.3

This PR also removes the patched version of Go 1.8.1 that we used to work around a performance problem in Go 1.8.1.

Fix #45216
Ref #46391
@timothysc @bradfitz
To update status here:
Automatic merge from submit-queue

[release-1.5] Bump golang versions to 1.7.6

**What this PR does / why we need it**: Addresses #46391 for the release-1.5 branch.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**: Tests will not pass until kube-cross image is built and pushed to GCR.

**Release note**:
```release-note
Upgrade golang version to 1.7.6
```
Only thing left is cni and etcd.
@cblecker Feel free to send a PR to etcd bump to 1.7.6 in the meantime so we don't miss it in case we'd make a new release of that image.
Automatic merge from submit-queue (batch tested with PRs 45699, 46200, 46335, 46599)

Bump CNI and etcd go base images to 1.7.6

**What this PR does / why we need it**: Addresses #46391 for CNI and etcd images.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

/assign @luxas
All known instances of go in k/k have been updated to a patched version (go1.7.6 or go1.8.3). 🎉
Yesterday, the golang team released go 1.7.6 and go 1.8.2 to address a security issue involving the `crypto/elliptic` package. There is currently no known exploit, but as we have dependencies on this package in kubernetes, we should upgrade the versions of go we are using. Details are here: golang/go#20040
As we are updating master/1.7 to use go 1.8.3 (#45216 (comment)), I don't think we need any specific action there. However, we should probably update 1.5 and 1.6 to use go 1.7.6.
The kubernetes security team is aware of this issue, and is okay with a public issue on it as details are already public.
/kind bug
/area security
/priority important-soon
cc @timstclair @kubernetes/kubernetes-release-managers @luxas @ixdy @wojtek-t
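The remediation the issue asks for is an inventory of every place a Go toolchain is pinned (build hosts, cross-build image tags, base images) and a check that each one is at or past the fixed releases named above. The following Go program is an added example, not code from the issue or from the Kubernetes project: it parses `go version` output and image tags, compares them against the first fixed release per minor line (go1.7.6 and go1.8.2 from the issue text), and flags anything older. The image names and tags in `main` are constructed samples, not the project's real build images.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// goVersion is a parsed Go toolchain version (e.g. go1.7.6).
type goVersion struct{ major, minor, patch int }

func (v goVersion) String() string {
	return fmt.Sprintf("go%d.%d.%d", v.major, v.minor, v.patch)
}

// versionRe finds the first X.Y or X.Y.Z number group in a string, which
// covers "go version go1.8.1 linux/amd64", "golang:1.7.5" and "v1.7.5-1".
var versionRe = regexp.MustCompile(`(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts the toolchain version from a `go version` line or
// an image tag. A missing patch component is treated as .0.
func parseGoVersion(s string) (goVersion, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("no go version found in %q", s)
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// minPatched maps a Go 1.x minor line to the first release carrying the
// crypto/elliptic fix, as named in the issue (go1.7.6 and go1.8.2).
var minPatched = map[int]goVersion{
	7: {1, 7, 6},
	8: {1, 8, 2},
}

// isPatched reports whether v includes the fix. Minor lines newer than the
// table (1.9+) are assumed to carry it; older lines (1.6 and below) never
// received a fixed release and are reported as unpatched.
func isPatched(v goVersion) bool {
	if v.major != 1 {
		return v.major > 1
	}
	fixed, ok := minPatched[v.minor]
	if !ok {
		return v.minor > 8
	}
	return v.patch >= fixed.patch
}

// toolchainRef is one place a Go version is pinned: a builder image tag,
// a Dockerfile FROM line, or the output of `go version` on a build host.
type toolchainRef struct{ Source, Raw string }

// finding is the audit result for one toolchainRef.
type finding struct {
	Source, Version string
	Patched         bool
}

// auditToolchains classifies every reference; unparseable entries are
// reported as unpatched so they get a human look rather than silently pass.
func auditToolchains(refs []toolchainRef) []finding {
	out := make([]finding, 0, len(refs))
	for _, r := range refs {
		v, err := parseGoVersion(r.Raw)
		if err != nil {
			out = append(out, finding{r.Source, "unparsed", false})
			continue
		}
		out = append(out, finding{r.Source, v.String(), isPatched(v)})
	}
	return out
}

func main() {
	// Constructed sample inputs; the image names and tags are illustrative,
	// not the project's real build images.
	refs := []toolchainRef{
		{"build host", "go version go1.8.1 linux/amd64"},
		{"example/kube-cross tag", "v1.7.5-1"},
		{"example/etcd Dockerfile", "FROM golang:1.7.6"},
		{"example/cni Dockerfile", "FROM golang:1.8.3"},
		{"legacy image", "FROM golang:1.6.4"},
	}
	for _, f := range auditToolchains(refs) {
		status := "OK"
		if !f.Patched {
			status = "NEEDS BUMP"
		}
		fmt.Printf("%-25s %-10s %s\n", f.Source, f.Version, status)
	}
}
```

Feeding it the real list of build images and `go version` output from each build host gives the same per-branch picture the thread assembles by hand; the 1.6-and-older rule is deliberately conservative because no fixed release exists for those lines, so the only remediation is moving to 1.7.6 or later.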