
Update go version and packages for CVE-2023-44487 #20


Merged
merged 1 commit into rancher:master
Jan 25, 2024

Conversation

eliyamlevy
Contributor

@eliyamlevy eliyamlevy commented Dec 12, 2023

@eliyamlevy eliyamlevy marked this pull request as draft December 12, 2023 18:33
@eliyamlevy eliyamlevy marked this pull request as ready for review December 12, 2023 19:41
@pmatseykanets pmatseykanets self-assigned this Jan 25, 2024
Member

@macedogm macedogm left a comment


I would recommend bumping Go to 1.21 directly, and also bumping some Go dependencies:

  • github.com/containerd/containerd to 1.6.26 or higher
  • github.com/cyphar/filepath-securejoin to 0.2.4 or higher
  • github.com/docker/docker to 20.10.27 or higher
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to 0.44.0 or higher
  • golang.org/x/crypto to 0.17.0 or higher
  • k8s.io/kubernetes to 1.27.10 and all k8s.io/* deps to match the same version
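
Turning the floors above into a check, as an added example (not code from this PR or from the rancher project): a Go audit that applies the listed minimum versions and the "all k8s.io/* deps to match" rule to a module-to-version map, such as one built from `go list -m all`. The handling of pseudo-versioned and v2+ k8s.io modules is my assumption, not something the comment states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version floors from the review comment above; the k8s.io/* alignment rule is applied in Audit.
var floors = map[string]string{
	"github.com/containerd/containerd":                              "v1.6.26",
	"github.com/cyphar/filepath-securejoin":                         "v0.2.4",
	"github.com/docker/docker":                                      "v20.10.27",
	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp": "v0.44.0",
	"golang.org/x/crypto":                                           "v0.17.0",
	"k8s.io/kubernetes":                                             "v1.27.10",
}

// parseVer encodes "v20.10.27+incompatible" as 20010027 (major*1e6+minor*1e3+patch); pre-release and build suffixes are dropped.
func parseVer(v string) (int, error) {
	base, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-") // drop "-rc.1" / pseudo-version tail
	base, _, _ = strings.Cut(base, "+")                        // drop "+incompatible"
	key, parts := 0, strings.Split(base, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 || len(parts) != 3 {
			return 0, fmt.Errorf("unsupported version %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// Audit reports modules below their floor, and v0.x.y k8s.io/* component modules (api, apimachinery,
// client-go, ...) whose minor.patch differs from k8s.io/kubernetes; pseudo-versioned or v2+ ones (assumed: k8s.io/utils, k8s.io/klog/v2) are skipped.
func Audit(req map[string]string) (out []string) {
	k8s, k8sErr := parseVer(req["k8s.io/kubernetes"])
	for mod, have := range req {
		hv, err := parseVer(have)
		floor, hasFloor := floors[mod]
		fv, _ := parseVer(floor)
		switch {
		case err != nil:
			out = append(out, mod+": "+err.Error())
		case hasFloor && hv < fv:
			out = append(out, fmt.Sprintf("%s %s is below %s", mod, have, floor))
		case k8sErr == nil && strings.HasPrefix(mod, "k8s.io/") && hv < 1000000 && !strings.Contains(have, "-") && hv%1000000 != k8s%1000000:
			out = append(out, fmt.Sprintf("%s %s does not match k8s.io/kubernetes %s", mod, have, req["k8s.io/kubernetes"]))
		}
	}
	return out
}
```

Feed Audit the require set of the go.mod under review; an empty result means every listed floor is met and the k8s.io component modules are aligned.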

@pmatseykanets
Contributor

@macedogm Do we want to lump all of these changes in this PR? Or create a subsequent PR for proposed additional version bumps?

@macedogm
Member

@macedogm Do we want to lump all of these changes in this PR? Or create a subsequent PR for proposed additional version bumps?

Both ways work for me. Feel free to do it the way that is best for you.

@pjbgf
Member

pjbgf commented Jan 25, 2024

We could just merge this PR and #18, so that the bumps can be managed automatically.

@pmatseykanets pmatseykanets merged commit ff477c7 into rancher:master Jan 25, 2024
@pmatseykanets pmatseykanets changed the title from "Update go version and packages for CVE" to "Update go version and packages for CVE-2023-44487" Jan 25, 2024
pmatseykanets added a commit that referenced this pull request Feb 22, 2024
* Update to Go 1.21
* Update deps for k8s 1.27
* Update rancher and norman dependencies
* Bump x/crypto to v0.17.0
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0

Ref: #20 (review),
rancher/rancher#43318