
Bug 2228807: rebase: update golang.org/x/net to v0.14 #179

Merged

Conversation

nixpanic
Member

@nixpanic nixpanic commented Aug 8, 2023

Bug 2228807 has been reported because ceph-csi includes a vulnerable version of golang.org/x/net/html.

golang.org/x/net/html v0.12 is vulnerable against CVE-2023-3978. Exploiting it through Ceph-CSI is non-trivial, but rebasing golang.org/x/net should take away any concerns.

I hereby confirm that:

  • this change is in the upstream project (rebase: update golang.org/x/net to v0.14, ceph/ceph-csi#4034)
  • this change is in the devel branch of this project (commit a129b1c)
  • branches for higher versions of the project have this change merged
  • this PR is not downstream-only, if that was the case, I would have explained its need very clearly

golang.org/x/net/html v0.12 is vulnerable against CVE-2023-3978.
Exploiting it through Ceph-CSI is non-trivial, but rebasing
golang.org/x/net should take away any concerns.

See-also: https://pkg.go.dev/vuln/GO-2023-1988
Signed-off-by: Niels de Vos <[email protected]>
(cherry picked from commit a129b1c)
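A check of the kind this rebase calls for, added here as an example rather than code from the PR or from ceph-csi: it scans go.mod text (a constructed excerpt, not the project's real file) and flags a golang.org/x/net requirement older than v0.14.0, the module tag matching the v0.14 named above. It assumes no replace directive overrides the require line; on a real release branch `go list -m golang.org/x/net` or govulncheck gives the authoritative answer.

```go
package main

import (
	"fmt"
	"strings"
)

// From the PR: golang.org/x/net is rebased to v0.14 (tag v0.14.0) for CVE-2023-3978.
const vulnModule, fixedVersion = "golang.org/x/net", "v0.14.0"

// Constructed go.mod excerpt for the pre-rebase state (not ceph-csi's real file).
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgolang.org/x/net v0.12.0\n\tgolang.org/x/sys v0.10.0 // indirect\n)\n"

// parseSemver turns "v0.12.0" into numeric components; "-pre"/"+meta" suffixes are dropped.
func parseSemver(v string) (out [3]int, ok bool) {
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	n, err := fmt.Sscanf(core, "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3
}

// olderThan reports whether version a sorts before b (major, then minor, then patch).
func olderThan(a, b [3]int) bool {
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}

// vulnerableNetVersion finds the golang.org/x/net require line (single-line or in a block)
// and returns its version plus true when older than fixedVersion ("" when absent; an
// unparseable version is flagged, fail closed). Assumption: no replace directive overrides it.
func vulnerableNetVersion(gomod string) (string, bool) {
	fixed, _ := parseSemver(fixedVersion)
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require golang.org/x/net v0.12.0
		}
		if len(f) >= 2 && f[0] == vulnModule && strings.HasPrefix(f[1], "v") { // skips "=>" replace lines
			got, ok := parseSemver(f[1])
			return f[1], !ok || olderThan(got, fixed)
		}
	}
	return "", false
}

func main() {
	v, vuln := vulnerableNetVersion(sampleGoMod)
	fmt.Printf("%s %s vulnerable=%t\n", vulnModule, v, vuln)
}
```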
@openshift-ci

openshift-ci bot commented Aug 8, 2023

@nixpanic: This pull request references Bugzilla bug 2228807, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

2 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @keesturam

In response to this:

Bug 2228807: rebase: update golang.org/x/net to v0.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci

openshift-ci bot commented Aug 8, 2023

@openshift-ci[bot]: GitHub didn't allow me to request PR reviews from the following users: keesturam.

Note that only red-hat-storage members and repo collaborators can review this PR, and authors cannot review their own PRs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Madhu-1
Member

Madhu-1 commented Aug 8, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Code looks good label Aug 8, 2023
@openshift-ci

openshift-ci bot commented Aug 8, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Madhu-1, nixpanic

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 2b2d5aa into red-hat-storage:release-4.14 Aug 8, 2023
10 checks passed
@openshift-ci

openshift-ci bot commented Aug 8, 2023

@nixpanic: All pull requests linked via external trackers have merged:

Bugzilla bug 2228807 has been moved to the MODIFIED state.

In response to this:

Bug 2228807: rebase: update golang.org/x/net to v0.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
