
gopkg.in/yaml.v2 Denial of Service (DoS) [nerdctl is NOT affected by this CVE] #1135

Merged (1 commit), Jul 29, 2022

Conversation

fahedouch
Member

gopkg.in/yaml.v2 has vulnerability https://nvd.nist.gov/vuln/detail/CVE-2019-11254.

Need to upgrade gopkg.in/yaml.v2 to version 2.2.8 or higher.

Signed-off-by: Fahed DORGAA <fahed.dorgaa@gmail.com>
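As an added example (not code from this PR or from nerdctl), a small Go check of the kind a dependency scanner performs: it reads the version pinned for gopkg.in/yaml.v2 in go.mod text and tests it against the 2.2.8 floor named in the description. The go.mod fragment is constructed to mirror the PR's require block, and the function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragment modelled on the PR's require block (sample input, not nerdctl's real go.mod).
const sampleGoMod = "require (\n\tgopkg.in/square/go-jose.v2 v2.5.1 // indirect\n\tgopkg.in/yaml.v2 v2.4.0 // indirect\n)\n"
// ModuleVersion returns the version a go.mod text pins for modPath, or "" if it is not required.
func ModuleVersion(gomod, modPath string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}
// MeetsFloor reports whether modPath is pinned at minVersion or higher (MAJOR.MINOR.PATCH compare; a "-pre"
// or "+build" suffix is ignored). For this PR the floor is gopkg.in/yaml.v2 v2.2.8, as the description states.
func MeetsFloor(gomod, modPath, minVersion string) (ok bool, err error) {
	pinned := ModuleVersion(gomod, modPath)
	if pinned == "" {
		return false, fmt.Errorf("%s is not required in go.mod", modPath)
	}
	var nums [2][3]int // [0] = pinned, [1] = floor
	for k, v := range []string{pinned, minVersion} {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i] // drop pre-release / build metadata (e.g. Go pseudo-versions)
		}
		parts := strings.Split(v, ".")
		if len(parts) != 3 {
			return false, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
		}
		for i, p := range parts {
			if nums[k][i], err = strconv.Atoi(p); err != nil {
				return false, fmt.Errorf("bad component %q in %q", p, v)
			}
		}
	}
	for i := 0; i < 3; i++ {
		if nums[0][i] != nums[1][i] {
			return nums[0][i] > nums[1][i], nil // first differing component decides
		}
	}
	return true, nil // pinned exactly at the floor
}
```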

@fahedouch fahedouch force-pushed the upgrade-yaml-gopkg branch 2 times, most recently from 66f7af5 to 89b5b8f Compare June 17, 2022 21:01
@@ -170,6 +170,7 @@ require (
google.golang.org/grpc v1.47.0 // indirect
google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
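Review bot: the hunk header `@@ -170,6 +170,7 @@` shows one net added line, and the only new entry visible is `gopkg.in/yaml.v2 v2.4.0 // indirect`, which satisfies the v2.2.8 floor from the description; since the entry is marked `// indirect`, the consumer is a dependency (compose-go, per the review thread) and this line only raises the floor the module graph selects, so it would help to say so in the PR description and to re-run `go mod tidy` once the compose-go fix lands to confirm the explicit pin is still needed.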
Member

compose-go needs to be fixed too

Member Author

@AkihiroSuda compose-spec/compose-go#153 is still Draft; can we merge this before compose-go?

Member

Yes

@AkihiroSuda
Member

I don't think the CVE affects us. We don't launch a server that accepts YAML from an untrusted source.

@AkihiroSuda AkihiroSuda changed the title gopkg.in/yaml.v2 Denial of Service (DoS) gopkg.in/yaml.v2 Denial of Service (DoS) [nerdctl is NOT affected by this CVE] Jun 18, 2022
@fahedouch
Member Author

fahedouch commented Jun 18, 2022

I don't think the CVE affects us. We don't launch a server that accepts YAML from an untrusted source.

Agree, but it is always good to upgrade to a non-vulnerable version to avoid scanner noise. It looks like we should point to this fork https://github.com/compose-spec/compose-go/pull/153/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R24 as compose is doing.

@fahedouch fahedouch force-pushed the upgrade-yaml-gopkg branch from 2b01bbf to 89b5b8f Compare June 20, 2022 13:50
@AkihiroSuda
Member

Needs rebase

@fahedouch fahedouch force-pushed the upgrade-yaml-gopkg branch 3 times, most recently from 62ef1b6 to bd6a7af Compare July 25, 2022 08:39
@fahedouch fahedouch requested a review from AkihiroSuda July 25, 2022 08:41
go.mod Outdated
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9
golang.org/x/net v0.0.0-20220516133312-45b265872317
golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
Member

Why rollback?

Member Author

Sorry it was a rebase issue!

@fahedouch fahedouch force-pushed the upgrade-yaml-gopkg branch from 3805ee2 to af9d72b Compare July 25, 2022 09:15
Signed-off-by: Fahed DORGAA <fahed.dorgaa@gmail.com>
@fahedouch fahedouch force-pushed the upgrade-yaml-gopkg branch from af9d72b to 81095fb Compare July 25, 2022 09:15
Member

@AkihiroSuda AkihiroSuda left a comment


Thanks

@AkihiroSuda AkihiroSuda added this to the v0.22.1 milestone Jul 25, 2022
@AkihiroSuda AkihiroSuda merged commit 3f25af7 into containerd:master Jul 29, 2022