
[release-1.14] Bump c/image v5.29.3, c/common v0.57.5, CVE-2024-3727 #2331

Conversation

TomSweeneyRedHat
Member

Bump c/image to v5.29.3 and c/common to v0.57.3, and then Skopeo to v1.14.4

Addresses: CVE-2024-3727

https://issues.redhat.com/browse/RHEL-35914

and RHEL 8.10/9.4 cards once they are spun up.

Bump c/image to v5.29.3 and c/common to v0.57.3

Addresses: CVE-2024-3727

https://issues.redhat.com/browse/RHEL-35914

and RHEL 8.10/9.4 cards once they are spun up.

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Bumps Skopeo to v1.14.4 to incorporate the fix for
CVE-2024-3727

Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
@TomSweeneyRedHat
Member Author

I just realized I never made a v1.14.3 release, will do so now.


Ephemeral COPR build failed. @containers/packit-build please check.

Contributor

@mtrmac mtrmac left a comment


@TomSweeneyRedHat The version bumps LGTM, but the “Bump Skopeo to v1.14.4” commit only updates go.sum.


@danishprakash danishprakash left a comment


@TomSweeneyRedHat just wondering, could this have been 1.14.3?

@mtrmac
Contributor

mtrmac commented May 27, 2024

@TomSweeneyRedHat This is now a strict subset of #2337, so I think this PR can be closed in favor of the other one — but the two refer to different Jira bugs, I’m not sure if anything needs updating Jira-side.

@TomSweeneyRedHat
Member Author

I messed this one up entirely. The Jira card this was meant to tend to is https://issues.redhat.com/browse/RHEL-35443. That was fixed by a renovate PR in upstream with #2334. We still need a change in the release-1.14 branch, we will continue on with that with #2337, which is in a happier state.

@TomSweeneyRedHat TomSweeneyRedHat deleted the dev/tsweeney/cve-2024-3727-1.14 branch May 28, 2024 22:29
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Aug 27, 2024