bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739
Do we need to upgrade v1.21.3 too? I assume not, but want someone to double check.
From the Go release notes, it mentions fixing a security fix for net/http.
Looks like we should: golang/go#63427
We should bump golang to 1.21.3 for main, and 1.20.10 for 3.4/3.5, and also grpc to 1.58.3 for main, and 1.56.3 or 1.57.1 or 1.58.3 for 3.4/3.5.
Part of #16740
Besides the .go-version file, does anything else need to be updated to bump to 1.21.3?
@dusk125 I suggest to bump different dependencies in separate PRs or commits
Only the .go-version file for the main branch, please raise a separate PR for that. thx
Address CVE-2023-39325 and CVE-2023-44487
Signed-off-by: Allen Ray <alray@redhat.com>
LGTM
thx
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5
This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.
Signed-off-by: Chao Chen <chaochn@amazon.com>
Address CVE-2023-39325 and CVE-2023-44487