bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739

Merged, 2 commits, Oct 11, 2023

dusk125 (Contributor) commented Oct 11, 2023

serathius (Member) commented:

Do we need to upgrade v1.21.3 too? I assume not, but want someone to double check.

dusk125 (Contributor Author) commented Oct 11, 2023

> Do we need to upgrade v1.21.3 too? I assume not, but want someone to double check.

From the Go release notes, it mentions fixing a security fix for net/http.
I can go ahead and do this here as well if you want to handle it in one, or I can create another PR for the Go bump.

dusk125 (Contributor Author) commented Oct 11, 2023

Looks like we should: golang/go#63427

ahrtr (Member) commented Oct 11, 2023

We should bump golang to 1.21.3 for main, and 1.20.10 for 3.4/3.5, and also grpc to 1.58.3 for main, and 1.56.3 or 1.57.1 or 1.58.3 for 3.4/3.5.

ahrtr (Member) commented Oct 11, 2023

Part of #16740

dusk125 (Contributor Author) commented Oct 11, 2023

Besides the .go-version file, does anything else need to be updated to bump to 1.21.3?

ahrtr (Member) commented Oct 11, 2023

@dusk125 I suggest to bump different dependencies in separate PRs or commits

ahrtr (Member) commented Oct 11, 2023

> Besides the .go-version file, does anything else need to be updated to bump to 1.21.3?

Only the .go-version file for the main branch, please raise a separate PR for that. thx

Address CVE-2023-39325 and CVE-2023-44487

Signed-off-by: Allen Ray <alray@redhat.com>
dusk125 changed the title from "bump golang.org/x/net to v0.17.0" to "bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3" on Oct 11, 2023
Signed-off-by: Allen Ray <alray@redhat.com>
ahrtr (Member) left a comment

LGTM

thx

ahrtr merged commit bf80055 into etcd-io:main on Oct 11, 2023
27 checks passed
dusk125 deleted the http2-update branch on October 11, 2023 15:26
ahrtr mentioned this pull request on Oct 11, 2023 (24 tasks)
chaochn47 added a commit to chaochn47/etcd that referenced this pull request Oct 17, 2023
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5

This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.

Signed-off-by: Chao Chen <chaochn@amazon.com>
dusk125 pushed a commit to dusk125/etcd that referenced this pull request Oct 18, 2023
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5

This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.

Signed-off-by: Chao Chen <chaochn@amazon.com>
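
A go.mod gate for the versions named in this thread, added here as an example and not part of the PR or of etcd's code. Because the thread lists a separate patched gRPC release per minor line (1.56.3, 1.57.1, 1.58.3), the check compares each requirement against the fix on its own line rather than against a single minimum. The names `floors`, `patched`, `audit` and `sampleGoMod` are hypothetical, and the handling of minor lines the thread does not list is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// floors: module -> minor release line -> first patched patch level (from the thread).
var floors = map[string]map[int]int{
	"golang.org/x/net":       {17: 0},
	"google.golang.org/grpc": {56: 3, 57: 1, 58: 3},
}

// patched compares v against the fix on its own minor line. Assumption: lines
// newer than every listed one carry the fix, older unlisted lines do not.
func patched(mod, v string) bool {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); err != nil {
		return false
	}
	if need, listed := floors[mod][minor]; listed {
		return patch >= need
	}
	for m := range floors[mod] {
		if m > minor {
			return false
		}
	}
	return true
}

// audit returns "module@version" for each tracked go.mod requirement below its patched release.
func audit(gomod string) (stale []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && strings.HasPrefix(f[1], "v") && floors[f[0]] != nil && !patched(f[0], f[1]) {
			stale = append(stale, f[0]+"@"+f[1])
		}
	}
	return stale
}

// sampleGoMod is constructed for this example; it is not etcd's go.mod.
const sampleGoMod = "module example.test/app\n\ngo 1.20\n\nrequire (\n" +
	"\tgolang.org/x/net v0.15.0 // indirect\n" +
	"\tgoogle.golang.org/grpc v1.57.0\n)\n"

func main() {
	fmt.Println("needs bump:", audit(sampleGoMod))
}
```

A plain "at least v1.56.3" comparison would accept v1.57.0, which sits above 1.56.3 but below the 1.57.1 release named for that line.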