Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade golang.org/x/net to v0.24.0 #30283

Merged
merged 2 commits into from
Apr 5, 2024
Merged

Upgrade golang.org/x/net to v0.24.0 #30283

merged 2 commits into from
Apr 5, 2024

Conversation

silverwind
Copy link
Member

@silverwind silverwind commented Apr 4, 2024

Result of go get -u golang.org/x/net; make tidy.

This is related to the following vulncheck warning:

There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability #2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 4, 2024
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 4, 2024
@silverwind silverwind added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.22 This PR should be backported to Gitea 1.22 labels Apr 4, 2024
@github-actions github-actions bot added modifies/dependencies and removed topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.22 This PR should be backported to Gitea 1.22 labels Apr 4, 2024
@silverwind silverwind added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.22 This PR should be backported to Gitea 1.22 labels Apr 4, 2024
@silverwind silverwind changed the title Upgrade golang.org/x/net Upgrade golang.org/x/net to v0.24.0 Apr 4, 2024
@silverwind silverwind changed the title Upgrade golang.org/x/net to v0.24.0 Upgrade golang.org/x/net to v0.24.0 Apr 4, 2024
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 5, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 5, 2024
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 5, 2024
@lunny lunny enabled auto-merge (squash) April 5, 2024 02:19
@lunny lunny merged commit 9550404 into go-gitea:main Apr 5, 2024
26 checks passed
@GiteaBot GiteaBot added this to the 1.23.0 milestone Apr 5, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Apr 5, 2024
Result of `go get -u golang.org/x/net; make tidy`.

This is related to the following vulncheck warning:
```
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability go-gitea#1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability go-gitea#2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A
```
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Apr 5, 2024
@silverwind silverwind deleted the godeps1 branch April 5, 2024 02:57
silverwind added a commit that referenced this pull request Apr 5, 2024
Backport #30283 by @silverwind

Result of `go get -u golang.org/x/net; make tidy`.

This is related to the following vulncheck warning:
```
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability #2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A
```

Co-authored-by: silverwind <me@silverwind.io>
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 8, 2024
* giteaofficial/main: (26 commits)
  Fix oauth2 builtin application logic (go-gitea#30304)
  [skip ci] Updated licenses and gitignores
  Some NuGet package enhancements (go-gitea#30280)
  Fix and rewrite contrast color calculation, fix project-related bugs (go-gitea#30237)
  Add `--page-spacing` variable, fix admin dashboard notice (go-gitea#30302)
  Action view mobile improvements and fixes (go-gitea#30309)
  Fix checkboxes on mobile view, remove some dead css (go-gitea#30308)
  Clean up log messages (go-gitea#30313)
  Fix right-aligned input icons (go-gitea#30301)
  Refactor startup deprecation messages (go-gitea#30305)
  [skip ci] Updated translations via Crowdin
  Remove fomantic list module (go-gitea#30281)
  Markup color and font size fixes (go-gitea#30282)
  Fix code block style for code preview (go-gitea#30298)
  Always use `octicon-eye` on watch button (go-gitea#30288)
  Fix view commit link (go-gitea#30297)
  Add gap to commit status details (go-gitea#30284)
  Update JS dependencies and add new eslint rules (go-gitea#30279)
  Upgrade `golang.org/x/net` to v0.24.0 (go-gitea#30283)
  Commit-Dropdown: Show Author of commit if available (go-gitea#30272)
  ...

# Conflicts:
#	templates/base/footer_content.tmpl
AvengerMoJo pushed a commit to AvengerMoJo/gitea that referenced this pull request Apr 8, 2024
Result of `go get -u golang.org/x/net; make tidy`.

This is related to the following vulncheck warning:
```
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability go-gitea#1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability go-gitea#2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A
```
@wxiaoguang wxiaoguang added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Apr 27, 2024
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created backport/v1.22 This PR should be backported to Gitea 1.22 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/dependencies size/S Denotes a PR that changes 10-29 lines, ignoring generated files. skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants