Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade golang.org/x/net to v0.24.0 (#30283) #30286

Merged
merged 1 commit into from
Apr 5, 2024
Merged

Upgrade golang.org/x/net to v0.24.0 (#30283) #30286

merged 1 commit into from
Apr 5, 2024

Conversation

GiteaBot
Copy link
Collaborator

@GiteaBot GiteaBot commented Apr 5, 2024

Backport #30283 by @silverwind

Result of go get -u golang.org/x/net; make tidy.

This is related to the following vulncheck warning:

There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability #2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A

@silverwind @GiteaBot
Upgrade golang.org/x/net to v0.24.0 (go-gitea#30283)
c92f7b3 
Result of `go get -u golang.org/x/net; make tidy`.

This is related to the following vulncheck warning:
```
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability go-gitea#1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability go-gitea#2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A
```
@GiteaBot GiteaBot added modifies/dependencies topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Apr 5, 2024
@GiteaBot GiteaBot added this to the 1.22.0 milestone Apr 5, 2024
@GiteaBot GiteaBot requested a review from lunny April 5, 2024 02:46
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 5, 2024
@GiteaBot GiteaBot requested a review from techknowlogick April 5, 2024 02:46
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 5, 2024
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 5, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 5, 2024
@silverwind silverwind merged commit 1d77df8 into go-gitea:release/v1.22 Apr 5, 2024
26 checks passed
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@silverwind silverwind silverwind approved these changes

@lunny lunny lunny approved these changes

@techknowlogick techknowlogick Awaiting requested review from techknowlogick

Assignees

@silverwind silverwind

Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/dependencies size/S Denotes a PR that changes 10-29 lines, ignoring generated files. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.22.0
Development

Successfully merging this pull request may close these issues.
3 participants
@GiteaBot @lunny @silverwind