Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NET-4865] security: Upgrade Go and net/http CVE-2023-29406 #219

Merged
merged 2 commits into from
Jul 25, 2023

Conversation

zalimeni
Copy link
Member

Upgrade to Go 1.20.6 and net/http 1.12.0 to resolve CVE-2023-29406.

@zalimeni zalimeni requested a review from a team as a code owner July 24, 2023 19:37
@zalimeni zalimeni requested review from a team, ndhanushkodi and thisisnotashwin and removed request for a team July 24, 2023 19:37
@zalimeni zalimeni added backport/1.0 backport/1.1 Changes are backported to 1.1 labels Jul 24, 2023
Upgrade to Go 1.20.6 and `net/http` 1.12.0 to resolve CVE-2023-29406.
@zalimeni zalimeni force-pushed the zalimeni/net-4865-bump-go-net_http-cve branch from f231b1b to fbc05ec Compare July 24, 2023 19:38
@zalimeni
Copy link
Member Author

This will take another fix similar to hashicorp/consul#18129; putting back in draft for now and will ping for review after that's done.

@zalimeni zalimeni marked this pull request as draft July 24, 2023 20:06
@zalimeni zalimeni removed request for a team, ndhanushkodi and thisisnotashwin July 24, 2023 20:06
@curtbushko
Copy link
Contributor

You might have to wait until 1.20.7 for the host header fix? golang/go#61076

@curtbushko curtbushko self-requested a review July 24, 2023 20:22
@zalimeni
Copy link
Member Author

You might have to wait until 1.20.7 for the host header fix? golang/go#61076

@curtbushko ah yeah, I overlooked that the testcontainers breakage is going to put a hold on this. Thanks for pointing that out - I hadn't noticed they're now planning to partially revert the validation to make it more lenient.

I think we can take a similar approach to consul here, and run the tests w/ 1.20.5, while building w/ 1.20.6. That way we satisfy the CVE w/o blocking on the next patch. I'll give that a shot.

Avoid testcontainers breakage due to validation added in Go 1.20.6 until
that issue is resolved. Keep the global version bump to 1.20.6 to
resolve CVEs.
@zalimeni zalimeni force-pushed the zalimeni/net-4865-bump-go-net_http-cve branch from 88a7bf9 to c41146c Compare July 25, 2023 13:07
@zalimeni
Copy link
Member Author

:success-kid: I think that did it @curtbushko - no rush but gonna mark this ready for review again.

@zalimeni zalimeni marked this pull request as ready for review July 25, 2023 13:41
@zalimeni zalimeni requested review from a team, shore and dlaguerta and removed request for a team July 25, 2023 13:41
@zalimeni zalimeni merged commit c4c357e into main Jul 25, 2023
@zalimeni zalimeni deleted the zalimeni/net-4865-bump-go-net_http-cve branch July 25, 2023 13:44
@zalimeni
Copy link
Member Author

Backports didn't fire and reruns are failing in a way I don't quite understand; manually backporting this (would have likely had conflicts anyway)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/1.1 Changes are backported to 1.1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants