Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of [NET-8174] security: add scan triage for CVE-2024-26147 (helm/v3) into release/1.4.x #3692

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #3688 to be assessed for backporting due to the inclusion of the label backport/1.4.x.

The below text is copied from the body of the original PR.


Changes proposed in this PR

  • Add scan triage for additional CVE, which can be addressed by the same follow-up work as the previous CVE

Checklist


Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-8174-triage-helm-CVE-2024-26147/properly-verified-mustang branch from 279bb8f to 1fb47cc Compare February 26, 2024 16:19
@hc-github-team-consul-core hc-github-team-consul-core merged commit 27d4bd3 into release/1.4.x Feb 26, 2024
25 of 49 checks passed
@hc-github-team-consul-core hc-github-team-consul-core deleted the backport/zalimeni/net-8174-triage-helm-CVE-2024-26147/properly-verified-mustang branch February 26, 2024 16:43
zalimeni added a commit that referenced this pull request Feb 28, 2024
* Backport of [NET-5932] chore: remove comment from closed ticket into release/1.4.x (#3637)

backport of commit a95e951

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of build: Create arm64 packages as well into release/1.4.x (#3647)

backport of commit affc631

Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com>

* Backport of [NET-2420] security: Upgrade helm containerd and several other dependencies into release/1.4.x (#3641)

* security: upgrade helm/v3 to 3.11.3

Addresses multiple CVEs:
- CVE-2023-25165
- CVE-2022-23524
- CVE-2022-23526
- CVE-2022-23525

* chore: upgrade k8s dependencies to match controller-runtime

* security: upgrade containerd to latest

Addresses GHSA-7ww5-4wqc-m92c (GO-2023-2412)

* security: upgrade docker/docker to latest

Addresses GHSA-jq35-85cj-fj4p

* security: upgrade docker/distribution to latest

Addresses CVE-2023-2253

* security: upgrade filepath-securejoin to latest patch

Addresses GHSA-6xv5-86q9-7xr8 (GO-2023-2048)

* chore: upgrade oras-go to fix docker incompatibility

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of values.yaml - tlsServerName docs into release/1.4.x (#3667)

* backport of commit 1598b40

* backport of commit 41dabc4

---------

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of [NET-2420] security: re-enable security scan release block into release/1.4.x (#3651)

* security: re-enable security scan release block

This was previously disabled due to an unresolved false-positive CVE.
Re-enabling both secrets and OSV + Go Modules scanning, which per our
current scan results should not be a blocker to future releases.

Also add security scans on PR and merge to protected branches to allow
proactive triage going forward.

See hashicorp/consul#19978 for similar change in that repo, adapted
here.

* security: add scan triage for CVE-2024-25620 (helm/v3)

Triage this scan result as `consul-k8s` should not be directly
impacted and it is medium severity. Follow-up ticket filed for
remediation.

Also improve formatting of scan config since this change will be
backported.

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of [NET-6741] make: Add target for updating dependencies across all modules into release/1.4.x (#3673)

backport of commit 44583d3

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of build.yml: Add ECR images back into release/1.4.x (#3679)

* backport of commit 8fba327

* backport of commit 9a73765

* backport of commit dd2222f

---------

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of build.yml: typo on tags into release/1.4.x (#3684)

backport of commit cf8dcbe

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of [NET-8174] security: add scan triage for CVE-2024-26147 (helm/v3) into release/1.4.x (#3692)

backport of commit 4b8bc71

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Backport of bump kind to v0.22.0 and update k8s support into release/1.4.x (#3687)

* backport of commit 9f495e0

* backport of commit df8edec

* backport of commit ca89a82

---------

Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: NicoletaPopoviciu <nicoleta@hashicorp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants