Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of [NET-5146] security: Update Go version to 1.20.7 and x/net to 0.13.0 into release/1.14.x #18361

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #18358 to be assessed for backporting due to the inclusion of the label backport/1.14.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Go upgrade resolves CVE-2023-29409(crypto/tls).

x/net upgrade resolves CVE-2023-3978 for dependency scanners (non-impacting).

Description

Resolves CVEs and brings us up to the latest version of Go and x/net.

Possible follow up to merge the prior Go 1.20.6 and x/net bump changelog entries for simplicity, but leaving for now to focus on getting the fix out in time for the next patch release.

Testing & Reproduction steps

Tests should continue to pass.

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-5146-bump-go-net_http-cve/trivially-fleet-caribou branch from f33d7d7 to c3fcc75 Compare August 2, 2023 17:15
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-5146-bump-go-net_http-cve/trivially-fleet-caribou branch from c3fcc75 to f33d7d7 Compare August 2, 2023 17:15
@hashicorp-cla
Copy link

hashicorp-cla commented Aug 2, 2023

CLA assistant check
All committers have signed the CLA.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@vercel vercel bot temporarily deployed to Preview – consul-ui-staging August 2, 2023 17:19 Inactive
@vercel vercel bot temporarily deployed to Preview – consul August 2, 2023 17:21 Inactive
@zalimeni zalimeni force-pushed the backport/zalimeni/net-5146-bump-go-net_http-cve/trivially-fleet-caribou branch from d8c6ee0 to 75b3a8c Compare August 2, 2023 18:27
@zalimeni zalimeni marked this pull request as ready for review August 2, 2023 18:27
@zalimeni zalimeni requested a review from a team August 2, 2023 18:27
@zalimeni zalimeni requested a review from a team as a code owner August 2, 2023 18:27
@zalimeni zalimeni requested review from sarahethompson and claire-labry and removed request for a team August 2, 2023 18:27
@zalimeni zalimeni enabled auto-merge (squash) August 2, 2023 18:27
@zalimeni zalimeni merged commit b63fec3 into release/1.14.x Aug 2, 2023
@zalimeni zalimeni deleted the backport/zalimeni/net-5146-bump-go-net_http-cve/trivially-fleet-caribou branch August 2, 2023 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants