Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump golang.org/x/net to v0.17.0 to address CVE concerns #4167

Merged
merged 1 commit into from
Oct 25, 2023
Merged

bump golang.org/x/net to v0.17.0 to address CVE concerns #4167

merged 1 commit into from
Oct 25, 2023

Conversation

RainbowMango
Copy link
Member

@RainbowMango RainbowMango commented Oct 24, 2023
edited
Loading

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

bump golang.org/x/net to v0.17.0 to address CVE(CVE-2023-39325, CVE-2023-44487) concerns.

@RainbowMango
bump golang.org/x/net to v0.17.0 to address CVE concerns
cd3918f 
Signed-off-by: RainbowMango <qdurenhongcai@gmail.com>
@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Oct 24, 2023
@karmada-bot karmada-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 24, 2023
@RainbowMango
Copy link
Member Author

cc @XiShanYongYe-Chang @zhzhuang-zju

@zhzhuang-zju
Copy link
Contributor

I tried a local trivy scan and from the results, vulnerabilities CVE-2023-39325 and CVE-2023-44487 were resolved by bumping golang.org/x/net to v0.17.0.
The overall process is as follows

  1. git pull the latest code of the branch RainbowMango:pr_update_net to local
  2. code scanning with trivy
➜  karmada git:(trivyscan) ✗ trivy fs --format table --scanners vuln /home/karmada                             
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142 │ HIGH     │ fixed  │ 0.35.1            │ 0.44.0        │ OpenTelemetry-Go Contrib vulnerable to denial of service in │
│ tp                                                           │                │          │        │                   │               │ otelhttp due to unbound...                                  │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45142                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

XiShanYongYe-Chang
XiShanYongYe-Chang reviewed Oct 24, 2023
View reviewed changes
Copy link
Member

@XiShanYongYe-Chang XiShanYongYe-Chang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks~
/lgtm

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 24, 2023
@zhzhuang-zju
Copy link
Contributor

Thanks~
/lgtm

@karmada-bot
Copy link
Collaborator

@zhzhuang-zju: changing LGTM is restricted to collaborators

In response to this:

Thanks~
/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@RainbowMango RainbowMango added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 25, 2023
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot merged commit fc006ce into karmada-io:master Oct 25, 2023
12 checks passed
@RainbowMango RainbowMango deleted the pr_update_net branch October 25, 2023 01:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@XiShanYongYe-Chang XiShanYongYe-Chang XiShanYongYe-Chang left review comments

@Garrybest Garrybest Awaiting requested review from Garrybest

Assignees

@XiShanYongYe-Chang XiShanYongYe-Chang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@RainbowMango @zhzhuang-zju @karmada-bot @XiShanYongYe-Chang