Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release: 2.12.1 #5207

Closed
16 tasks done
zroubalik opened this issue Nov 27, 2023 · 5 comments
Closed
16 tasks done

Release: 2.12.1 #5207

zroubalik opened this issue Nov 27, 2023 · 5 comments
Assignees
@zroubalik @tomkerkhove @JorTurFer
Labels
governance release-management All issues related to how we release

Comments

@zroubalik
Copy link
Member

zroubalik commented Nov 27, 2023
edited
Loading

This issue template is used to track the rollout of a new KEDA version.

For the full release process, we recommend reading this document.

Required items

Timeline

We aim to release this release in the week of November 27 2024.

Progress

  • Prepare changelog
  • Welcome message supported versions are up-to-date
  • Add the new version to GitHub Bug report template
  • Create KEDA release
  • Publish new documentation version
  • Setup continuous container scanning with Snyk
  • Prepare & ship Helm chart
  • Prepare next release
  • Provide update in Slack
  • Tweet about new release
@zroubalik zroubalik added release-management All issues related to how we release governance labels Nov 27, 2023
This was referenced Nov 27, 2023
Merged
Merged
Merged
Merged
Merged
Merged
@djsly
Copy link

djsly commented Nov 27, 2023

@zroubalik , do you know if this PR #5200 will be part of 2.12.1 ?

looks like the golang.org/x/net will be fixed in 2.12.1, github.com/go-jose/go-jose/v3 is merged in main and I also see grace was bumped 1 month ago the fix is in main , is 2.12.1 based of main ?

the latest privy reports shows

┌───────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                            Title                             │
├───────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v3 │ GHSA-2c7c-3mj9-8fqh │ MEDIUM   │ fixed  │ v3.0.0            │ 3.0.1                  │ Decryption of malicious PBES2 JWE objects can consume        │
│                               │                     │          │        │                   │                        │ unbounded system resources                                   │
│                               │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-2c7c-3mj9-8fqh            │
├───────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2023-39325      │ HIGH     │        │ v0.15.0           │ 0.17.0                 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                               │                     │          │        │                   │                        │ excessive work (CVE-2023-44487)                              │
│                               │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                               ├─────────────────────┼──────────┤        │                   │                        ├──────────────────────────────────────────────────────────────┤
│                               │ CVE-2023-44487      │ MEDIUM   │        │                   │                        │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                               │                     │          │        │                   │                        │ to a DDoS attack...                                          │
│                               │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├───────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc        │ GHSA-m425-mq94-257g │ HIGH     │        │ v1.58.2           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                               │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                               ├─────────────────────┼──────────┤        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                               │                     │          │        │                   │                        │ to a DDoS attack...                                          │
│                               │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└───────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

@zroubalik
Copy link
Member Author

google.golang.org/grpc

@djsly hi, this is the release go.mod https://github.com/kedacore/keda/blob/v2.12.1/go.mod

It seems like go-jose hasn't been bumped, this particular issue wasn't on my radar. Sorry for that.

@zroubalik
Copy link
Member Author

Release done

@djsly
Copy link

djsly commented Nov 28, 2023

@zroubalik for my personal knowledge, on which branch are the 1.12 releases based on ? should the go-jose version bumped by cherry picked somewhere ?
are you guys planning on releasing 1.12.3 with this fix before the January 1.13 release ?

@JorTurFer
Copy link
Member

@zroubalik for my personal knowledge, on which branch are the 1.12 releases based on ?

The release is based on this code: https://github.com/kedacore/keda/tree/v2.12.1

are you guys planning on releasing 1.12.3 with this fix before the January 1.13 release ?

I don't think so as there isn't any critical issue for the moment IIRC

should the go-jose version bumped by cherry picked somewhere ?

As we don't plan to cut any other release before next release in January, the bump will be already there

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zroubalik zroubalik

@tomkerkhove tomkerkhove

@JorTurFer JorTurFer

Labels
governance release-management All issues related to how we release
Projects
Roadmap - KEDA Core
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zroubalik @tomkerkhove @djsly @JorTurFer