Address CVE-2022-1996 #394
Conversation
k8s-ci-robot
added
release-note-none
|
Welcome @datamattsson! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @datamattsson. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/XXL
|
Is it possible to not bump the go version from 1.16 to 1.18? For a stable release we don't want to change unnecessary things like compiler versions, due to the chance that the new compiler breaks something that used to work (due to deprecation). |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
1.16 has a cascade of CVEs associated with it in some of the indirect dependencies. Is 1.17 a middle road? |
datamattsson
force-pushed
the
cve-2022-1996
branch
from
10dae54 to
f3fad8b
Compare
Even the latest dot release - 1.16.15? If there are known unpatched security vulnerabilities then I agree it wouldn't make much sense to continue using the old compiler version in a patch that specifically addresses security vulnerabilities, but we should want to avoid upgrading anything that might deprecate existing support because nobody wants to do a dot release upgrade (of this sidecar) and find that something broke. I'm not specifically aware of anything that was dropped between go version 1.16 and 1.17/1.18, but that's the thing to worry about. |
Changing go.mod from 1.17 to 1.16 and running Yesterday, 1.17 was clean as a whistle but today CVE-2022-41717 in golang.org/x/net was discovered (not relevant to the attacher AFAICT). |
This is why we test. Any sidecar upgrade, major, minor or patch would require full e2e on our end and expect the same results. I don't think users blindly flick an image upgrade before safely testing the new image. |
Given the CVEs associated with older go compiler versions, I'm not going to oppose an update here, but did want to push back on the idea that testing is sufficient in every case. Testing covers a lot of use cases but typically only in a single (or small number of) configurations. More exotic configurations tend not to be tested, and deprecations tend to affect exotic configurations more than anything. It's a good rule in general to avoid updating things in stable branches without an explicit reason. In this case our explicit reason is security issues with the compiler, so I'm fine with that. |
datamattsson
requested review from
msau42
and removed request for
xing-yang and
j-griffith
Signed-off-by: Michael Mattsson <michael.mattsson@gmail.com>
datamattsson
force-pushed
the
cve-2022-1996
branch
from
f3fad8b to
e157881
Compare
|
Will this PR be merge-able at one point? (I understand 1.26 deliverables takes precedence). |
|
/retest |
|
/test all |
|
I'm fixing CI in #401 |
|
/test all |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: datamattsson, jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
version in go.mod just specifies version of go vendoring rules that will be used by |
k8s-ci-robot
added
release-note
Signed-off-by: Michael Mattsson michael.mattsson@gmail.com
What type of PR is this?
What this PR does / why we need it:
Addresses CVE-2022-1996
Which issue(s) this PR fixes:
Fixes #369
Special notes for your reviewer:
Slack thread: https://kubernetes.slack.com/archives/C09QZFCE5/p1670445226176689
Does this PR introduce a user-facing change?: