Merge pull request #2813 from jpmcb/host-ctr-go-restful-dependency

`host-ctr`: Upgrades `go-restful` dependency used by containerd
bottlerocket-os · Feb 17, 2023 · 113b49b · 113b49b
2 parents ed063a0 + 26c3c0a
commit 113b49b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 85 deletions.
diff --git a/sources/host-ctr/go.mod b/sources/host-ctr/go.mod
@@ -15,10 +15,22 @@ require (
 	k8s.io/cri-api v0.26.0
 )
 
-// containerd still uses the v1alpha2 APIs in k8s.io/cri-api.
-// These were removed in v0.26 of cri-api resulting in a dependency conflict.
-// TODO: Remove this `replace` when containerd uses v1 of the cri-api
-replace k8s.io/cri-api => k8s.io/cri-api v0.25.5
+replace (
+	// Containerd 1.6.x carries an older version of go-restful that has a CVE.
+	// As documented in containerd here: https://github.com/containerd/containerd/pull/7117
+	// this CVE cannot be executed against containerd.
+	// Regardless, this replace statement upgrades the go-restful dependency
+	// to a version that does not have this CVE
+	// and is still compatible with containerd.
+	// TODO: For containerd 1.7.x, this replace statement can be removed
+	// since containerd moved to go-restful/v3
+	github.com/emicklei/go-restful v2.9.5+incompatible => github.com/emicklei/go-restful v2.16.0+incompatible
+
+	// containerd still uses the v1alpha2 APIs in k8s.io/cri-api.
+	// These were removed in v0.26 of cri-api resulting in a dependency conflict.
+	// TODO: Remove this `replace` when containerd uses v1 of the cri-api
+	k8s.io/cri-api => k8s.io/cri-api v0.25.5
+)
 
 require (
 	github.com/Microsoft/go-winio v0.6.0 // indirect