[v0.51] Bump c/image to v5.24.3, c/common to v0.51.4 #2154
Conversation
Bump c/image to v5.24.3 to resolve CVE-2024-3727 in the Podman v4.4.1-rhel branch for a number of versions of OCP Signed-off-by: tomsweeneyredhat <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I seem to remember seeing this error elsewhere, but I can't find the secret sauce to fix it: Anyone's memory cells connecting better than mine are tonight? |
@TomSweeneyRedHat, try:
This is because the |
|
@TomSweeneyRedHat, there are other issues here per: go: github.com/containers/common/libimage imports
github.com/containers/ocicrypt/config imports
gopkg.in/yaml.v3 tested by
gopkg.in/yaml.v3.test imports
gopkg.in/check.v1 imports
github.com/kr/pretty imports
github.com/rogpeppe/go-internal/fmtsort loaded from github.com/rogpeppe/[email protected],
but go 1.16 would select v1.8.0
To upgrade to the versions selected by go 1.16:
go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
go mod tidy -compat=1.17
For other options, see:
https://golang.org/doc/modules/pruning
go: github.com/containers/common/libimage imports
github.com/containers/ocicrypt/config imports
gopkg.in/yaml.v3 tested by
gopkg.in/yaml.v3.test imports
gopkg.in/check.v1 imports
github.com/kr/pretty imports
github.com/rogpeppe/go-internal/fmtsort loaded from github.com/rogpeppe/[email protected],
but go 1.16 would select v1.8.0 |
Exclude the old, outdated, and problematic github.com/mitchellh/osext which was being dragged in by containerd. This is what containerd did in containerd/containerd#10011 and included it in 1.6.31. I tried bumping first to 1.6.31, but that dragged in a lot of stuff. I think this is safer, if it works. Signed-off-by: tomsweeneyredhat <[email protected]>
As the title says, bumping c/common to v0.51.4. Signed-off-by: tomsweeneyredhat <[email protected]>
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/cveplus-v0.51
branch
from
05809a1
to
4d0d20a
Compare
|
@kwilczynski TYVM! It looks like mitchell/osext is not used and dragged in by contained from some far flung dependency. They got rid of it in 1.6.31, but bumping up that high in this branch dragged in a boatload of other nasty. When contained ran into this same issue, they excluded osext. I've tried doing the same and will cross my fingers that will cure it. If not, I'll dive into your other suggestions. |
@TomSweeneyRedHat, looks like excluding the |
|
/lgtm |
|
Fixes: https://issues.redhat.com/browse/RHEL-59127 once this is vendored into Podman v4.4.* |
|
Let me check if the mergebot is stuck |
|
LGTM for reference |
|
It shouldn't be stuck. |
|
Too many PRs, thix addresses CVE-2024-3727 follow on fix. #2157 fixes https://issues.redhat.com/browse/RHEL-59127 . Once a release is cut and then c/common vendored into Skopeo and Podman, this will fix: I'm waiting for #2157 to merge before creating a c/common release and then merge into Podman/Skopeo. |
As the title says, bump c/image to v5.24.3 to address CVE-2024-3727, then bump c/common to include it in Podman v4.4.1-rhel.