[3.5] Security: address HIGH Vulnerabilities #15018

Merged
merged 6 commits into from
Dec 19, 2022

Conversation

ahrtr
Member

@ahrtr ahrtr commented Dec 19, 2022

Firstly, bumped golang.org/x/net to v0.4.0 to address some HIGH CVEs.

Secondly, golang.org/x/sys and golang.org/x/text are also automatically bumped when bumping golang.org/x/net. They require Go 1.17+. So let's bump the go version to 1.17.13.

cc @mitake @ptabor @serathius @spzala
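The description above couples a dependency bump to a toolchain bump, and CI has to follow: the example below is added here, not code from the etcd project, and checks that a GitHub Actions `setup-go` pin is not older than the `go` directive in go.mod. Both inputs are constructed (modelled on a go.mod already at 1.17 and a workflow still pinning 1.16.15), and the regexes assume the plain `go X.Y` directive and `go-version:` key forms.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed inputs (not from the etcd repository): a go.mod already bumped to the
// 1.17 the new x/sys and x/text need, and a workflow still pinning the old toolchain.
const sampleGoMod = "module go.etcd.io/etcd/v3\n\ngo 1.17\n\nrequire golang.org/x/net v0.4.0\n"
const sampleWorkflow = "jobs:\n  test:\n    steps:\n    - uses: actions/setup-go@v2\n      with:\n        go-version: \"1.16.15\"\n"

var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\d+(?:\.\d+)*)\s*$`)
	ciGoVersion = regexp.MustCompile(`go-version:\s*"?(\d+(?:\.\d+)*)"?`)
)

// versionLess reports a < b, comparing major.minor.patch numerically ("1.16.15" < "1.17").
func versionLess(a, b string) bool {
	pa := strings.Split(a+".0.0", ".") // pad so a bare "1.17" compares as 1.17.0
	pb := strings.Split(b+".0.0", ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// ciToolchainMismatch lists every setup-go pin in the workflow that is older than the
// go directive in go.mod, i.e. CI would build with a Go the module no longer supports.
func ciToolchainMismatch(goMod, workflow string) []string {
	m := goDirective.FindStringSubmatch(goMod)
	if m == nil {
		return []string{"go.mod has no go directive"}
	}
	var bad []string
	for _, w := range ciGoVersion.FindAllStringSubmatch(workflow, -1) {
		if versionLess(w[1], m[1]) {
			bad = append(bad, "CI pins go "+w[1]+" but go.mod requires "+m[1])
		}
	}
	return bad
}

func main() { fmt.Println(ciToolchainMismatch(sampleGoMod, sampleWorkflow)) }
```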

@ahrtr ahrtr added area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Dec 19, 2022
@ahrtr ahrtr marked this pull request as draft December 19, 2022 05:28
@ahrtr ahrtr force-pushed the deps_3.5_20221219 branch 4 times, most recently from 409b087 to a172ce8, December 19, 2022 08:01
Signed-off-by: Benjamin Wang <[email protected]>
@ahrtr ahrtr marked this pull request as ready for review December 19, 2022 08:20
@ahrtr
Member Author

ahrtr commented Dec 19, 2022

Please ignore the Release failure for now. Once this PR gets merged, it should be resolved automatically.

@@ -13,7 +13,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: "1.16.15"
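Review bot: the visible context of this hunk ends at the old `go-version: "1.16.15"` pin in the setup-go step; since the description bumps the module to Go 1.17.13 because the bumped golang.org/x/sys and golang.org/x/text require 1.17+, make sure this workflow pins the same 1.17.13, otherwise CI builds and tests with a toolchain the module no longer supports.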
Member


Right now, 1.17.x is unsupported.
Just wondering; it would be great to use a current stable version like 1.18.x or 1.19.x.

Contributor


I would minimize the changes (so keep 1.17), as we are already breaking the usual promise of the patch versions (due to etcd long lifecycle).

Member Author


minimize the changes

This was exactly what I was thinking. In the beginning, I bumped to go1.19.4 directly, but on second thought, I downgraded it to 1.17.13.

If all maintainers agree to bump 1.19.x, we can do it in a separate PR.

@ptabor
Contributor

ptabor commented Dec 19, 2022

Thinking about what consequences bumping the go version would have for k8s:

  • k8s 1.22, 1.23 use golang 1.16 and etcd-3.5.0
    (so they didn't bother to patch with 3.5.[5-6])
  • k8s 1.24, go 1.18, etcd-3.5.1
  • k8s 1.25, go 1.19, etcd-3.5.4
  • k8s 1.26, go 1.19, etcd-3.5.5

As etcd-3.5 will be live for a long time, I think we should bump the version and let customers (like k8s) decide whether they want to carry the CVE risk or not. The etcd version for k8s is not critical, as all HTTP traffic is shielded through the API server (assuming proper configuration of firewalls).

Contributor

@ptabor ptabor left a comment


Please add a changelog entry in the 'breaking' section.


@ahrtr ahrtr merged commit f12f162 into etcd-io:release-3.5 Dec 19, 2022
tjungblu pushed a commit to tjungblu/etcd that referenced this pull request Jul 26, 2023
[3.5] Security: address HIGH Vulnerabilities