[v10] Backport of dependabot CVE updates by jentfoo · Pull Request #23577 · gravitational/teleport

jentfoo · 2023-03-24T17:35:26Z

Cherry-picked security updates that have been applied in master but failed to backport to v10

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20210226172049-e18ecbb05110 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20211216030914-fe4d6282115f to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20210817164053-32db794688a5 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20211215153901-e495a2d5b3d3 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

codingllama · 2023-03-24T21:01:06Z

Please make sure every module is tidied with go mod tidy, other than that LGTM.

jentfoo · 2023-03-25T01:48:25Z

An additional version revert was required, but this PR should be good to review now. Once merged I will update #23580 and #23582 so that only these packages are updated.

* Bump golang.org/x/net in /assets/backport (#22354) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20210226172049-e18ecbb05110 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net in /web/.cloudbuild/scripts (#22353) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20211216030914-fe4d6282115f to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto in /assets/backport (#22359) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20210817164053-32db794688a5 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto in /web/.cloudbuild/scripts (#22360) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20211215153901-e495a2d5b3d3 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net from 0.6.0 to 0.7.0 in /api (#22010) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net from 0.6.0 to 0.7.0 (#22012) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Downgrade cyrpto to avoid bcrypt 72char limit change * Go mod update revert --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* [v10] Backport of dependabot CVE updates (#23577) * Bump golang.org/x/net in /assets/backport (#22354) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20210226172049-e18ecbb05110 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net in /web/.cloudbuild/scripts (#22353) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20211216030914-fe4d6282115f to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/commits/v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto in /assets/backport (#22359) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20210817164053-32db794688a5 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/crypto in /web/.cloudbuild/scripts (#22360) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.0.0-20211215153901-e495a2d5b3d3 to 0.1.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/commits/v0.1.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net from 0.6.0 to 0.7.0 in /api (#22010) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/net from 0.6.0 to 0.7.0 (#22012) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Downgrade cyrpto to avoid bcrypt 72char limit change * Go mod update revert --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update crypto to 0.2.0 universally --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot Bot added 6 commits March 24, 2023 11:22

jentfoo requested review from r0mant, tigrato and zmb3 March 24, 2023 17:35

jentfoo self-assigned this Mar 24, 2023

zmb3 changed the title ~~Backport of dependabot CVE updates~~ [v10] Backport of dependabot CVE updates Mar 24, 2023

jentfoo commented Mar 24, 2023

View reviewed changes

Comment thread web/.cloudbuild/scripts/go.mod

Downgrade cyrpto to avoid bcrypt 72char limit change

79dbf54

jentfoo force-pushed the jent/v10-dep_updates branch from 4952fa8 to 79dbf54 Compare March 24, 2023 19:53

jentfoo marked this pull request as ready for review March 24, 2023 19:53

jentfoo requested review from codingllama, jakule and rosstimothy March 24, 2023 19:53

github-actions Bot added backport size/sm ui labels Mar 24, 2023

github-actions Bot requested a review from klizhentas March 24, 2023 19:53

codingllama approved these changes Mar 24, 2023

View reviewed changes

Comment thread web/.cloudbuild/scripts/go.mod

jentfoo mentioned this pull request Mar 24, 2023

[v11] Backport of dependabot CVE updates #23580

Merged

Go mod update revert

71fbffc

jentfoo force-pushed the jent/v10-dep_updates branch from 8449e4e to 71fbffc Compare March 25, 2023 01:13

jentfoo enabled auto-merge March 25, 2023 01:48

codingllama approved these changes Mar 27, 2023

View reviewed changes

tigrato approved these changes Mar 27, 2023

View reviewed changes

public-teleport-github-review-bot Bot removed request for jakule, klizhentas, r0mant, rosstimothy and zmb3 March 27, 2023 14:36

jentfoo added this pull request to the merge queue Mar 27, 2023

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 27, 2023

jentfoo added this pull request to the merge queue Mar 27, 2023

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 27, 2023

jentfoo added this pull request to the merge queue Mar 27, 2023

Merged via the queue into branch/v10 with commit f968656 Mar 27, 2023

jentfoo deleted the jent/v10-dep_updates branch March 27, 2023 15:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v10] Backport of dependabot CVE updates#23577

[v10] Backport of dependabot CVE updates#23577
jentfoo merged 8 commits intobranch/v10from
jent/v10-dep_updates

jentfoo commented Mar 24, 2023

Uh oh!

Uh oh!

Uh oh!

codingllama commented Mar 24, 2023

Uh oh!

jentfoo commented Mar 25, 2023

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jentfoo commented Mar 24, 2023

Uh oh!

Uh oh!

Uh oh!

codingllama commented Mar 24, 2023

Uh oh!

jentfoo commented Mar 25, 2023

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants