Manual backport of [NET-5146] security: Upgrade Go and x/net into release/1.0.x#2722

Merged
zalimeni merged 2 commits into release/1.0.x from backport/zalimeni/net-5146-bump-go-net_http-cve/manual-1.0.x on Aug 4, 2023
Conversation

@zalimeni
Member

@zalimeni zalimeni commented Aug 3, 2023

Manual backport (different Go version) of #2710, replaces #2712

Upgrade to Go 1.19.12 and net/http 1.13.0 to resolve CVE-2023-29409 and CVE-2023-3978.

Also, correct the changelog of the previous bump, which did not account for the Go version difference.

How I've tested this PR: tests continue to pass

How I expect reviewers to test this PR: 👀

Checklist:

This was a manually backported change due to differences in Go versions
(1.20 vs. 1.19), which should also be reflected in the backported
changelog. As a result, alter that changelog file to point to the manual
backport PR directly.
Comment on lines 1 to 4
```release-note:security
Upgrade to use Go 1.20.6 and `x/net/http` 0.12.0.
Upgrade to use Go 1.19.11 and `x/net/http` 0.12.0.
This resolves [CVE-2023-29406](https://github.com/advisories/GHSA-f8f7-69v5-w4vx)(`net/http`).
```
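Review bot: this hunk changes only the Go version in the previous bump's entry (1.20.6 to 1.19.11) and leaves `x/net/http` 0.12.0 and the CVE-2023-29406 reference as they were, which matches the stated intent of correcting the earlier changelog. The versions and CVEs this PR itself addresses (Go 1.19.12, CVE-2023-29409, CVE-2023-3978) do not appear in these lines, so confirm that a separate release-note file for this bump is part of the diff rather than relying on this corrected entry.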
Member Author

Corrected changelog from previous bump PR #2650

@zalimeni zalimeni requested review from curtbushko and picatz August 3, 2023 14:04
@zalimeni zalimeni added the pr/no-backport label (signals that a PR will not contain a backport) Aug 3, 2023
@zalimeni
Member Author

zalimeni commented Aug 4, 2023

Spent several hours trying to get this to pass, but it seems we have some persistent flaking in the CNI partitions acceptance test. Given the low risk of this change, I'm going to merge and follow up on that breakage separately.

@zalimeni zalimeni merged commit 96718ee into release/1.0.x Aug 4, 2023
@zalimeni zalimeni deleted the backport/zalimeni/net-5146-bump-go-net_http-cve/manual-1.0.x branch August 4, 2023 13:11