Skip to content

Bug 2071538: Address CVE-2022-21698 #226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 1 commit into from
Apr 8, 2022
Merged

Bug 2071538: Address CVE-2022-21698 #226

openshift-merge-robot merged 1 commit into from
Apr 8, 2022

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Mar 24, 2022

This is an automated cherry-pick of #224

/assign pierreprinetti

Preemptively address CVE-2022-21698

@pierreprinetti
Address CVE-2022-21698
e82b7fb 
Upgrade the Prometheus client to v1.11.1.

This commit is the result of running:

```
go get github.com/prometheus/client_golang@v1.11.1 \
        && go mod tidy && go mod vendor
```

See the Prometheus advisory: GHSA-cg3q-j54f-5p7p
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Mar 24, 2022
Merged
@openshift-ci openshift-ci bot requested review from EmilienM and mandre March 24, 2022 16:06
@openshift-ci
Copy link

openshift-ci bot commented Mar 24, 2022

@openshift-cherrypick-robot: An error was encountered cloning bug for cherrypick for bug 2067870 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message. code 120: You tried to restrict a bug to the 'qe_staff' group, but either this group does not exist, or you are not allowed to restrict bugs to this group in the 'OpenShift Container Platform' product.

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

Details

In response to this:

[release-4.10] Bug 2067870: Address CVE-2022-21698

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pierreprinetti
Copy link
Member

pierreprinetti commented Mar 24, 2022

@mandre
What do you want to do with this backport?

@mandre
Copy link
Member

mandre commented Mar 24, 2022

What do you want to do with this backport?

Let's merge it. It's not too costly. Let's hold on other backports until we figure how far we want to backport. Have we evaluated the severity of the CVE for the different components we own?

@openshift-ci
Copy link

openshift-ci bot commented Mar 24, 2022

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@EmilienM
Copy link
Member

EmilienM commented Mar 29, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 29, 2022
@pierreprinetti
Copy link
Member

pierreprinetti commented Apr 4, 2022

/retitle Bug 2071538: Address CVE-2022-21698

@openshift-ci openshift-ci bot changed the title [release-4.10] Bug 2067870: Address CVE-2022-21698 Bug 2071538: Address CVE-2022-21698 Apr 4, 2022
@openshift-ci openshift-ci bot added bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Apr 4, 2022
@openshift-ci
Copy link

openshift-ci bot commented Apr 4, 2022

@openshift-cherrypick-robot: This pull request references Bugzilla bug 2071538, which is invalid:

  • expected the bug to target the "4.10.z" release, but it targets "4.11.0" instead
  • expected dependent Bugzilla bug 2067870 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is ASSIGNED instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Bug 2071538: Address CVE-2022-21698

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-bot
Copy link

openshift-bot commented Apr 5, 2022

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-ci openshift-ci bot added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Apr 5, 2022
@openshift-ci
Copy link

openshift-ci bot commented Apr 5, 2022

@openshift-bot: This pull request references Bugzilla bug 2071538, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.z) matches configured target release for branch (4.10.z)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2067870 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2067870 targets the "4.11.0" release, which is one of the valid target releases: 4.11.0
  • bug has dependents

Requesting review from QA contact:
/cc @eurijon

Details

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Copy link

openshift-ci bot commented Apr 5, 2022

@openshift-ci[bot]: GitHub didn't allow me to request PR reviews from the following users: eurijon.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@openshift-bot: This pull request references Bugzilla bug 2071538, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.z) matches configured target release for branch (4.10.z)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2067870 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2067870 targets the "4.11.0" release, which is one of the valid target releases: 4.11.0
  • bug has dependents

Requesting review from QA contact:
/cc @eurijon

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pierreprinetti
Copy link
Member

pierreprinetti commented Apr 7, 2022

/approve

@openshift-ci
Copy link

openshift-ci bot commented Apr 7, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierreprinetti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 7, 2022
mandre
mandre reviewed Apr 8, 2022
View reviewed changes
Copy link
Member

@mandre mandre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Apr 8, 2022
@eurijon
Copy link

eurijon commented Apr 8, 2022

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Apr 8, 2022
@openshift-merge-robot openshift-merge-robot merged commit 12df76b into openshift:release-4.10 Apr 8, 2022
@openshift-ci
Copy link

openshift-ci bot commented Apr 8, 2022

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged:

Bugzilla bug 2071538 has been moved to the MODIFIED state.

Details

In response to this:

Bug 2071538: Address CVE-2022-21698

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@EmilienM EmilienM mentioned this pull request Jan 31, 2023
Closed
pierreprinetti pushed a commit to shiftstack/cluster-api-provider-openstack that referenced this pull request Apr 22, 2024
@eromanova @pierreprinetti
Fix IngexOutOfRange error if managedSecurityGroups:true (openshift#226)
62eed35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mandre mandre mandre left review comments

@EmilienM EmilienM Awaiting requested review from EmilienM

Assignees

@mandre mandre

@EmilienM EmilienM

@pierreprinetti pierreprinetti

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@openshift-cherrypick-robot @pierreprinetti @mandre @EmilienM @openshift-bot @eurijon @openshift-merge-robot