[release-4.11] OCPBUGS-20748: Bump golang.org/x/net for CVE-2023-44487 by Miciah · Pull Request #989 · openshift/cluster-ingress-operator

Miciah · 2023-10-19T14:07:32Z

Bump the vendored golang.org/x/net package to v0.17.0 in order to remedy CVE-2023-44487 (the "Rapid Reset Attack").

go.mod: Bump.
go.sum:
vendor/*: Regenerate.

openshift-ci-robot · 2023-10-19T14:07:37Z

@Miciah: An error was encountered adding this pull request to the external tracker bugs for bug OCPBUGS-20748 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message.


failed to get remote links: You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 401:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

Bump the vendored golang.org/x/net package to v0.17.0 in order to remedy CVE-2023-44487 (the "Rapid Reset Attack").

go.mod: Bump.

go.sum:

vendor/*: Regenerate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Bump the vendored golang.org/x/net package to v0.17.0 in order to remedy CVE-2023-44487 (the "Rapid Reset Attack") using the following commands: go get golang.org/x/net@v0.17.0 go mod tidy go mod vendor This commit fixes OCPBUGS-20748. https://issues.redhat.com/browse/OCPBUGS-20748 * go.mod: Bump. * go.sum: * vendor/*: Regenerate.

Miciah · 2023-10-20T15:26:46Z

https://github.com/openshift/cluster-ingress-operator/compare/e6de43f89e893549237bf9b4e87a86c14c753fbf..ee7044bab67bb6780cc4946fd8c47da4a627091a adds the commands I used to do the bump to the commit message.

Miciah · 2023-10-20T17:06:29Z

/jira refresh

openshift-ci-robot · 2023-10-20T17:06:34Z

@Miciah: This pull request references Jira Issue OCPBUGS-20748, which is invalid:

expected dependent Jira Issue OCPBUGS-20765 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Miciah · 2023-10-26T13:15:34Z

e2e-aws-operator failed, and events.json has Failed to pull image "openshift/origin-node": rpc error: code = Unknown desc = reading manifest latest in docker.io/openshift/origin-node: errors:\ndenied: requested access to the resource is denied errors. Looks like we need to backport OCPBUGS-17359 to the release-4.11 branch.

Miciah · 2023-10-26T18:38:00Z

#993 should fix the "failed to pull image" failures.

ShudiLi · 2023-10-31T08:40:51Z

tested it with 4.11.0-0.ci.test-2023-10-31-075412-ci-ln-9ljwxik-latest
`
1.
% oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.0-0.ci.test-2023-10-31-075412-ci-ln-9ljwxik-latest True False 9m53s Cluster version is 4.11.0-0.ci.test-2023-10-31-075412-ci-ln-9ljwxik-latest

% oc -n openshift-ingress-operator get pods
NAME READY STATUS RESTARTS AGE
ingress-operator-7864dbd9fd-zctd8 2/2 Running 2 (22m ago) 32m

% shudi@Shudis-MacBook-Pro 44 % oc rsync -n openshift-ingress-operator ingress-operator-7864dbd9fd-zctd8:/usr/bin/ingress-operator .
receiving file list ... done
ingress-operator

% go version -m ingress-operator | grep golang.org
dep golang.org/x/crypto v0.14.0
dep golang.org/x/net v0.17.0
dep golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
dep golang.org/x/sys v0.13.0
dep golang.org/x/term v0.13.0
dep golang.org/x/text v0.13.0
dep golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
dep google.golang.org/api v0.49.0
dep google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368
dep google.golang.org/grpc v1.40.0
dep google.golang.org/protobuf v1.27.1
`

frobware · 2023-11-01T09:23:14Z

/lgtm
/approve

frobware · 2023-11-01T09:23:23Z

/retest

openshift-ci · 2023-11-01T09:24:16Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: frobware

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [frobware]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

candita · 2023-11-01T15:11:35Z

/label backport-risk-assessed

melvinjoseph86 · 2023-11-01T15:24:18Z

/label cherry-pick-approved

Miciah · 2023-11-02T14:25:54Z

/jira refresh

openshift-ci-robot · 2023-11-02T14:26:01Z

@Miciah: This pull request references Jira Issue OCPBUGS-20748, which is valid.

6 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.11.z) matches configured target version for branch (4.11.z)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
dependent bug Jira Issue OCPBUGS-20765 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-20765 targets the "4.12.z" version, which is one of the valid target versions: 4.12.0, 4.12.z
bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci · 2023-11-02T16:34:33Z

@Miciah: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci-robot · 2023-11-02T16:38:09Z

@Miciah: Jira Issue OCPBUGS-20748: All pull requests linked via external trackers have merged:

openshift/cluster-ingress-operator#989

Jira Issue OCPBUGS-20748 has been moved to the MODIFIED state.

Details

In response to this:

Bump the vendored golang.org/x/net package to v0.17.0 in order to remedy CVE-2023-44487 (the "Rapid Reset Attack").

go.mod: Bump.

go.sum:

vendor/*: Regenerate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-merge-robot · 2023-11-03T09:49:02Z

Fix included in accepted release 4.11.0-0.nightly-2023-11-03-003703

openshift-bot · 2023-11-21T13:22:05Z

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-ingress-operator-container-v4.11.0-202311211130.p0.g9e60f1f.assembly.stream for distgit ose-cluster-ingress-operator.
All builds following this will include this PR.

Miciah changed the title ~~OCPBUGS-20748: Bump golang.org/x/net for CVE-2023-44487~~ [release-4.11] OCPBUGS-20748: Bump golang.org/x/net for CVE-2023-44487 Oct 19, 2023

openshift-ci bot requested review from gcs278 and lmzuccarelli October 19, 2023 14:10

Miciah force-pushed the OCPBUGS-20748-CVE-2023-44487 branch from e6de43f to ee7044b Compare October 20, 2023 15:22

openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Oct 20, 2023

openshift-ci bot assigned frobware Nov 1, 2023

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 1, 2023

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2023

openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Nov 1, 2023

openshift-ci bot assigned lihongan, melvinjoseph86 and ShudiLi Nov 1, 2023

openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Nov 1, 2023

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 2, 2023

openshift-ci bot requested a review from ShudiLi November 2, 2023 14:26

openshift-ci bot merged commit 9e60f1f into openshift:release-4.11 Nov 2, 2023

Conversation

Miciah commented Oct 19, 2023

Uh oh!

openshift-ci-robot commented Oct 19, 2023

Uh oh!

Miciah commented Oct 20, 2023

Uh oh!

Miciah commented Oct 20, 2023

Uh oh!

openshift-ci-robot commented Oct 20, 2023

Uh oh!

Miciah commented Oct 26, 2023

Uh oh!

Miciah commented Oct 26, 2023

Uh oh!

ShudiLi commented Oct 31, 2023

Uh oh!

frobware commented Nov 1, 2023

Uh oh!

frobware commented Nov 1, 2023

Uh oh!

openshift-ci bot commented Nov 1, 2023

Uh oh!

candita commented Nov 1, 2023

Uh oh!

melvinjoseph86 commented Nov 1, 2023

Uh oh!

Miciah commented Nov 2, 2023

Uh oh!

openshift-ci-robot commented Nov 2, 2023

Uh oh!

openshift-ci bot commented Nov 2, 2023

Uh oh!

openshift-ci-robot commented Nov 2, 2023

Uh oh!

openshift-merge-robot commented Nov 3, 2023

Uh oh!

openshift-bot commented Nov 21, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants