
CVE-2024-6104: go-retryablehttp 0.7.7#2401

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:mce-2.3 from 2uasimojo:CVE-2024-6104/mce-2.3
Aug 5, 2024

Conversation

@2uasimojo (Member) commented Aug 2, 2024

✗ Medium severity vulnerability found in github.com/hashicorp/go-retryablehttp
Description: Insertion of Sensitive Information into Log File
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHASHICORPGORETRYABLEHTTP-7362036
Introduced through:
  github.com/IBM/go-sdk-core/v5/core@5.16.3,
  github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0,
  github.com/IBM/networking-go-sdk/zonesv1@0.45.0,
  github.com/IBM/vpc-go-sdk/vpcv1@0.50.0,
  github.com/IBM/platform-services-go-sdk/resourcecontrollerv2@0.62.0,
  github.com/IBM/platform-services-go-sdk/resourcemanagerv2@0.62.0,
  github.com/IBM/platform-services-go-sdk/iamidentityv1@0.62.0,
  github.com/openshift/installer/pkg/asset/machines/ibmcloud@#304af6735c65,
  github.com/openshift/installer/pkg/destroy/ibmcloud@#304af6735c65,
  github.com/openshift/installer/pkg/asset/machines/gcp@#304af6735c65,
  github.com/openshift/installer/pkg/asset/machines/aws@#304af6735c65,
  github.com/openshift/installer/pkg/asset/machines/azure@#304af6735c65,
  github.com/openshift/installer/pkg/asset/machines/openstack@#304af6735c65,
  github.com/openshift/installer/pkg/asset/machines/vsphere@#304af6735c65
From: github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/dnsrecordsv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
From: github.com/IBM/networking-go-sdk/zonesv1@0.45.0 > github.com/IBM/go-sdk-core/v5/core@5.16.3 > github.com/hashicorp/go-retryablehttp@0.7.5
and 25 more...
Fixed in: 0.7.7

CVE-2024-6104
ACM-12348

(not successfully cherry picked from commit b9bebcf)

@openshift-ci openshift-ci bot requested review from jstuever and suhanime August 2, 2024 21:34
@openshift-ci openshift-ci bot added the approved label (approved by an approver from all required OWNERS files) Aug 2, 2024
Manual bump due to cherry-pick conflicts

@2uasimojo 2uasimojo force-pushed the CVE-2024-6104/mce-2.3 branch from a6fe898 to e861e1c August 2, 2024 21:38
@2uasimojo 2uasimojo changed the title Manual bump due to cherry-pick conflicts CVE-2024-6104: go-retryablehttp 0.7.7 Aug 2, 2024
@openshift-ci-robot commented

@2uasimojo: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@codecov codecov bot commented Aug 2, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.80%. Comparing base (db99388) to head (e861e1c).


@@           Coverage Diff            @@
##           mce-2.3    #2401   +/-   ##
========================================
  Coverage    57.80%   57.80%           
========================================
  Files          186      186           
  Lines        25333    25333           
========================================
  Hits         14645    14645           
  Misses        9437     9437           
  Partials      1251     1251           

@2uasimojo (Member, Author) commented

/override ci/prow/security

Backport of #2387 will fix

/assign @suhanime

@suhanime (Contributor) commented Aug 5, 2024

/lgtm

@openshift-ci openshift-ci bot commented Aug 5, 2024

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security



@openshift-ci openshift-ci bot commented Aug 5, 2024

@2uasimojo: all tests passed!


@openshift-ci openshift-ci bot added the lgtm label (PR is ready to be merged) Aug 5, 2024
@openshift-ci openshift-ci bot commented Aug 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, suhanime


@openshift-merge-bot openshift-merge-bot bot merged commit 1009029 into openshift:mce-2.3 Aug 5, 2024
@2uasimojo 2uasimojo deleted the CVE-2024-6104/mce-2.3 branch August 5, 2024 16:04