Skip to content

OCPBUGS-5782: CVE-2021-4235: Denial of Service in go-yaml #6769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 3 commits into from
Jan 27, 2023
Merged

OCPBUGS-5782: CVE-2021-4235: Denial of Service in go-yaml #6769

openshift-merge-robot merged 3 commits into from
Jan 27, 2023

Conversation

@r4f4
Copy link
Contributor

@r4f4 r4f4 commented Jan 12, 2023

Manual cherry-pick of #6741

r4f4 added 3 commits January 12, 2023 14:40
@r4f4
pkg/asset/manifests/vsphere: use correct import path for go-yaml
55f7939 
`github.com/go-yaml/yaml` is where the project lives but the package
should be imported with `gopkg.in/yaml.v2` (https://gopkg.in/yaml.v2)
@r4f4
go-yaml: bump version to fix DoS in go-yaml
04b9ea6 
A flaw was found in go-yaml < 2.2.3. This issue occurs due to unbounded
alias chasing, where a maliciously crafted YAML file can cause the
system to consume significant system resources. If parsing user input,
this may be used as a denial of service vector.
@r4f4
terraform: bump go-yaml to fix DoS
98a2050
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 12, 2023

@r4f4: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Details

In response to this:

CVE-2021-4235: Denial of Service in go-yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@r4f4
Copy link
Contributor Author

r4f4 commented Jan 12, 2023

/jira cherrypick OCPBUGS-5324

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 12, 2023

@r4f4: Jira Issue OCPBUGS-5324 has been cloned as Jira Issue OCPBUGS-5782. Retitling PR to link against new bug.
/retitle OCPBUGS-5782: CVE-2021-4235: Denial of Service in go-yaml

Details

In response to this:

/jira cherrypick OCPBUGS-5324

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot changed the title CVE-2021-4235: Denial of Service in go-yaml OCPBUGS-5782: CVE-2021-4235: Denial of Service in go-yaml Jan 12, 2023
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jan 12, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 12, 2023

@r4f4: This pull request references Jira Issue OCPBUGS-5782, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.0) matches configured target version for branch (4.12.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-5324 is in the state ON_QA, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-5324 targets the "4.13.0" version, which is one of the valid target versions: 4.13.0
  • bug has dependents

Requesting review from QA contact:
/cc @gpei

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Manual cherry-pick of #6741

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 12, 2023
@openshift-ci openshift-ci bot requested a review from gpei January 12, 2023 13:46
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 12, 2023

@r4f4: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Retaining the bugzilla/valid-bug label as it was manually added.

Details

In response to this:

OCPBUGS-5782: CVE-2021-4235: Denial of Service in go-yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested review from barbacbd and rna-afk January 12, 2023 13:47
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 12, 2023
edited
Loading

@r4f4: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-disruptive 98a2050 link false /test e2e-aws-ovn-disruptive
ci/prow/okd-e2e-aws-ovn-upgrade 98a2050 link false /test okd-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-workers-rhel8 98a2050 link false /test e2e-aws-ovn-workers-rhel8
ci/prow/okd-e2e-aws-ovn 98a2050 link false /test okd-e2e-aws-ovn
ci/prow/okd-scos-e2e-aws-upgrade 98a2050 link false /test okd-scos-e2e-aws-upgrade
ci/prow/okd-scos-e2e-aws-ovn 98a2050 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-upgrade 98a2050 link false /test e2e-aws-ovn-upgrade
ci/prow/e2e-crc 98a2050 link false /test e2e-crc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

barbacbd
barbacbd reviewed Jan 18, 2023
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this it the fix for the CVE, but there are also newer versions of this software. It looks like if we do decide to move to newer versions though there are some considerations and possible differences in function calls based on the comments here: go-yaml/yaml@7649d45

However this looks good to me
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 18, 2023
@patrickdillon
Copy link
Contributor

patrickdillon commented Jan 26, 2023

/approve
/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jan 26, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 26, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2023
@gpei
Copy link
Contributor

gpei commented Jan 27, 2023

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jan 27, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 27, 2023

/retest-required

Remaining retests: 0 against base HEAD 59bb8eb and 2 for PR HEAD 98a2050 in total

@openshift-merge-robot openshift-merge-robot merged commit 7fea1c4 into openshift:release-4.12 Jan 27, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 27, 2023

@r4f4: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-5782 has been moved to the MODIFIED state.

Details

In response to this:

Manual cherry-pick of #6741

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpei gpei Awaiting requested review from gpei

@rna-afk rna-afk Awaiting requested review from rna-afk

1 more reviewer

@barbacbd barbacbd barbacbd left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@barbacbd barbacbd

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@r4f4 @openshift-ci-robot @patrickdillon @gpei @barbacbd @openshift-merge-robot