OCPBUGS-46260: CVE-2024-45337 bump crypto pkg to v0.31.0 #9314
Conversation
The installer does not run any ssh servers or use ServerConfig.PublicKeyCallback, so is not affected by CVE-2024-45337, but we might as well upgrade to the safe version to avoid any potential confusion from scanners. go mod edit -require=golang.org/x/[email protected]
go mod tidy && go mod vendor
openshift-ci-robot
added
jira/severity-important
|
@patrickdillon: This pull request references Jira Issue OCPBUGS-46260, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/invalid-bug
|
/jira refresh |
openshift-ci-robot
added
the
jira/valid-bug
|
@patrickdillon: This pull request references Jira Issue OCPBUGS-46260, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
removed
the
jira/invalid-bug
|
@patrickdillon: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: barbacbd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Do we care about the crypto version used by terraform and cluster-api + providers? $ fd -e mod -x rg -l "golang\.org/x/crypto v"
./go.mod
./terraform/terraform/go.mod
./terraform/providers/ignition/go.mod
./cluster-api/cluster-api/go.mod
./terraform/providers/azurestack/go.mod
./terraform/providers/ibm/go.mod
./cluster-api/providers/nutanix/go.mod
./cluster-api/providers/ibmcloud/go.mod
./cluster-api/providers/azureaso/go.mod
./cluster-api/providers/aws/go.mod
./cluster-api/providers/azure/go.mod
./cluster-api/providers/gcp/go.mod
$ fd -e mod -x rg "golang\.org/x/crypto v"
golang.org/x/crypto v0.29.0
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/crypto v0.29.0 // indirect
golang.org/x/crypto v0.15.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/crypto v0.24.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/crypto v0.14.0 // indirect |
Good question. I did search through the vendored code to ensure that none of the packages are vulnerable, so it is not critical that we update. But thinking about it fresh after your question, it would be best imho to approach it upstream as we are here. We should bump the packages in the upstream repos (at least capi), like we are doing in the installer. I will add this as a task for our incoming intern. |
The installer does not run any ssh servers or use ServerConfig.PublicKeyCallback, so is not affected by CVE-2024-45337 , but we might as well upgrade to the safe version to avoid any potential confusion from scanners. We will fix this at main, but don't plan any backports (as we are not actually vulnerable).