build, vendor: address CVE-2024-45338 #86

Merged

@maiqueb maiqueb commented Jan 9, 2025

What this PR does / why we need it:
Bump golang.org/x/net to v0.34.0, which is the latest released version.
The aforementioned CVE is fixed in v0.33.0.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes: https://github.com/kubevirt/ipam-extensions/security/dependabot/3
Fixes: https://github.com/kubevirt/ipam-extensions/security/dependabot/4

Special notes for your reviewer:

Release note:

NONE

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jan 9, 2025
@kubevirt-bot kubevirt-bot requested review from oshoval and qinqon January 9, 2025 11:39
oshoval commented Jan 9, 2025

Nice, thanks.
FYI, this script can auto-do those bumps unless they require manual intervention:
kubevirt/cluster-network-addons-operator#1968

@oshoval oshoval left a comment


Worth making sure we run make vendor on CI (I will check later),
because otherwise we have already had cases where stuff was forgotten.

go.mod Outdated
@@ -57,13 +58,13 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/net v0.33.0 // indirect
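Review bot: the require line in this hunk pins golang.org/x/net at v0.33.0 while the PR description says the bump is to v0.34.0; make the two agree (v0.33.0 is the first release carrying the CVE-2024-45338 fix, so either version closes the dependabot alerts, but the description should state what go.mod actually pins). Since the module is `// indirect` and this repository vendors dependencies, the same change must re-run `go mod tidy && go mod vendor` so that go.sum and vendor/modules.txt record the same version as go.mod; otherwise `go build -mod=vendor` fails with an inconsistent-vendoring error, which is exactly the "forgotten vendor" case raised in the review summary.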
Collaborator


there is already 0.34.0 if you want

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025
@maiqueb maiqueb force-pushed the bump-golang-net-lib-CVE-2024-45338 branch from cdfe916 to 34858a2 Compare January 9, 2025 11:49
@kubevirt-bot kubevirt-bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025
@maiqueb maiqueb force-pushed the bump-golang-net-lib-CVE-2024-45338 branch from 34858a2 to 05e2b47 Compare January 9, 2025 11:52
oshoval commented Jan 9, 2025

Seems there isn't a make vendor target that does go mod tidy / go mod vendor, neither in the Makefile nor in GitHub Actions, right?
Worth adding in a follow-up if so.

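As an added example (not code from this PR or from the kubevirt/ipam-extensions project), the two checks this thread asks for, written in Go: whether go.mod pins golang.org/x/net at or above the first version carrying the CVE-2024-45338 fix (v0.33.0, per the PR description), and whether vendor/modules.txt still matches go.mod after a bump, the "forgotten make vendor" case. The go.mod and modules.txt contents are constructed samples modelled on the hunk above, and all function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// parseRequires maps module path -> version for every require directive in a
// go.mod (single-line and block form); comments such as "// indirect" are ignored.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// numericCore reduces a tag or pseudo-version ("v0.33.0", "v0.0.0-20220722155223-a9213eeb770e")
// to its MAJOR.MINOR.PATCH numbers; anything after "-" or "+" is dropped.
func numericCore(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionAtLeast reports whether v >= min by numeric core (sufficient for
// tagged releases like golang.org/x/net's, where fixes ship in release tags).
func versionAtLeast(v, min string) bool {
	a, b := numericCore(v), numericCore(min)
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// fixedInGoMod reports whether go.mod pins module at or above the first fixed
// version; the pinned version is returned for the report ("" if absent).
func fixedInGoMod(gomod, module, fixed string) (bool, string) {
	pinned, ok := parseRequires(gomod)[module]
	return ok && versionAtLeast(pinned, fixed), pinned
}

// vendorDrift lists go.mod requirements whose version differs from what
// vendor/modules.txt records in its "# module version" header lines. This is
// the state `go build -mod=vendor` rejects as inconsistent vendoring.
func vendorDrift(gomod, modulesTxt string) []string {
	vendored := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 3 && f[0] == "#" {
			vendored[f[1]] = f[2]
		}
	}
	var drift []string
	for mod, want := range parseRequires(gomod) {
		if got := vendored[mod]; got != want {
			drift = append(drift, fmt.Sprintf("%s: go.mod %s, vendor %q", mod, want, got))
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	// Constructed go.mod and a stale vendor/modules.txt, modelled on this PR's hunk.
	const goMod = "module example.com/ipam-extensions\n\ngo 1.22\n\nrequire (\n" +
		"\tgo.uber.org/zap v1.26.0 // indirect\n\tgolang.org/x/net v0.33.0 // indirect\n)\n"
	const staleVendor = "# go.uber.org/zap v1.26.0\n## explicit; go 1.19\ngo.uber.org/zap\n" +
		"# golang.org/x/net v0.23.0\n## explicit; go 1.18\ngolang.org/x/net/html\n"
	ok, pinned := fixedInGoMod(goMod, "golang.org/x/net", "v0.33.0")
	fmt.Printf("golang.org/x/net pinned at %s, CVE-2024-45338 fix present: %v\n", pinned, ok)
	for _, d := range vendorDrift(goMod, staleVendor) {
		fmt.Println("vendor drift:", d)
	}
}
```

With the real toolchain the equivalent CI gate is `go mod tidy && go mod vendor && git diff --exit-code go.mod go.sum vendor/`, which fails the job whenever a contributor bumped go.mod without refreshing vendor/; `govulncheck ./...` complements it by reporting whether the vulnerable functions are actually reachable from the project's code rather than only present in the module graph.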

oshoval commented Jan 9, 2025

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

maiqueb commented Jan 9, 2025

> Nice, thanks. FYI, this script can auto-do those bumps unless they require manual intervention: kubevirt/cluster-network-addons-operator#1968

I'd rather rely on dependabot for this kind of stuff ...

Bump golang.org/x/net to v0.34.0, which is the latest released version.
The aforementioned CVE is fixed in v0.33.0.

Signed-off-by: Miguel Duarte Barroso <[email protected]>
@maiqueb maiqueb force-pushed the bump-golang-net-lib-CVE-2024-45338 branch from 05e2b47 to 0237c0d Compare January 9, 2025 11:55
@kubevirt-bot kubevirt-bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

oshoval commented Jan 9, 2025

/lgtm

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

maiqueb commented Jan 9, 2025

/approve

@kubevirt-bot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maiqueb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 9, 2025
@kubevirt-bot kubevirt-bot merged commit 6c2fc33 into kubevirt:main Jan 9, 2025
4 checks passed
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. size/XXL