
[Backport release-1.28] Fixes for CVE-2023-44487 #3576

Merged
ncopa merged 8 commits into k0sproject:release-1.28 from backport-3573-to-release-1.28
Oct 23, 2023

Conversation

@twz123 twz123 added labels: security fix; dependencies (Pull requests that update a dependency file); go (Pull requests that update Go code); backport/release-1.27 (PR that needs to be backported/cherrypicked to release-1.27 branch) on Oct 11, 2023
@twz123 twz123 force-pushed the backport-3573-to-release-1.28 branch from fd3988c to 587ed42 on October 12, 2023 10:58
@twz123 twz123 changed the title from "[Backport release-1.28] Bump google.golang.org/grpc from 1.58.2 to 1.58.3" to "[Backport release-1.28] Fixes for CVE-2023-44487" on Oct 12, 2023
@twz123 twz123 force-pushed the backport-3573-to-release-1.28 branch from 587ed42 to dab34aa on October 12, 2023 11:29
dependabot bot added 6 commits October 12, 2023 13:53
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.12.0 to 0.13.0.
- [Commits](golang/sys@v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 4eeb4f5)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.3.0 to 0.4.0.
- [Commits](golang/sync@v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 2512292)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.12.0 to 0.13.0.
- [Commits](golang/mod@v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit c2172d5)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.13.0 to 0.14.0.
- [Commits](golang/crypto@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 8985fcf)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 6f87023)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.58.2...v1.58.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit 054ef1a)
@twz123 twz123 force-pushed the backport-3573-to-release-1.28 branch from dab34aa to 64d0bf2 on October 12, 2023 12:35
dependabot bot added 2 commits October 12, 2023 14:43
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](golang/net@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit c6209a8)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.13.0 to 0.17.0.
- [Commits](golang/net@v0.13.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
(cherry picked from commit a2a4468)
@twz123 twz123 marked this pull request as ready for review October 23, 2023 07:12
@twz123 twz123 requested a review from a team as a code owner October 23, 2023 07:12
@twz123 twz123 requested review from ncopa and jnummelin October 23, 2023 07:12
@ncopa ncopa merged commit 2977909 into k0sproject:release-1.28 Oct 23, 2023
71 checks passed

k0s-bot commented Oct 23, 2023

Backport failed for release-1.27, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.27
git worktree add -d .worktree/backport-3576-to-release-1.27 origin/release-1.27
cd .worktree/backport-3576-to-release-1.27
git checkout -b backport-3576-to-release-1.27
ancref=$(git merge-base 806cb560e39e7e13d7e04906755161b8867c07e2 9661a8da22e1fa41b02a35b0125df67b5a0810b4)
git cherry-pick -x $ancref..9661a8da22e1fa41b02a35b0125df67b5a0810b4

@twz123 twz123 deleted the backport-3573-to-release-1.28 branch October 23, 2023 14:24
3 participants