[Backport release-1.27] Fixes for CVE-2023-44487 #3577
Merged
ncopa
merged 34 commits into
k0sproject:release-1.27
from
twz123:backport-3576-to-release-1.27
Oct 24, 2023
twz123 added the security fix, dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Oct 11, 2023.
twz123 force-pushed the backport-3576-to-release-1.27 branch from 4f04659 to fa2b063 on October 12, 2023 11:01.
twz123 changed the title from "[Backport release-1.27] Bump google.golang.org/grpc from 1.54.0 to 1.58.3" to "[Backport release-1.27] Fixes for CVE-2023-44487" on Oct 12, 2023.
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.54.0...v1.55.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 1bbd387)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.7.0 to 0.8.0. - [Commits](golang/sys@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 993e5d2)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.8.0 to 0.9.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit a93cc8c)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0. - [Commits](golang/crypto@v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 3a7fbee)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 591460e)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.9.1...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit a79def6)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0. - [Commits](golang/sys@v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 451c99c)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.9.0 to 0.10.0. - [Commits](golang/crypto@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 6eec654)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.10.0 to 0.11.0. - [Commits](golang/mod@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit f9a0dcf)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.2.0 to 0.3.0. - [Commits](golang/sync@v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 670dae4)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.3 to 0.10.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.9.3...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 4034c61)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.55.0 to 1.56.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.55.0...v1.56.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c6cd5a6)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.11.0 to 0.12.0. - [Commits](golang/mod@v0.11.0...v0.12.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 6d31572)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.9.0 to 0.10.0. - [Commits](golang/sys@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 36a6e8f)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.10.0 to 0.11.0. - [Commits](golang/crypto@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 9121f1a)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.1 to 1.56.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.56.1...v1.56.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit f6dd695)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c9e9365)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.2 to 1.57.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.56.2...v1.57.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c053307)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.11.0 to 0.11.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.11.0...v0.11.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 5abdb39)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.11.0 to 0.12.0. - [Commits](golang/crypto@v0.11.0...v0.12.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit cd74894)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.11.1 to 0.12.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.11.1...v0.12.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 67f6afe)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.12.0 to 0.13.0. - [Commits](golang/crypto@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 951c31c)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.58.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.57.0...v1.58.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 56eefe1)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.12.0 to 0.13.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit d06e99a)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.0 to 1.58.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.0...v1.58.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 3d8aff2)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.1 to 1.58.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.1...v1.58.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 91ffada)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.12.0 to 0.13.0. - [Commits](golang/sys@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 4eeb4f5) (cherry picked from commit 28a9b10)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.3.0 to 0.4.0. - [Commits](golang/sync@v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 2512292) (cherry picked from commit 41075ed)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.12.0 to 0.13.0. - [Commits](golang/mod@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c2172d5) (cherry picked from commit f1dd707)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.13.0 to 0.14.0. - [Commits](golang/crypto@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 8985fcf) (cherry picked from commit b03d62b)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 6f87023) (cherry picked from commit f23349f)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.2...v1.58.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 054ef1a) (cherry picked from commit 64d0bf2)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0. - [Commits](golang/net@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c6209a8) (cherry picked from commit e1032fd)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0. - [Commits](golang/net@v0.8.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... See: 9661a8d ("Bump golang.org/x/net from 0.13.0 to 0.17.0 in /hack/tool") Signed-off-by: Tom Wieczorek <[email protected]>
twz123 force-pushed the backport-3576-to-release-1.27 branch from fa2b063 to 2252f27 on October 12, 2023 14:20.
twz123 added the backport/release-1.26 (PR that needs to be backported/cherrypicked to release-1.26 branch) label on Oct 12, 2023.
ncopa approved these changes on Oct 24, 2023.
Backport failed for Please cherry-pick the changes locally.

```sh
git fetch origin release-1.26
git worktree add -d .worktree/backport-3577-to-release-1.26 origin/release-1.26
cd .worktree/backport-3577-to-release-1.26
git checkout -b backport-3577-to-release-1.26
ancref=$(git merge-base 621e6c09f2ceb53abb47b38f2226d167736fe504 2252f27e232acd3b10e7d8c66f149ac4045fdaf4)
git cherry-pick -x $ancref..2252f27e232acd3b10e7d8c66f149ac4045fdaf4 |
```
Labels: backport/release-1.26 (PR that needs to be backported/cherrypicked to release-1.26 branch), dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code), security fix.
Fixes CVE-2023-44487. Golang probably has its own CVE number assigned for their patches (they refer to it as CVE-2023-39325).

Backport to release-1.27. See: