forked from k0sproject/k0s
[Snyk] Fix for 2 vulnerabilities #121
Closed
The TestSecondWatcherAcquiresReleasedLease test was racy concerning which of the two pools would acquire the lease first. As a result, the test would either fail due to an unexpected event order, or hang until aborted because the pools wouldn't emit enough events for the event collection loop to terminate. This behavior was apparently only observable on Windows. Fix this by adding appropriate values for AcquireTime, RenewTime and LeaseDurationSeconds to the pre-created lease, so that it properly reflects its acquisition by the first pool. Also remove the namespace and pool creations from the other tests, as they were unnecessary. Inline the last required lease creation into the racy test case. Remove the WithRenewDeadline options from the pools under test, as they didn't have any impact on the test, neither semantically nor in terms of execution times. Reduce the RetryPeriod to 10 milliseconds to provide even more immediate test feedback. Rename some local variables and rephrase some log strings to make them more consistent. Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 544307d)
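The commit message above explains that a pre-created lease without AcquireTime, RenewTime and LeaseDurationSeconds does not look "held" to a second pool, so which pool wins becomes a race. The following stand-alone Go program is an added illustration of that check and is not code from k0s or client-go: the `Lease` struct and the `IsHeld` rule are assumptions that mirror the meaning of the corresponding coordination.k8s.io Lease fields (holder recorded, last renewal plus duration still in the future), simplified for demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Lease is a stand-alone model of the coordination.k8s.io/v1 LeaseSpec
// fields that matter for leader election. Assumption: same field meaning
// as in the Kubernetes API; this is not client-go's type.
type Lease struct {
	HolderIdentity       string
	LeaseDurationSeconds int
	AcquireTime          *time.Time
	RenewTime            *time.Time
}

// IsHeld reports whether the lease counts as held at "now": a holder must
// be recorded and the last renewal plus the lease duration must still lie
// in the future. In this simplified model a lease that names a holder but
// carries no RenewTime (the shape of the original pre-created test lease)
// is treated as free, so a second pool may acquire it immediately.
func IsHeld(l Lease, now time.Time) bool {
	if l.HolderIdentity == "" || l.RenewTime == nil {
		return false
	}
	expiry := l.RenewTime.Add(time.Duration(l.LeaseDurationSeconds) * time.Second)
	return expiry.After(now)
}

// AcquiredBy builds a lease that properly reflects acquisition by holder at
// "now", i.e. with AcquireTime, RenewTime and LeaseDurationSeconds filled in.
func AcquiredBy(holder string, durationSeconds int, now time.Time) Lease {
	t := now
	return Lease{
		HolderIdentity:       holder,
		LeaseDurationSeconds: durationSeconds,
		AcquireTime:          &t,
		RenewTime:            &t,
	}
}

func main() {
	now := time.Now()

	// Constructed sample: holder named, but no timestamps recorded.
	bare := Lease{HolderIdentity: "pool-1", LeaseDurationSeconds: 15}
	fmt.Println("bare lease held:", IsHeld(bare, now))

	// Same holder with acquisition reflected in the timestamps.
	held := AcquiredBy("pool-1", 15, now)
	fmt.Println("acquired lease held:", IsHeld(held, now))
	fmt.Println("held after expiry:", IsHeld(held, now.Add(20*time.Second)))
}
```

Run with `go run .`; the bare lease reports false, the acquired one true until its duration elapses.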
https://go.dev/doc/devel/release#go1.20.4 https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU/m/QvrjqM4XAgAJ Fixes CVE-2023-24539, CVE-2023-24540 and CVE-2023-29400. Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 1fed414)
* Use WithError to report errors in logs
* Use error wrapping in fmt.Errorf where applicable
* Raise log level from trace to debug for some log statements
* Don't log-and-return errors
* Fix typo: reconcilation
Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 03ec4f0)
Whenever errors occur during the reconciliation of Helm charts, they are recorded in the error field of the Chart resource. However, the error status field was not cleared after a subsequent successful reconciliation, which caused the Chart resource's status to erroneously report the chart application as failed, even if it had recovered. To address this, the error status should be cleared whenever there are no errors. Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit d9bc239)
…elease-1.27 [Backport release-1.27] Bump Go to v1.20.4
…elease-1.27 [Backport release-1.27] Clear error in Helm chart status after successful reconciliation
Signed-off-by: Alexey Makhov <[email protected]> (cherry picked from commit ada2eaa)
…elease-1.27 [Backport release-1.27] Helm upgrade bug fix
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.1.0 to 0.2.0. - [Commits](golang/sync@v0.1.0...v0.2.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c9596e4)
This makes oras-go compatible with recent Docker versions. Updating this avoids dependency conflicts, as more and more transitive k0s dependencies start to adopt those Docker versions. The changes to oras-go are solely dependency bumps, including the Docker compatibility fix. See: * oras-project/oras-go@v1.2.2...f923978 * oras-project/oras-go@b35b7cb Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit e2095ae)
https://github.com/containerd/containerd/releases/tag/v1.7.1 Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 53988f2)
https://github.com/opencontainers/runc/releases/tag/v1.1.7 Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 1e9b6b7)
…elease-1.27 [Backport release-1.27] Bump containerd to v1.7.1
Signed-off-by: Alexey Makhov <[email protected]> (cherry picked from commit 26ceb23)
https://github.com/etcd-io/etcd/releases/tag/v3.5.9 Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit d7c5129)
…elease-1.27 [Backport release-1.27] Bump calico image version (vuln fixes)
Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](distribution/distribution@v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit c413441)
…se-1.27 [Backport release-1.27] Bump runc to v1.1.7
…elease-1.27 [Backport release-1.27] Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible
…elease-1.27 [Backport release-1.27] Fix racy leader pool test
This fixes CVE-2023-25151. (Maybe this is a false report, as there are only very minimal changes compared to the allegedly affected version 0.38, all of which are cosmetic.) Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit 8975a17)
…elease-1.27 [Backport release-1.27] Bump etcd to v3.5.9
Bumps [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions) from 9.11 to 10.0. - [Release notes](https://github.com/facelessuser/pymdown-extensions/releases) - [Commits](facelessuser/pymdown-extensions@9.11...10.0) --- updated-dependencies: - dependency-name: pymdown-extensions dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> (cherry picked from commit 1ef00da)
…elease-1.27 [Backport release-1.27] Bump pymdown-extensions from 9.11 to 10.0 in /docs
…elease-1.27 [Backport release-1.27] Update otelhttp to v0.39.0
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1271 Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>
[Backport release-1.27] Bump Kubernetes to v1.27.2
Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]> (cherry picked from commit 6071a68)
…elease-1.27 [Backport release-1.27] Bump sonobuoy to v0.56.16
Signed-off-by: Natanael Copa <[email protected]> (cherry picked from commit d56f58b)
[Release-1.27] Fix workerprofile data types on the generated CRD
…se-1.27 [Backport release-1.27] Bump runc to 1.1.9
Alpine 3.18 includes a fix for a bug in musl libc when there is a `search .` in /etc/resolv.conf. Fixes: k0sproject#3351 Ref: https://www.openwall.com/lists/musl/2022/08/31/5 Signed-off-by: Natanael Copa <[email protected]>
[release-1.27] Use go with alpine 3.18 (k0sproject#3351)
https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3 https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.4 Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit b7636e5)
…elease-1.27 [Backport release-1.27] Bump metrics-server to v0.6.4
…se it is not set for the component Signed-off-by: Mikhail Sakhnov <[email protected]> (cherry picked from commit e3323b8)
…elease-1.27 [Backport release-1.27] Distinguish if feature gate false because it is set as false or by default
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1274 Fixes CVE-2023-3955 and CVE-2023-3676. Signed-off-by: Tom Wieczorek <[email protected]>
[release-1.27] Bump Kubernetes to v1.27.5
https://github.com/containerd/containerd/releases/tag/v1.7.4 Signed-off-by: Jussi Nummelin <[email protected]> (cherry picked from commit 12ac830)
There's no need to do it on the self-hosted runners, and it makes the job's maintenance easier. In fact, docker-buildx is not working properly on the self-hosted runners at the moment. Signed-off-by: Tom Wieczorek <[email protected]> (cherry picked from commit fffa625)
…elease-1.27 [Backport release-1.27] Bump containerd to 1.7.4
…elease-1.27 [Backport release-1.27] Build k0s Docker image on GitHub managed runners
Uses https://github.com/mesosphere/toml-merge for merging the CRI config snippets. If a config drop-in is not a CRI config, it behaves as previously and just adds it to imports. Fixes k0sproject#3283 Signed-off-by: Jussi Nummelin <[email protected]> (cherry picked from commit 3fa95ec)
…se-1.27 [Backport release-1.27] Actually merge CRI configs from drop-ins instead of concatenating them
https://github.com/containerd/containerd/releases/tag/v1.7.5 Signed-off-by: Natanael Copa <[email protected]> (cherry picked from commit 46ee6e5)
…elease-1.27 [Backport release-1.27] Bump containerd 1.7.5
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047 - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532
twz123 force-pushed the main branch 3 times, most recently from 0f91feb to e19102f on September 21, 2023 10:31.
twz123 force-pushed the main branch 6 times, most recently from 2d02817 to 57b5560 on October 18, 2023 13:37.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
By pinning:
- SNYK-PYTHON-CERTIFI-5805047: certifi 2022.12.7 -> 2023.7.22
- SNYK-PYTHON-REQUESTS-5595532: requests 2.28.2 -> 2.31.0
Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.