Fixed CVE-2022-27664 Bump golang.org/x/net to v0.1.1-0.20221027164007-c63010009c80 #112693
Hi @aimuz. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest
@aimuz: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
fae8cf0 to 4b2ddfa
/unhold
Upstream work is done, this PR can continue
…07-c63010009c80 Fixed https://pkg.go.dev/vuln/GO-2022-0969 Signed-off-by: aimuz <mr.imuz@gmail.com>
4b2ddfa to 78c704d
/test pull-kubernetes-unit
/test pull-kubernetes-e2e-capz-windows-containerd
/lgtm
Do you need a cherry pick for this?
I don't see a reason we wouldn't pick this to 1.23 as well (it will likely result in bumps to other golang.org/x/... deps as well)
https://pkg.go.dev/vuln/GO-2022-0969 According to @xmudrii's description, 1.23 is compiled with go1.17. According to the vulnerability description, the standard library net/http in versions before go 1.18.6 also has the problem, so if this is cherry-picked to 1.23, it may not completely solve the problem. Next, I will first try to cherry-pick this PR to 1.23, and I will verify it with Go 1.17.
@aimuz Reading the vulnerability report that you linked, it seems like updating the
…3-upstream-release-1.25 Automated cherry pick of #112693: Fixed (CVE-2022-27664) Bump golang.org/x/net to
…3-upstream-release-1.24 Automated cherry pick of #112693: Fixed (CVE-2022-27664) Bump golang.org/x/net to
Signed-off-by: aimuz mr.imuz@gmail.com
What type of PR is this?
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
fix https://pkg.go.dev/vuln/GO-2022-0969
Fixes #112758
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: