Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-v0.14] Update golang.org/x/crypto to v0.31.0 #1755

Open
wants to merge 1 commit into
base: release-v0.14
Choose a base branch
from
Open

[release-v0.14] Update golang.org/x/crypto to v0.31.0 #1755

wants to merge 1 commit into from
+1,563 −1,563

Conversation

adambkaplan
Copy link
Member

Changes

Update golang.org/x/crypto to mitigate CVE-2024-45337. This has a severity grade of "Important" from Red Hat.

Cherry-pick of #1752

/kind dependency-change

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Update golang.org/x/crypto to v0.31.0, to mitigate CVE-2024-45337

@adambkaplan
[release-v0.14] Update golang.org/x/crypto to v0.31.0
1da0b4c 
Update golang.org/x/crypto to mitigate CVE-2024-45337.

Cherry-pick of shipwright-io#1752

Signed-off-by: Adam Kaplan <[email protected]>
@openshift-ci openshift-ci bot added release-note Label for when a PR has specified a release note kind/dependency-change Categorizes issue or PR as related to changing dependencies labels Dec 17, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 17, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from adambkaplan. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pull-request-size pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Dec 17, 2024
@adambkaplan
Copy link
Member Author

@SaschaSchwarze0 @qu1queee I more or less cherry-picked #1752 to mitigate this vulnerability. Do we want to merge this and release a v0.14.1?

@adambkaplan adambkaplan mentioned this pull request Dec 17, 2024
Open
@SaschaSchwarze0
Copy link
Member

SaschaSchwarze0 commented Dec 18, 2024
edited
Loading

@adambkaplan

To get a green PR, you need to cherry-pick #1731 first (edit: did that, #1757).

We can release v0.14.1, but unless you have time pressure, we can then also get #1751 reviewed and let the automation create the release automatically. Though, it would actually NOT create a release because of the crypto vulnerability because that is not relevant to our code base (I know why one would still want to bump it, the scanning tools ...), but there are other vulnerabilities that it can mitigate. (edit: just noticed that it lists the vulnerability, just not in all images)

Another reason to wait for tomorrow is to pick up the ubi9-minimal update from today and let the next base image build pick that up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apoorvajagtap apoorvajagtap Awaiting requested review from apoorvajagtap

@karanibm6 karanibm6 Awaiting requested review from karanibm6

Assignees
No one assigned
Labels
kind/dependency-change Categorizes issue or PR as related to changing dependencies release-note Label for when a PR has specified a release note size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
Shipwright Overview
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adambkaplan @SaschaSchwarze0