
Upticking cryptography to address 41.0.5 security vulnerability. #852

Merged
merged 4 commits into main from ADAP-1045/security_issue_in_cryptography_package
Nov 29, 2023

Conversation

VersusFacit
Contributor

resolves #845

Problem

DDOS vulnerability. Timely fix.

Solution

Uptick it past 41.0.5.

Checklist

  • I have read the contributing guide and understand what's expected of me
  • I have run this code in development and it appears to resolve the stated issue
  • This PR includes tests, or tests are not required/relevant for this PR
  • This PR has no interface changes (e.g. macros, cli, logs, json artifacts, config files, adapter interface, etc) or this PR has already received feedback and approval from Product or DX
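The fix in this PR is a dependency pin, so the check a reviewer wants is whether a requirement specifier still admits the affected release. The following is an added example, not code from dbt-snowflake or from this PR: it parses simple PEP 440-style specifiers (`>=`, `>`, `<=`, `<`, `==`, `!=` on plain dotted versions) and reports the lines that still allow 41.0.5. The sample requirement lines are constructed, and the `>=41.0.6` bound is an assumption about the first release above 41.0.5; the bound this PR actually sets lives in its diff, not on this page. Note the edge case in `specifier_allows`: a bare package name with no clauses admits every version, including the vulnerable one.

```python
"""Audit requirement specifiers for ones that still admit a known-affected release."""
import re
from typing import List, Tuple

# Constructed sample requirement lines (not from the PR's diff). The first is a
# loose lower bound that still permits 41.0.5; the second is the kind of uptick
# this PR describes. The ">=41.0.6" value is an assumption about the fixed release.
SAMPLE_REQUIREMENTS = [
    "cryptography>=3.2,<42.0.0",
    "cryptography>=41.0.6,<42.0.0",
    "requests>=2.0",
]

# The PR moves past 41.0.5, so treat 41.0.5 as the last affected release (assumption).
VULNERABLE_VERSION = "41.0.5"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a plain dotted release such as '41.0.5' into a comparable tuple.

    Pre-release and local suffixes (41.0.5rc1, 1.0+local) are deliberately not
    handled, which keeps the example free of third-party dependencies.
    """
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '41.0' and '41.0.0' compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def clause_allows(op: str, bound: str, version: str) -> bool:
    """True if `version` satisfies one clause such as ('>=', '41.0.6')."""
    v, b = _padded(parse_version(version), parse_version(bound))
    return {
        ">=": v >= b,
        "<=": v <= b,
        "==": v == b,
        "!=": v != b,
        ">": v > b,
        "<": v < b,
    }[op]


def parse_requirement(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'name>=1,<2' into ('name', [('>=', '1'), ('<', '2')])."""
    match = _REQ_RE.match(line)
    if not match:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, rest = match.group(1), match.group(2)
    clauses = []
    for part in (p.strip() for p in rest.split(",")):
        if not part:
            continue
        clause = _CLAUSE_RE.match(part)
        if not clause:
            raise ValueError(f"unsupported clause {part!r} in {line!r}")
        clauses.append((clause.group(1), clause.group(2)))
    return name, clauses


def specifier_allows(line: str, version: str) -> bool:
    """True if every clause admits `version`. No clauses at all means anything goes."""
    _, clauses = parse_requirement(line)
    return all(clause_allows(op, bound, version) for op, bound in clauses)


def _canonical(name: str) -> str:
    """Normalise a distribution name so 'Cryptography' and 'cryptography' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(lines: List[str], package: str, vulnerable_version: str) -> List[str]:
    """Return the requirement lines for `package` that still admit vulnerable_version."""
    findings = []
    for line in lines:
        name, _ = parse_requirement(line)
        if _canonical(name) != _canonical(package):
            continue
        if specifier_allows(line, vulnerable_version):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for offender in audit(SAMPLE_REQUIREMENTS, "cryptography", VULNERABLE_VERSION):
        print(f"still admits {VULNERABLE_VERSION}: {offender}")
```

Run against a real `setup.py` or requirements file by feeding its dependency lines to `audit`; a line that comes back is one the backport branches in this thread would also need to tighten.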

@VersusFacit VersusFacit requested a review from a team as a code owner November 28, 2023 23:19
@VersusFacit VersusFacit requested a review from Fleid November 28, 2023 23:19
@VersusFacit VersusFacit self-assigned this Nov 28, 2023
Contributor

Thank you for your pull request! We could not find a changelog entry for this change. For details on how to document a change, see the dbt-snowflake contributing guide.

@VersusFacit VersusFacit force-pushed the ADAP-1045/security_issue_in_cryptography_package branch from 9f43e67 to 6fdcb88 Compare November 28, 2023 23:21
@cla-bot cla-bot bot added the cla:yes label Nov 28, 2023
@dbt-labs dbt-labs deleted a comment from cla-bot bot Nov 28, 2023
@VersusFacit VersusFacit force-pushed the ADAP-1045/security_issue_in_cryptography_package branch from 6fdcb88 to 43ac4dd Compare November 28, 2023 23:23
@VersusFacit VersusFacit added the Skip Changelog Skips GHA to check for changelog file label Nov 28, 2023
@mikealfare
Contributor

I noticed you skipped the changelog. I think we have a type for security fixes. Is there a reason to not use that?

How far back do we need to backport this?

@VersusFacit VersusFacit removed the Skip Changelog Skips GHA to check for changelog file label Nov 29, 2023
@VersusFacit
Contributor Author

VersusFacit commented Nov 29, 2023

@mikealfare oop! Glad you pointed out the changelog. I'm still coming to our current state of affairs process-wise. Added changelog!

As for how far to backport, not sure. Does it make sense to cover each of the versions we host in Cloud? So the last 4 inclusive? 1.7, 1.6, 1.5, 1.4?

@VersusFacit VersusFacit merged commit b75f26a into main Nov 29, 2023
13 checks passed
@VersusFacit VersusFacit deleted the ADAP-1045/security_issue_in_cryptography_package branch November 29, 2023 02:46
@VersusFacit VersusFacit added backport 1.4.latest backport 1.7.latest Tag for PR to be backported to the 1.7.latest branch labels Nov 29, 2023
Contributor

The backport to 1.4.latest failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.4.latest 1.4.latest
# Navigate to the new working tree
cd .worktrees/backport-1.4.latest
# Create a new branch
git switch --create backport-852-to-1.4.latest
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b75f26a7243dc69d3f16a75620e2fb79bfd1bf9a
# Push it to GitHub
git push --set-upstream origin backport-852-to-1.4.latest
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.4.latest

Then, create a pull request where the base branch is 1.4.latest and the compare/head branch is backport-852-to-1.4.latest.

Contributor

The backport to 1.5.latest failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.5.latest 1.5.latest
# Navigate to the new working tree
cd .worktrees/backport-1.5.latest
# Create a new branch
git switch --create backport-852-to-1.5.latest
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b75f26a7243dc69d3f16a75620e2fb79bfd1bf9a
# Push it to GitHub
git push --set-upstream origin backport-852-to-1.5.latest
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.5.latest

Then, create a pull request where the base branch is 1.5.latest and the compare/head branch is backport-852-to-1.5.latest.

Contributor

The backport to 1.6.latest failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.6.latest 1.6.latest
# Navigate to the new working tree
cd .worktrees/backport-1.6.latest
# Create a new branch
git switch --create backport-852-to-1.6.latest
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b75f26a7243dc69d3f16a75620e2fb79bfd1bf9a
# Push it to GitHub
git push --set-upstream origin backport-852-to-1.6.latest
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.6.latest

Then, create a pull request where the base branch is 1.6.latest and the compare/head branch is backport-852-to-1.6.latest.

Contributor

The backport to 1.7.latest failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.7.latest 1.7.latest
# Navigate to the new working tree
cd .worktrees/backport-1.7.latest
# Create a new branch
git switch --create backport-852-to-1.7.latest
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b75f26a7243dc69d3f16a75620e2fb79bfd1bf9a
# Push it to GitHub
git push --set-upstream origin backport-852-to-1.7.latest
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.7.latest

Then, create a pull request where the base branch is 1.7.latest and the compare/head branch is backport-852-to-1.7.latest.


Successfully merging this pull request may close these issues.

[ADAP-1045] [CT-3413] Vulnerability in cryptography package used in DBT