OCPBUGS-32844: bump go-jose to fix CVE-2024-28180 #398

Open: wants to merge 1 commit into base release-4.14

Conversation

@avinal (Member) commented Jun 19, 2024

Changes

  • gopkg.in/square/go-jose.v2 has been deprecated
  • replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes a multiple imports issue
  • replaced with security release github.com/go-jose/go-jose v2.6.3
  • fixes GHSA-c5q2-7r4c-mv6g

Signed-off-by: Avinal Kumar avinal@redhat.com

Release note

CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.
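The denial of service named in the release note, GHSA-c5q2-7r4c-mv6g, is a decompression bomb: a JWE whose payload is compressed with DEFLATE ("zip": "DEF") and expands to far more than its wire size when the library inflates it during decryption. The following Go program is an added example, not code from this PR or from go-jose itself, contrasting the unbounded inflate that made this possible with a bounded inflate of the kind the patched releases use. The 250 KiB cap, the sample bomb and the sample claims are constructed for illustration and are not taken from this page.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// MaxInflated is an assumed cap on decompressed JWE plaintext (250 KiB).
// The figure the patched go-jose uses is not stated on this page.
const MaxInflated int64 = 250 * 1024

// ErrInflatedTooLarge is returned when a payload expands past the cap.
var ErrInflatedTooLarge = errors.New("inflated payload exceeds size limit")

// deflate compresses data as a JWE with "zip":"DEF" does (raw DEFLATE).
func deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded mirrors the pre-fix behaviour: it reads until EOF, so the
// amount of memory allocated is chosen by the sender, not the receiver.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded pulls at most limit+1 bytes out of the decompressor. If that
// extra byte shows up, the payload is rejected without expanding the rest.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrInflatedTooLarge
	}
	return out, nil
}

func main() {
	// Constructed inputs: an 8 MiB run of zeros stands in for a bomb payload,
	// a small JSON object for a legitimate set of claims.
	bomb := make([]byte, 8<<20)
	claims := []byte(`{"sub":"alice","aud":"openshift-builds"}`)

	for _, in := range [][]byte{bomb, claims} {
		c, err := deflate(in)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d bytes on the wire, %d bytes inflated\n", len(c), len(in))
		out, err := inflateBounded(c, MaxInflated)
		switch {
		case errors.Is(err, ErrInflatedTooLarge):
			fmt.Println("  bounded inflate: rejected")
		case err != nil:
			panic(err)
		default:
			fmt.Printf("  bounded inflate: accepted %d bytes\n", len(out))
		}
	}
}
```

The limit is enforced by the reader, so the decompressor never produces more than limit+1 bytes before the caller bails out; checking len(out) after a full ReadAll would defeat the purpose, because the allocation has already happened by then.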

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 19, 2024
@openshift-ci-robot (Contributor) commented

@avinal: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
  • expected dependent Jira Issue OCPBUGS-32845 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Changes

  • Bump gopkg.in/go-jose/go-jose.v2 to 2.6.3

Signed-off-by: Avinal Kumar avinal@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 19, 2024
@avinal (Member, Author) commented Jun 19, 2024

/jira-refresh

@avinal avinal force-pushed the avinal/ocpbugs-32844 branch 2 times, most recently from db300b2 to 5b66a25 Compare June 24, 2024 08:26
@avinal (Member, Author) commented Jun 24, 2024

/retest

@avinal avinal force-pushed the avinal/ocpbugs-32844 branch from 5b66a25 to ad4e6d2 Compare June 24, 2024 08:29
Review comment on go.mod (outdated, resolved)
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 24, 2024
@avinal avinal force-pushed the avinal/ocpbugs-32844 branch from ad4e6d2 to 121582b Compare June 25, 2024 10:53
@openshift-ci-robot (Contributor) commented

@avinal: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Changes

  • gopkg.in/square/go-jose.v2 has been deprecated
  • replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes a multiple imports issue
  • replaced with security release github.com/go-jose/go-jose v2.6.3
  • fixes GHSA-c5q2-7r4c-mv6g

Signed-off-by: Avinal Kumar avinal@redhat.com

Release note

CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.

@avinal (Member, Author) commented Jun 26, 2024

/retest

@adambkaplan (Contributor) commented

Is this blocked by openshift/origin#28904 and its cherry-picks?

@adambkaplan (Contributor) commented

/jira refresh

@openshift-ci-robot (Contributor) commented

@adambkaplan: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

@avinal (Member, Author) commented Aug 6, 2024

/retest

- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes a multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180

Signed-off-by: Avinal Kumar <avinal@redhat.com>
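The commit replaces a deprecated module path with a patched release, and the review comment on go.mod shows that the module graph is where this gets checked. The program below is an added example, not code from this PR or from go-jose, that audits the require directives of a go.mod for go-jose modules that still use the deprecated gopkg.in/square path or sit below the patched release for their major line. The go.mod excerpt is constructed, not the repository's real file; v2.6.3 is the release this PR moves to, while v3.0.3 and v4.0.1 are taken from the upstream advisory for GHSA-c5q2-7r4c-mv6g rather than from this page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one require directive that needs attention.
type Finding struct {
	Path, Version, Reason string
}

// deprecatedPaths lists module paths that should no longer appear at all.
var deprecatedPaths = map[string]string{
	"gopkg.in/square/go-jose.v2": "deprecated module path; upstream moved to github.com/go-jose/go-jose",
}

// fixedVersions is the first patched release per major line. v2.6.3 is the
// release this PR adopts; v3.0.3 and v4.0.1 come from the upstream advisory.
var fixedVersions = map[string]string{"v2": "v2.6.3", "v3": "v3.0.3", "v4": "v4.0.1"}

// sampleGoMod is a constructed excerpt, not the repository's real go.mod.
const sampleGoMod = `module example.com/builder

go 1.21

require (
	github.com/go-jose/go-jose/v3 v3.0.1
	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
	k8s.io/api v0.28.0
)

require gopkg.in/go-jose/go-jose.v2 v2.6.3
`

// parseVersion turns "v3.0.1", "v2.6.0+incompatible" or "v4.0.0-rc1" into its
// three numeric components; pre-release and build suffixes are ignored.
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	var out [3]int
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// versionLess reports whether release a is older than release b.
func versionLess(a, b string) bool {
	va, okA := parseVersion(a)
	vb, okB := parseVersion(b)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			return va[i] < vb[i]
		}
	}
	return false
}

// requireDirectives extracts (path, version) pairs from both the single-line
// and the block form of require, dropping trailing // comments.
func requireDirectives(src string) [][2]string {
	var reqs [][2]string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		f := strings.Fields(line)
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs = append(reqs, [2]string{f[0], f[1]})
		case strings.HasPrefix(line, "require") && strings.HasSuffix(line, "("):
			inBlock = true
		case len(f) >= 3 && f[0] == "require":
			reqs = append(reqs, [2]string{f[1], f[2]})
		}
	}
	return reqs
}

// auditGoMod flags go-jose requirements on a deprecated path or below the
// patched release for their major version; the major is read from the version.
func auditGoMod(src string) []Finding {
	var findings []Finding
	for _, r := range requireDirectives(src) {
		path, ver := r[0], r[1]
		if !strings.Contains(path, "go-jose") {
			continue
		}
		if reason, ok := deprecatedPaths[path]; ok {
			findings = append(findings, Finding{path, ver, reason})
		}
		major := "v" + strings.SplitN(strings.TrimPrefix(ver, "v"), ".", 2)[0]
		if fixed, ok := fixedVersions[major]; ok && versionLess(ver, fixed) {
			findings = append(findings, Finding{path, ver, "below patched release " + fixed + " for CVE-2024-28180"})
		}
	}
	return findings
}

func main() {
	for _, f := range auditGoMod(sampleGoMod) {
		fmt.Printf("%s %s: %s\n", f.Path, f.Version, f.Reason)
	}
}
```

Indirect requirements are deliberately not skipped: a vulnerable go-jose pulled in transitively is still linked into the binary, which is why replacing the import path alone is not enough and the resolved version in go.mod has to be checked as well.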
@avinal avinal force-pushed the avinal/ocpbugs-32844 branch from 121582b to 595313f Compare October 22, 2024 11:23
@sayan-biswas commented

/test e2e-aws-ovn-builds-techpreview
/test e2e-aws-ovn-builds

openshift-ci bot (Contributor) commented Oct 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avinal, sayan-biswas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 29, 2024
openshift-ci bot (Contributor) commented Oct 29, 2024

@avinal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                | Commit  | Required | Rerun command
ci/prow/security                         | 595313f | false    | /test security
ci/prow/e2e-aws-ovn-builds               | 595313f | true     | /test e2e-aws-ovn-builds
ci/prow/e2e-aws-ovn-builds-techpreview   | 595313f | false    | /test e2e-aws-ovn-builds-techpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • jira/invalid-bug: Indicates that a referenced Jira bug is invalid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.

4 participants