Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix /x/net and /x/sys #5360

Merged
merged 2 commits into from
Aug 3, 2022
Merged

Fix /x/net and /x/sys #5360

merged 2 commits into from
Aug 3, 2022

Conversation

SgtCoDFish
Copy link
Member

Pull Request Motivation

Two commits, each self contained:

  1. Adds go.mod and go.sum as sources so that we'll rebuild binaries locally if they change
  2. Fixes CVEs in /x/net and /x/sys which we probably weren't actually vulnerable to but it's worth keeping on top of these things

Kind

/kind bug

Release Note

NONE

@SgtCoDFish
add go.mod and go.sum as sources
e4dca7a 
this will trigger binaries to be rebuilt when go.mod and go.sum change

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
@jetstack-bot jetstack-bot added kind/bug Categorizes issue or PR as related to a bug. release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 3, 2022
@SgtCoDFish SgtCoDFish mentioned this pull request Aug 3, 2022
Merged
wallrj
wallrj approved these changes Aug 3, 2022
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for digging into this @SgtCoDFish

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 3, 2022
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@SgtCoDFish
remove replacement for /x/net and update /x/net + /x/sys
01d8994 
the replaced version had several CVEs as reported by Trivy:

CVE-2021-44716 - golang.org/x/net:
golang: net/http: limit growth of header canonicalization cache

CVE-2021-31525 - golang.org/x/net:
golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header

CVE-2022-29526 - golang.org/x/sys:
golang: syscall: faccessat checks wrong group

this commit fixes those reported CVEs

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 3, 2022
@SgtCoDFish
Copy link
Member Author

@wallrj I'd missed updating the LICENSES file, which I've now done. Could I get another LGTM?

@munnerz
Copy link
Member

munnerz commented Aug 3, 2022

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 3, 2022
@jetstack-bot jetstack-bot merged commit 0c15857 into cert-manager:master Aug 3, 2022
@jetstack-bot jetstack-bot added this to the v1.9 milestone Aug 3, 2022
@SgtCoDFish SgtCoDFish deleted the fixxnet branch August 3, 2022 14:21
@SgtCoDFish SgtCoDFish mentioned this pull request Dec 12, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wallrj wallrj wallrj approved these changes

Assignees

@munnerz munnerz

@wallrj wallrj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.9
Development

Successfully merging this pull request may close these issues.
4 participants
@SgtCoDFish @jetstack-bot @munnerz @wallrj