etcdserver: upgrade the golang.org/x/crypto dependency #13669
Conversation
|
There are multiple go.mod files, so can you update all of them? |
To rectify the vulnerability found in a version of golang.org/x/crypto (https://avd.aquasec.com/nvd/cve-2020-29652), upgrade the dependency to its latest version. Alternatively, version v0.0.0-20201216223049-8b5274cf687f could be used, where the fixed was introduced, but the latest is preferable.
maxsokolovsky
force-pushed
the
upgrade-server-dependency-golang.org/x/crypto
branch
from
c9d8832
to
f4708ae
Compare
|
@ahrtr, updated the dependency version in |
| @@ -341,8 +341,8 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U | |||
| golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= | |||
There was a problem hiding this comment.
Why didn't you update etcdctl/go.mod?
There was a problem hiding this comment.
This is for the release-3.5 branch, the dependency is not listed in etcdctl/go.mod.
There was a problem hiding this comment.
Got it, thanks for the clarification.
I see some go.sum files also contain old crypto versions, such as api/go.sum#L57. Can you fix them?
There was a problem hiding this comment.
I had run go mod tidy in the api module, but this produced no changes at all. If I remove the references to the crypto dependency manually from go.sum, then running go mod tidy brings them back in.
There was a problem hiding this comment.
They might be dependencies' dependency.
There was a problem hiding this comment.
Yes, I've looked at the api module dependency graph, looks like no top-level dependency bump will cause those transient dependencies to be upgraded the way we want. Some are already at their latest versions, like protobuf.
There was a problem hiding this comment.
@ahrtr, is there still something that needs to be done on my part?
There was a problem hiding this comment.
Ideally it would be better if you can fix all the old crypto versions, especially which are only in go.sum files. It may need some effort to figure out what's the exact dependencies which causes the golang.org/x/crypto being added into go.sum files.
It's OK to do it in a separate PR(s) or raise a ticket to track it.
There was a problem hiding this comment.
$ cd etcdctl
$go get golang.org/x/crypto@v0.0.0-20220131195533-30dcbda58838
Forces the dependency to be upgraded, even if its a transitive dependency.
go.mod gets modified by:
golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838 // indirect
and go.sum as well.
go mod tidy is not removing that change.
|
Hi Max. Thank you for the fix. |
|
Hi Piotr, thanks to you and Benjamin for reviewing! Sure, that would work! |
|
Would like to have the fix in v3.5.3, as the author is not responding will handle the change on main. |
|
@serathius i can do this :) let me file a PR against master/main! |
|
no worries @serathius i was joking with @ahrtr that this was probably the only thing i could help with :) glad you all are working hard to set the ship right. thanks for doing that! |
To rectify the vulnerability found in a version of golang.org/x/crypto
(https://avd.aquasec.com/nvd/cve-2020-29652), upgrade the dependency to
its latest version.
Alternatively,
v0.0.0-20201216223049-8b5274cf687fcould be used,where the fixed was introduced, but the latest is preferable.