OCPBUGS-35524: update to go 1.20 and k8s.io mods to v0.28.3 #86
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jluhrsen The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jluhrsen
force-pushed
the
CVE-2023-48795-release-4.15
branch
from
d30a810 to
0f9ef80
Compare
jluhrsen
changed the title
jluhrsen
changed the title
openshift-ci-robot
added
jira/valid-reference
|
@jluhrsen: This pull request references Jira Issue OCPBUGS-35524, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
jluhrsen
force-pushed
the
CVE-2023-48795-release-4.15
branch
from
0f9ef80 to
db1e992
Compare
as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. ❯ go list -m -mod=mod all | rg crypto golang.org/x/crypto v0.14.0 => golang.org/x/crypto v0.17.0 this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated. [0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] : ❯ git remote -v origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push) ❯ git br * (HEAD detached at v0.17.0) master ❯ git log -1 commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0) Author: Roland Shoemaker <bracewell@google.com> Date: Mon Nov 20 12:06:18 2023 -0800 ssh: implement strict KEX protocol changes Implement the "strict KEX" protocol changes, as described in section 1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1). Namely this makes the following changes: * Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode. * When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset. Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue. Fixes CVE-2023-48795 Fixes golang/go#64784 Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715 Reviewed-by: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
jluhrsen
force-pushed
the
CVE-2023-48795-release-4.15
branch
from
db1e992 to
c8b82cf
Compare
|
/lgtm |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@zshi-redhat: This pull request references Jira Issue OCPBUGS-35524, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
knobunc
added
backport-risk-assessed
|
/label cherry-pick-approved |
openshift-ci
bot
assigned anuragthehatter, asood-rh, huiran0826, jechen0648, mffiedler, qiowang721 and rbbratta
|
/label cherry-pick-approved |
knobunc
added
the
cherry-pick-approved
|
@jluhrsen: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit f8ec690
into
openshift:release-4.15
|
@jluhrsen: Jira Issue OCPBUGS-35524: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-35524 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] Distgit: egress-router-cni |
|
Fix included in accepted release 4.15.0-0.nightly-2024-07-31-035211 |
as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. this brings in 0.22:
❯ go list -m -mod=mod all | rg crypto
golang.org/x/crypto v0.14.0 => golang.org/x/crypto v0.17.0
this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated.
[0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] :
❯ git remote -v
origin https://go.googlesource.com/crypto (fetch)
origin https://go.googlesource.com/crypto (push)
❯ git br
(HEAD detached at v0.17.0) master ❯ git log -1
commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0)
Author: Roland Shoemaker bracewell@google.com
Date: Mon Nov 20 12:06:18 2023 -0800
ssh: implement strict KEX protocol changes
Implement the "strict KEX" protocol changes, as described in section
1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).
Namely this makes the following changes:
* Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode.
* When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset.
Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.
Fixes CVE-2023-48795 Fixes x/crypto/ssh: implement strict KEX protocol changes golang/go#64784
Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
Reviewed-by: Nicola Murino nicola.murino@gmail.com
Reviewed-by: Tatiana Bradley tatianabradley@google.com
TryBot-Result: Gopher Robot gobot@golang.org
Run-TryBot: Roland Shoemaker roland@golang.org
Reviewed-by: Damien Neil dneil@google.com
LUCI-TryBot-Result: Go LUCI golang-scoped@luci-project-accounts.iam.gserviceaccount.com