Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUG 2312515: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file #381

Open
wants to merge 3 commits into
base: release-4.12
Choose a base branch
from

Conversation

iPraveenParihar
Copy link
Member

Bumps github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7.


updated-dependencies:

  • dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com
(cherry picked from commit 2131a84)

Describe what this PR does

Provide some context for the reviewer

Is there anything that requires special attention

Do you have any questions?

Is the change backward compatible?

Are there concerns around backward compatibility?

Provide any external context for the change, if any.

For example:

  • Kubernetes links that explain why the change is required
  • CSI spec related changes/catch-up that necessitates this patch
  • golang related practices that necessitates this change

Related issues

Mention any github issues relevant to this PR. Adding below line
will help to auto close the issue once the PR is merged.

Fixes: #issue_number

Future concerns

List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.

Checklist:

  • Commit Message Formatting: Commit titles and messages follow
    guidelines in the developer
    guide
    .
  • Reviewed the developer guide on Submitting a Pull
    Request
  • Pending release
    notes

    updated with breaking and/or notable changes for the next major release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.

Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)

Copy link

openshift-ci bot commented Sep 16, 2024

@iPraveenParihar: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "ODF 4.16.2" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

BUG 2312515: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.1 to 0.7.7.
- [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
- [Commits](hashicorp/go-retryablehttp@v0.7.1...v0.7.7)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-retryablehttp
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 2131a84)
@nixpanic
Copy link
Member

/hold

Before fixing 4.12, make sure all newer versions have the fixes too already. We have templates for backport PRs, see the redhat/README.md.

@iPraveenParihar
Copy link
Member Author

/hold

Before fixing 4.12, make sure all newer versions have the fixes too already. We have templates for backport PRs, see the redhat/README.md.

@nixpanic, backport PRs were already created & merged to newer versions (4.17 to 4.13).

@nixpanic
Copy link
Member

/hold
Before fixing 4.12, make sure all newer versions have the fixes too already. We have templates for backport PRs, see the redhat/README.md.

@nixpanic, backport PRs were already created & merged to newer versions (4.17 to 4.13).

Thanks, in the future, use the backport tempate for the PR, so that it is clear the whole process is followed.
As you mentioned other versions had their backports already, I was able to find them with https://github.com/red-hat-storage/ceph-csi/pulls?q=is%3Apr+CVE-2024-6104+

/unhold

@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Oct 7, 2024

I have cherry-picked around 6 commits related to lint failures. And not sure still how many needed to make lint CI green ✅.
@Madhu-1, In CVE PRs do we really need to fix the lint failures? We'll be just adding more and more commits not related to CVE as we Backport on lower versions.

WDYT?

@Madhu-1
Copy link
Member

Madhu-1 commented Oct 7, 2024

I have cherry-picked around 6 commits related to lint failures. And not sure still how many needed to make lint CI green ✅. @Madhu-1, In CVE PRs do we really need to fix the lint failures? We'll be just adding more and more commits not related to CVE as we Backport on lower versions.

WDYT?

In most of the cases we will try to fix it but not like we pick more commits and it's not getting fixed like this, we can make an exception for pretty older releases and do what is only required and get it merged.

@nixpanic
Copy link
Member

nixpanic commented Oct 8, 2024

Creating the test container-image seems to be problematic. Can you check if a fix for that can be backported as well? I can be as part of this PR, so that CI jobs provide some confidence of the build.

https://github.com/red-hat-storage/ceph-csi/actions/runs/11211368084/job/31160100707?pr=381#step:3:824

@nixpanic
Copy link
Member

nixpanic commented Oct 8, 2024

@iPraveenParihar , you probably need ceph#3540 to get the CI to pass

nixpanic and others added 2 commits October 8, 2024 20:22
GitHub Workflows fail installing Helm if the `openssl` package is not
available. Fedora 36 installs `openssl` by default, Fedora 37 does not.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 774beef)
Since CentOS Stream 8 is EOL, this commit updates the
config to use vault.centos.org for CentOS Stream 8.
This should be removed once the base image (ceph) is
updated to a version with a newer CentOS.

Signed-off-by: Praveen M <m.praveen@ibm.com>
(cherry picked from commit 5809628)
@nixpanic
Copy link
Member

nixpanic commented Oct 8, 2024

Thanks! CI jobs that are really required pass now.

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Code looks good label Oct 8, 2024
Copy link

openshift-ci bot commented Oct 8, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iPraveenParihar, nixpanic

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Its a good idea label Oct 8, 2024
@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Oct 29, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Oct 30, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Oct 31, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 1, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 2, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 3, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 4, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 5, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 6, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Copy link

openshift-ci bot commented Nov 7, 2024

@openshift-bot: This pull request references Bugzilla bug 2312515, which is invalid:

  • expected the bug to target the "ODF 4.12.15" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

9 similar comments
@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-bot
Copy link

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants