
vendor: golang.org/x/text v0.3.3 (CVE-2020-14040) #4328

Merged (1 commit), Jun 17, 2020

Conversation

thaJeztah (Member)

full diff: golang/text@19e5161...v0.3.3

includes a fix for CVE-2020-14040
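The question a downstream maintainer asks of a bump like this is simply "does the tree we ship vendor golang.org/x/text at v0.3.3 or later?". The following is an added example, not code from this PR or from the project, that answers it offline by reading the `vendor/modules.txt` that `go mod vendor` writes. The function names (`parseModulesTxt`, `compareVersions`, `vendoredAtLeast`) are hypothetical, and the modules.txt body is constructed for the example, with an illustrative x/net pseudo-version alongside the x/text v0.3.3 this PR vendors.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of a vendor/modules.txt body ("# path version" lines,
// each followed by the packages vendored from that module). The x/net
// pseudo-version is illustrative; golang.org/x/text v0.3.3 is what this PR vendors.
const sampleModulesTxt = `# golang.org/x/net v0.0.0-20191004110552-13f9640d40b9
golang.org/x/net/context
golang.org/x/net/idna
# golang.org/x/text v0.3.3
golang.org/x/text/transform
golang.org/x/text/unicode/norm
`

// parseModulesTxt maps module path -> version for every "# path version" line;
// package lines, "## explicit" markers and "=>" replacement targets are skipped.
func parseModulesTxt(body string) map[string]string {
	mods := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if fields := strings.Fields(sc.Text()); len(fields) >= 3 && fields[0] == "#" {
			mods[fields[1]] = fields[2]
		}
	}
	return mods
}

// version is the numeric vX.Y.Z part plus whatever follows the first '-'
// (a pre-release tag or the timestamp-hash tail of a pseudo-version).
type version struct {
	nums [3]int
	pre  string
}

func parseVersion(s string) (version, error) {
	var v version
	core := strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(core, '-'); i >= 0 {
		v.pre, core = core[i+1:], core[:i]
	}
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &v.nums[0], &v.nums[1], &v.nums[2]); err != nil {
		return v, fmt.Errorf("unsupported version %q: %v", s, err)
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1. Numeric parts compare numerically and a
// version with a '-' suffix sorts below its base release, which matches Go
// module ordering for releases and pseudo-versions. This is a simplification
// of full semver precedence, not a replacement for golang.org/x/mod/semver.
func compareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range va.nums {
		if va.nums[i] != vb.nums[i] {
			if va.nums[i] < vb.nums[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	if va.pre == vb.pre {
		return 0, nil
	}
	// a release beats any pre-release of itself; two pre-releases compare as strings
	if va.pre == "" || (vb.pre != "" && va.pre > vb.pre) {
		return 1, nil
	}
	return -1, nil
}

// vendoredAtLeast reports whether modPath is vendored at minVersion or newer.
// A module absent from modules.txt is an error, not a pass.
func vendoredAtLeast(modulesTxt, modPath, minVersion string) (bool, error) {
	got, ok := parseModulesTxt(modulesTxt)[modPath]
	if !ok {
		return false, fmt.Errorf("%s is not vendored", modPath)
	}
	c, err := compareVersions(got, minVersion)
	if err != nil {
		return false, err
	}
	return c >= 0, nil
}

func main() {
	ok, err := vendoredAtLeast(sampleModulesTxt, "golang.org/x/text", "v0.3.3")
	fmt.Println("golang.org/x/text >= v0.3.3:", ok, err)
}
```

For the indirect-dependency question raised in the backport discussion, `go mod why -m golang.org/x/text` run in the module root prints the import chain that pulls the module in, and `go list -m golang.org/x/text` prints the selected version; the check above is for trees where only the vendored copy is available.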

@thaJeztah (Member, Author)

perhaps needs to be back ported to 1.2.x and 1.3.x

@theopenlab-ci bot commented Jun 17, 2020

Build succeeded.

@estesp (Member) left a comment

LGTM

@thaJeztah (Member, Author)

@estesp ok to add this to 1.3 (possibly 1.2) backports you think?

@Zyqsempai (Contributor) left a comment

LGTM

@dmcgowan (Member)

golang.org/x/text is an indirect dependency. Had it already diverged from the library which was using it? Looks like it comes from golang.org/x/net, but I don't see that updated.

How might this CVE affect 1.2.x or 1.3.x? The fix seems related to handling utf16. If this bug is manifesting in the network code, are there more details about it and how golang.org/x/net/idna/ is affected and updated?

I think more justification is needed before backporting, especially to 1.2 with such a large diff.

@estesp (Member) commented Jun 17, 2020

Similar thoughts from me in the 1.2 backport PR: #4331 (comment)
