Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v4.0 backport] Bump golang.org/x/crypto to 7b82a4e #13843

Merged
merged 1 commit into from
Apr 12, 2022
Merged

[v4.0 backport] Bump golang.org/x/crypto to 7b82a4e #13843

merged 1 commit into from
Apr 12, 2022

Conversation

lsm5
Copy link
Member

@lsm5 lsm5 commented Apr 12, 2022

Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191

Podman doesn't seem to be directly affected as the logic in question
is not called.

golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.

Signed-off-by: Lokesh Mandvekar [email protected]
(cherry picked from commit 5e680d5)
Signed-off-by: Lokesh Mandvekar [email protected]

@rhatdan @mheon @TomSweeneyRedHat @Luap99 PTAL
/cc @containers/podman-maintainers

@lsm5
Bump golang.org/x/crypto to 7b82a4e
6a6e033 
Resolves: GHSA-8c26-wmh5-6g9v - CVE-2022-27191

Podman doesn't seem to be directly affected as the logic in question
is not called.

golang.org/x/crypto@1baeb1ce contains the actual CVE fix. Using the
latest upstream commit to also include support for SHA-2.

Signed-off-by: Lokesh Mandvekar <[email protected]>
(cherry picked from commit 5e680d5)
Signed-off-by: Lokesh Mandvekar <[email protected]>
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 12, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 12, 2022
@lsm5
Copy link
Member Author

lsm5 commented Apr 12, 2022

@edsantiago @mheon any idea if buildah is broken with this change RE: bud podman fedora-35 root host or just a false positive?

@edsantiago
Copy link
Member 

         # Error: error creating build container: initializing source docker://alpine:latest: reading manifest latest in quay.io/libpod/alpine: received unexpected HTTP status: 500 Internal Server Error

This is our current flake nightmare, a quay.io flake. I've restarted.

@mheon
Copy link
Member

mheon commented Apr 12, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 12, 2022
@openshift-merge-robot openshift-merge-robot merged commit caef981 into containers:v4.0 Apr 12, 2022
@lsm5 lsm5 deleted the v4.0-cve-2022-27191-backport branch April 12, 2022 20:38
@edsantiago edsantiago mentioned this pull request May 10, 2022
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@mheon mheon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lsm5 @edsantiago @mheon @openshift-merge-robot