[v3.4 backport] Bump github.com/containers/psgo to v1.7.2 #13862

Closed · 1 commit

Conversation

@lsm5 (Member) commented Apr 13, 2022

Resolves: CVE-2022-1227

Upstream fix: containers/psgo#92

Signed-off-by: Lokesh Mandvekar [email protected]

main branch is on v1.7.2 so that's what I bumped this branch to.

@mheon @rhatdan @vrothberg @TomSweeneyRedHat @Luap99 PTAL
/cc @containers/podman-maintainers

openshift-ci bot (Contributor) commented Apr 13, 2022

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lsm5
To complete the pull request process, please assign umohnani8 after the PR has been reviewed.
You can assign the PR to them by writing /assign @umohnani8 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan (Member) commented Apr 13, 2022

This code requires golang 1.16.

@lsm5 (Member, Author) commented Apr 13, 2022

ugh .. i'll update it, thanks

@mheon (Member) commented Apr 13, 2022

@vrothberg PTAL

@lsm5 lsm5 changed the title Bump github.com/containers/psgo to v1.7.2 [v3.4 backport] Bump github.com/containers/psgo to v1.7.2 Apr 13, 2022
@Luap99 (Member) left a comment

This bumps way too many dependencies for a backport, it should only include the fix.

@lsm5 (Member, Author) commented Apr 13, 2022

> This bumps way too many dependencies for a backport, it should only include the fix.

Looking at psgo commit logs, there's only an extra opencontainers/runc module update from v1.0.2 to v1.0.3, in addition to the actual fix for the CVE. Is that still a deal breaker?

Also, I guess backport is a misnomer here, since I didn't actually cherry-pick the commit from main, but manually ran go get ...

@Luap99 (Member) commented Apr 13, 2022

> > This bumps way too many dependencies for a backport, it should only include the fix.
>
> Looking at psgo commit logs, there's only an extra opencontainers/runc module update from v1.0.2 to v1.0.3, in addition to the actual fix for the CVE. Is that still a deal breaker?

No, that would be fine for me; it is just that the current PR bumps minor and major versions such as c/storage, which we should never do for patch releases unless absolutely necessary. Patch releases should only add bug/security fixes.
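
The rule stated above, that a patch-release backport may carry only the fix and not minor or major bumps of unrelated modules, can be checked mechanically from the go.mod diff rather than by eyeballing `git diff`. The program below is an added example written for this page; it is not code from podman, psgo or any of the people in the thread. The two go.mod excerpts, their version numbers and the pseudo-version hash are constructed for illustration and are not podman's real v3.4 go.mod. It parses the `require` blocks of both files, classifies each changed module as a major, minor or patch bump, and reports anything it cannot classify (pseudo-versions, pre-releases, added or removed modules) as "other" so a reviewer looks at it by hand.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Bump is one changed requirement. Kind is major/minor/patch/other; an added or removed module reports "other" with an empty Old or New.
type Bump struct{ Module, Old, New, Kind string }

// parseRequires maps module path -> version from a go.mod "require ( ... )" block, dropping trailing comments such as "// indirect".
func parseRequires(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0])
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// semverParts parses a canonical vX.Y.Z tag (the go command canonicalises versions in go.mod); pseudo-versions and pre-releases (containing '-' or '+') are rejected.
func semverParts(v string) (n [3]int, ok bool) {
	if strings.ContainsAny(v, "-+") || strings.Count(v, ".") != 2 {
		return n, false
	}
	_, err := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil
}

// BumpKind classifies a version change as "major", "minor", "patch" or "other".
func BumpKind(oldV, newV string) string {
	o, ok1 := semverParts(oldV)
	if n, ok2 := semverParts(newV); ok1 && ok2 {
		for i, kind := range []string{"major", "minor", "patch"} {
			if o[i] != n[i] {
				return kind
			}
		}
	}
	return "other"
}

// DiffRequires lists every requirement that differs between two go.mod files, sorted by module path.
func DiffRequires(oldMod, newMod string) []Bump {
	o, n := parseRequires(oldMod), parseRequires(newMod)
	var bumps []Bump
	for mod, ov := range o {
		if nv := n[mod]; nv != ov { // changed, or removed when nv == ""
			bumps = append(bumps, Bump{mod, ov, nv, BumpKind(ov, nv)})
		}
	}
	for mod, nv := range n {
		if _, inOld := o[mod]; !inOld { // added
			bumps = append(bumps, Bump{mod, "", nv, "other"})
		}
	}
	sort.Slice(bumps, func(i, j int) bool { return bumps[i].Module < bumps[j].Module })
	return bumps
}

// OnlyPatchLevel applies the thread's rule: a patch release may carry patch-level bumps only; anything else, including an unclassifiable version, fails.
func OnlyPatchLevel(bumps []Bump) bool {
	for _, b := range bumps {
		if b.Kind != "patch" {
			return false
		}
	}
	return true
}

// Constructed go.mod excerpts: versions and the pseudo-version hash are made up for this example and are not podman's real v3.4 go.mod.
const oldGoMod = `require (
	github.com/containers/psgo v1.7.1
	github.com/containers/storage v1.37.0
	github.com/opencontainers/runc v1.0.2
)`
const newGoMod = `require (
	github.com/containers/psgo v1.7.2
	github.com/containers/storage v1.39.0
	github.com/opencontainers/runc v1.0.3
	golang.org/x/sys v0.0.0-20220401000000-000000000000 // indirect
)`

func main() {
	bumps := DiffRequires(oldGoMod, newGoMod)
	fmt.Printf("%+v\npatch-release safe: %v\n", bumps, OnlyPatchLevel(bumps))
}
```

On the constructed input the psgo and runc changes come out as "patch", the c/storage change as "minor" and the new golang.org/x/sys pseudo-version as "other", so the overall verdict is not patch-release safe. To use it on a real PR, replace the two constants with the contents of go.mod from the release branch and from the PR head (for example via os.ReadFile); pseudo-versions are deliberately left unclassified because a timestamp-and-hash version says nothing about how far the module moved.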

@vrothberg (Member) commented

All the BZs are assigned to me. I appreciate helping hands but note that it's already chaotic to handle. We need backports in psgo first.

@vrothberg (Member) commented

I started the backports. Need to go through c/storage -> c/psgo -> c/podman for all kinds of versions. Let's start with v3.4 first since that's upstream.

@lsm5 (Member, Author) commented Apr 14, 2022

> All the BZs are assigned to me. I appreciate helping hands but note that it's already chaotic to handle. We need backports in psgo first.

Closing. I'll build podman for f35 only after we have v3.4 updated upstream.

@lsm5 lsm5 closed this Apr 14, 2022
@lsm5 lsm5 deleted the v3.4-cve-2022-1227-backport branch April 14, 2022 13:45
@github-actions github-actions bot added the "locked - please file new issue/PR" label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
5 participants