DAOS-16607 control: Update vendored version of grpc-go #15161
This update addresses CVE-2023-44487.

Features: control
Signed-off-by: Kris Jacque <[email protected]>

Ticket title is 'Project is vulnerable to: CVE-2023-44487'
Do we have to change the minimum Go version in any other files? And do all the distros we support have Go >= 1.21? Last time I checked they didn't.

Digging into Rocky Linux EL8's current package list, it looks like golang is at version 1.21. It doesn't look like there's a Go package in EPEL anymore. On the SUSE/SLES side, Leap 15.5 doesn't appear to have an OS-supplied package, but has a number of community-provided packages providing 1.23. So this bump shouldn't be too inconvenient for folks using packaged versions of Go. I think the version increase is necessary. After increasing the grpc package version, I used the
We should update the rpm and Debian spec files and the scons check at https://github.com/daos-stack/daos/blob/master/site_scons/site_tools/go_builder.py#L11 when we bump the minimum Go version. We could probably just drop the scons check at this point, however.

Thanks @ashleypittman, good catches all around. I created a ticket and will address: https://daosio.atlassian.net/browse/DAOS-16621