
DAOS-16607 control: Update vendored version of grpc-go #15161

Merged
merged 1 commit into from
Sep 20, 2024

Conversation

@kjacque kjacque commented Sep 19, 2024

This update addresses CVE-2023-44487.

Features: control

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is the master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket?
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

This update addresses CVE-2023-44487.

Features: control

Signed-off-by: Kris Jacque <[email protected]>
@kjacque kjacque self-assigned this Sep 19, 2024
@kjacque kjacque requested review from a team as code owners September 19, 2024 19:33

github-actions bot commented Sep 19, 2024

Ticket title is 'Project is vulnerable to: CVE-2023-44487'
Status is 'In Review'
Labels: 'Go,SDLe'
https://daosio.atlassian.net/browse/DAOS-16607


@tanabarr tanabarr left a comment


Do we have to change the minimum Go version in any other files? And do all the distros we support have Go >= 1.21? Last time I checked they didn't.

kjacque commented Sep 20, 2024

Do we have to change the minimum Go version in any other files? And do all the distros we support have Go >= 1.21? Last time I checked they didn't.

Digging into Rocky Linux EL8's current package list, it looks like golang is at version 1.21. It doesn't look like there's a Go package in EPEL anymore. On the SUSE/SLES side, Leap 15.5 doesn't appear to have an OS-supplied package, but has a number of community-provided packages providing 1.23. So this bump shouldn't be too inconvenient for folks using packaged versions of Go.

I think the version increase is necessary. After increasing the grpc package version, I used the go mod automated tools to update the rest of the dependencies. It bumped the Go minimum version automatically.

@kjacque kjacque requested review from tanabarr and mjmac September 20, 2024 00:04
@mjmac mjmac merged commit 38bd176 into master Sep 20, 2024
57 of 58 checks passed
@mjmac mjmac deleted the kjacque/CVE-2023-44487 branch September 20, 2024 11:26
kjacque added a commit that referenced this pull request Sep 20, 2024
phender pushed a commit that referenced this pull request Sep 21, 2024
@ashleypittman
Contributor

Do we have to change the minimum Go version in any other files? And do all the distros we support have Go >= 1.21? Last time I checked they didn't.

We should update the rpm and debian spec files and the scons check at https://github.com/daos-stack/daos/blob/master/site_scons/site_tools/go_builder.py#L11 when we bump the minimum go version. We could probably just drop the scons check at this point however.

kjacque commented Sep 23, 2024

We should update the rpm and debian spec files and the scons check at https://github.com/daos-stack/daos/blob/master/site_scons/site_tools/go_builder.py#L11 when we bump the minimum go version. We could probably just drop the scons check at this point however.

Thanks @ashleypittman, good catches all around. I created a ticket and will address: https://daosio.atlassian.net/browse/DAOS-16621
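The thread above raises two things a build or CI job can check mechanically: that the toolchain meets the `go` directive that `go mod` tooling bumped, and that the vendored grpc-go is at or above the version that fixes the advisory. The following POSIX shell script is an added example, not code from the DAOS repository or its scons check; the go.mod content is constructed, and the v1.58.3 threshold is assumed from the upstream grpc-go fix for CVE-2023-44487.

```shell
# Added example, not code from the DAOS repository: check that a Go toolchain
# satisfies the `go` directive in go.mod and that a required module (here
# google.golang.org/grpc) is at or above the version that fixes an advisory.
# Constructed sample go.mod standing in for the repository's real file.
SAMPLE_GOMOD='module example.com/control
go 1.21
require (
    google.golang.org/grpc v1.66.2
    golang.org/x/net v0.29.0
)
'
# Print the version from the `go` directive of go.mod text given on stdin.
gomod_min_go() {
    awk '$1 == "go" { print $2; exit }'
}

# Print the required version of module $1 from go.mod text given on stdin.
gomod_module_version() {
    awk -v mod="$1" '$1 == mod { print $2; exit }'
}

# Return 0 if dotted version $1 >= $2; a leading "v" or "go" prefix is ignored.
version_ge() {
    a=${1#v}; a=${a#go}; b=${2#v}; b=${b#go}
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Check go.mod text $1 against toolchain version $2 (as printed by `go version`,
# e.g. "go1.21.3") and require module $3 at version >= $4. Returns 0 when both
# hold, 1 otherwise, naming the first failing constraint.
check_gomod() {
    need=$(printf '%s' "$1" | gomod_min_go)
    have=$(printf '%s' "$1" | gomod_module_version "$3")
    version_ge "$2" "$need" || { echo "toolchain $2 is below go.mod minimum go $need"; return 1; }
    version_ge "$have" "$4" || { echo "$3 $have is below required $4"; return 1; }
    echo "ok: toolchain $2 >= go $need, $3 $have >= $4"
}
# Real usage would pass "$(go version | awk '{print $3}')" as the toolchain; the
# v1.58.3 threshold is assumed from the upstream grpc-go fix for CVE-2023-44487.
check_gomod "$SAMPLE_GOMOD" go1.21.3 google.golang.org/grpc v1.58.3
```

Wiring the same check into the rpm/debian spec files and the scons check means a Go bump made by `go mod` tooling fails the build loudly instead of silently breaking packaging.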
