From 1710a68cba09227148c174defd201922f4c15953 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 15 Mar 2022 11:26:56 +0100
Subject: [PATCH 1/5] Update containerd to v1.5.10

This mitigates CVE-2022-23648.

Signed-off-by: Hidde Beydals
---
 go.mod | 51 ++++++++++++++++++++++++++-------------------------
 go.sum | 4 ++--
 2 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/go.mod b/go.mod
index 11432f380..549af1a1a 100644
--- a/go.mod
+++ b/go.mod
@@ -27,6 +27,32 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+// Pin kustomize to v4.4.1
+replace (
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
+)
+
+// Fix CVE-2021-41092
+// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
+// pulled in by Helm.
+replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
+
+// Fix CVE-2021-30465
+// Fix CVE-2021-43784
+// Fix GO-2021-0085
+// Fix GO-2021-0087
+replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
+
+// Fix CVE-2021-41190
+// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
+// pulled in by Helm.
+replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
+
+// Fix CVE-2021-43816
+// Fix CVE-2022-23648
+replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.10
+
 require (
 	cloud.google.com/go v0.99.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
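Review bot: The `replace github.com/containerd/containerd => ... v1.5.10` line (and the runc pin above it) fixes the version in both directions: a `replace` to an explicit version overrides minimal version selection, so once Helm or oras-go requires a containerd newer than v1.5.10 this directive would silently downgrade it, which is the opposite of the CVE intent. A comment naming the exit condition would make the next bump safer, e.g. `// Remove once the transitive requirement reaches >= v1.5.10; replace also overrides newer versions.` Note as well that `replace` only takes effect in the main module, so anyone importing github.com/fluxcd/helm-controller as a library does not inherit these mitigations, only the controller binary built from this go.mod does. Patches 2 and 3 of this series already retire two pins because Helm's own requirements caught up; the runc and containerd ones deserve the same periodic check.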
@@ -155,28 +181,3 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
-
-// pin kustomize to v4.4.1
-replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
-)
-
-// Fix CVE-2021-41092
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
-// pulled in by Helm.
-replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
-
-// Fix CVE-2021-30465
-// Fix CVE-2021-43784
-// Fix GO-2021-0085
-// Fix GO-2021-0087
-replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
-
-// Fix CVE-2021-41190
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
-// pulled in by Helm.
-replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
-
-// Fix CVE-2021-43816
-replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.9
diff --git a/go.sum b/go.sum
index 5ef1076e1..41532f821 100644
--- a/go.sum
+++ b/go.sum
@@ -199,8 +199,8 @@ github.com/containerd/cgroups v1.0.2 h1:mZBclaSgNDfPWtfhj2xJY28LZ9nYIgzB0pwSURPl
 github.com/containerd/cgroups v1.0.2/go.mod h1:qpbpJ1jmlqsR9f2IyaLPsdkCdnt0rbDVqIDlhuu5tRY=
 github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
 github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
-github.com/containerd/containerd v1.5.9 h1:rs6Xg1gtIxaeyG+Smsb/0xaSDu1VgFhOCKBXxMxbsF4=
-github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
+github.com/containerd/containerd v1.5.10 h1:3cQ2uRVCkJVcx5VombsE7105Gl9Wrl7ORAO3+4+ogf4=
+github.com/containerd/containerd v1.5.10/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
 github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ=
 github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
 github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
From 1e894fde4f74887a9c6f0d937859e3c7acb73a50 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 15 Mar 2022 11:32:37 +0100
Subject: [PATCH 2/5] Remove opencontainers/image-spec overwrite

Helm now depends on Oras v1.0.x, which contains the right version.

Signed-off-by: Hidde Beydals
---
 go.mod | 5 -----
 go.sum | 1 +
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 549af1a1a..f63dcc53d 100644
--- a/go.mod
+++ b/go.mod
@@ -44,11 +44,6 @@ replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
 // Fix GO-2021-0087
 replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
 
-// Fix CVE-2021-41190
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
-// pulled in by Helm.
-replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
-
 // Fix CVE-2021-43816
 // Fix CVE-2022-23648
 replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.10
diff --git a/go.sum b/go.sum
index 41532f821..f91fabb89 100644
--- a/go.sum
+++ b/go.sum
@@ -757,6 +757,7 @@ github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
From 9551df3a0a6cf3458ec460cd20d74474ae292c13 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 15 Mar 2022 11:35:06 +0100
Subject: [PATCH 3/5] Remove docker/cli overwrite

Helm now depends on Oras v1.0.x, which contains a newer version.

Signed-off-by: Hidde Beydals
---
 go.mod | 5 -----
 go.sum | 5 +++--
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index f63dcc53d..85843b8b9 100644
--- a/go.mod
+++ b/go.mod
@@ -33,11 +33,6 @@ replace (
 	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
 )
 
-// Fix CVE-2021-41092
-// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
-// pulled in by Helm.
-replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
-
 // Fix CVE-2021-30465
 // Fix CVE-2021-43784
 // Fix GO-2021-0085
diff --git a/go.sum b/go.sum
index f91fabb89..7724806d8 100644
--- a/go.sum
+++ b/go.sum
@@ -258,8 +258,9 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/distribution/distribution/v3 v3.0.0-20211118083504-a29a3c99a684 h1:DBZ2sN7CK6dgvHVpQsQj4sRMCbWTmd17l+5SUCjnQSY=
 github.com/distribution/distribution/v3 v3.0.0-20211118083504-a29a3c99a684/go.mod h1:UfCu3YXJJCI+IdnqGgYP82dk2+Joxmv+mUTVBES6wac=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
-github.com/docker/cli v20.10.9+incompatible h1:OJ7YkwQA+k2Oi51lmCojpjiygKpi76P7bg91b2eJxYU=
-github.com/docker/cli v20.10.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v20.10.11+incompatible h1:tXU1ezXcruZQRrMP8RN2z9N91h+6egZTS1gsPsKantc=
+github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=
 github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
From ac1eeb9122e995f002a1e74dddbe76ba388f7cc3 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 15 Mar 2022 11:42:03 +0100
Subject: [PATCH 4/5] Overwrite fuzz dependencies to use current

Signed-off-by: Hidde Beydals
---
 tests/fuzz/go.mod | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tests/fuzz/go.mod b/tests/fuzz/go.mod
index bea70c011..bf198f479 100644
--- a/tests/fuzz/go.mod
+++ b/tests/fuzz/go.mod
@@ -3,3 +3,9 @@ module github.com/fluxcd/helm-controller/tests/fuzz
 // with fuzz dependencies.
 
 go 1.17
+
+// Overwrite with local replace to ensure tests run with current state.
+replace (
+	github.com/fluxcd/helm-controller/api => ../../api
+	github.com/fluxcd/helm-controller => ../../
+)
From 7f42997c565e9e2ec96eb236f0eeb9ebec4a0bcd Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 15 Mar 2022 12:23:36 +0100
Subject: [PATCH 5/5] Update kustomize to v4.5.2

Signed-off-by: Hidde Beydals
---
 go.mod | 10 +++++-----
 go.sum | 8 ++++----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 85843b8b9..06b43aed5 100644
--- a/go.mod
+++ b/go.mod
@@ -23,14 +23,14 @@ require (
 	k8s.io/cli-runtime v0.23.4
 	k8s.io/client-go v0.23.4
 	sigs.k8s.io/controller-runtime v0.11.0
-	sigs.k8s.io/kustomize/api v0.10.1
+	sigs.k8s.io/kustomize/api v0.11.2
 	sigs.k8s.io/yaml v1.3.0
 )
 
-// Pin kustomize to v4.4.1
+// Pin kustomize to v4.5.2
 replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.11.2
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.3
 )
 
 // Fix CVE-2021-30465
@@ -168,6 +168,6 @@ require (
 	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
 	oras.land/oras-go v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 7724806d8..fac5cf542 100644
--- a/go.sum
+++ b/go.sum
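Review bot: The new `replace (...)` block in tests/fuzz/go.mod has nothing to act on by itself: as far as this hunk shows, the file holds only the `module` line, a comment and `go 1.17`, with no `require` for either github.com/fluxcd/helm-controller module, and the go command ignores a `replace` whose target module is not in the build list. The surrounding comment ("... with fuzz dependencies.") suggests the file is filled in by the fuzz build step; if that step regenerates go.mod from scratch instead of appending to it, these local pins are dropped and the fuzzers would run against a published version rather than the checked-out tree. I would spell out that dependency in the comment, e.g. `// These replaces only take effect once the fuzz build adds the matching require entries; the build script must keep this block.` I am inferring the build flow from the comment, so confirm against the fuzz build script.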
@@ -1624,12 +1624,12 @@ sigs.k8s.io/controller-runtime v0.11.0/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eM
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
-sigs.k8s.io/kustomize/api v0.10.1 h1:KgU7hfYoscuqag84kxtzKdEC3mKMb99DPI3a0eaV1d0=
-sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8=
+sigs.k8s.io/kustomize/api v0.11.2 h1:6YvCJHFDwsLwAX7zNHBxMZi3k7dGIXI8G9l0saYQI0E=
+sigs.k8s.io/kustomize/api v0.11.2/go.mod h1:GZuhith5YcqxIDe0GnRJNx5xxPTjlwaLTt/e+ChUtJA=
 sigs.k8s.io/kustomize/cmd/config v0.10.2/go.mod h1:K2aW7nXJ0AaT+VA/eO0/dzFLxmpFcTzudmAgDwPY1HQ=
 sigs.k8s.io/kustomize/kustomize/v4 v4.4.1/go.mod h1:qOKJMMz2mBP+vcS7vK+mNz4HBLjaQSWRY22EF6Tb7Io=
-sigs.k8s.io/kustomize/kyaml v0.13.0 h1:9c+ETyNfSrVhxvphs+K2dzT3dh5oVPPEqPOE/cUpScY=
-sigs.k8s.io/kustomize/kyaml v0.13.0/go.mod h1:FTJxEZ86ScK184NpGSAQcfEqee0nul8oLCK30D47m4E=
+sigs.k8s.io/kustomize/kyaml v0.13.3 h1:tNNQIC+8cc+aXFTVg+RtQAOsjwUdYBZRAgYOVI3RBc4=
+sigs.k8s.io/kustomize/kyaml v0.13.3/go.mod h1:/ya3Gk4diiQzlE4mBh7wykyLRFZNvqlbh+JnwQ9Vhrc=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=