1.9 CVE fix

[Bslabe123]

Description

Fixes for GHSA-3wx7-46ch-7rq2, GHSA-vc3p-29h2-gpcp and GHSA-3wx7-46ch-7rq2

Checklist:

• I included a concise, user-facing changelog (for details, see https://github.com/solo-io/go-utils/tree/master/changelogutils) which references the issue that is resolved.
• If I updated APIs (our protos) or helm values, I ran make -B install-go-tools generated-code to ensure there will be no code diff
• I followed guidelines laid out in the Gloo Edge contribution guide
• I opened a draft PR or added the work in progress label if my PR is not ready for review
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[ianmacclancy]

Failure in Ci
https://storage.googleapis.com/solo-public-build-logs/logs.html?buildid=c7198ad5-3930-417d-87b6-89b770d592ac

This looks like a go version issue

Step #10 - "test": Failed to compile test: Step #10 - "test": Step #10 - "test": # golang.org/x/net/http2 Step #10 - "test": /go/pkg/mod/golang.org/x/[email protected]/http2/transport.go:417:45: undefined: os.ErrDeadlineExceeded Step #10 - "test": Step #10 - "test": Ginkgo ran 2 suites in 39.281033077s Step #10 - "test": Test Suite Failed Step #10 - "test": Step #10 - "test": �[38;5;228mGinkgo 2.0 is coming soon!�[0m

/kick

[inFocus7]

/kick (A just-in-case, while looking into it some more.)

---

Agree(d) with Ian after I saw this post.

Although weirdly enough, it looks like gloo 1.10 did this net bump as well and passed. From what I saw, both use go1.16.3 (based on searching in their repos), so I'm confused on what the difference would be...

Update:

• v1.10.x uses e2e-go-mod-ginkgo:0.4.15 which uses go1.16.3.
• v1.9.x uses e2e-go-mod-ginkgo:0.2.1 which uses go1.13.4.

I'll check golang updates to see where os.ErrDeadlineExceeded was introduced and get the e2e-go-mod-ginkgo closest in versioning to the current one, but safest/easiest bet would be to use e2e-go-mod-ginkgo:0.4.15.

Update 2
Introduced in go1.15; yeah we should bump the e2e-go-mod-ginkgo.
golang/go@d422f54

[sam-heilbron]

Can we also bump go-utils to pull in the fix for the logging npe if it's affected (solo-io/go-utils#487)

In the original PR that bumped go-utils to pull in the logging handler npe fix (solo-io#6709), I added logic to one of our kube2e tests to hit the logging endpoint. The idea was that this test will only pass if the request can be made. Since it's recommended in our production docs I think it's valuable that we have automated testing to confirm that it works. Can we add the same check to this branch as well?

[ianmacclancy]

LGTM