Tracking issue for releases v1.9.3 and v1.8.4

[rikatz]

We need new releases due to:

• New curl release (CVE-2023-38545 and CVE-2023-38546)
• New Go release (CVE-2023-44487 and CVE-2023-39325)
• Patched NGINX - Thanks @Hacks4Snacks for quickly adding the patch on NGINX compilation add upstream patch for CVE-2023-44487 #10494

/priority urgent
/kind bug
/triage accepted

Tasks

Preview Give feedback

1. Promote test-runner and base image after Bump curl and Go version #10503 update nginx, test runner and others k8s.io#5962
2. Change the building and testing tags on main and do it again update nginx base, httpbun, e2e, helm webhook cert gen #10506
3. Cherry pick the image and go changes for release 1.8, Cherry pick image bump and re-add AJP as dynamic module #10509 and release 1.9, [release-1.9] update nginx base, httpbun, e2e, helm webhook cert gen #10507
4. Release 1.9.3 release 1.9.3 #10520 and 1.8.4 controller 1.8.4 and helm 4.7.2 release #10519

[k8s-ci-robot]

@rikatz: The label(s) priority/urgent cannot be applied, because the repository doesn't have them.

In response to this:

We need new releases due to:

• New curl release (upcoming CVE)
• New Go release (CVE-2023-44487 and CVE-2023-39325)
• Patched NGINX - Thanks @Hacks4Snacks for quickly adding the patch on NGINX compilation

/priority urgent
/kind bug
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rikatz]

#10503

[strongjz]

open kubernetes/k8s.io#5962 for nginx and test runner

[strongjz]

update all the images now that they have been promoted #10506

[strongjz]

1.8 cherry pick #10508

1.9 cherry pick #10507

[rikatz]

Release 1.8.3 will be stuck with the fact that we've removed AJP module from build. We need to think on a way to get around it now :/

[rikatz]

#10509 for 1.8. I'm closing the original cherry-pick

[rikatz]

kubernetes/k8s.io#5965 for image promotion

[chris-ng-scmp]

Hi, how about 1.7? Is it still a supported version, or the CVEs are not affecting 1.7?

Many thanks

[rikatz]

1.7 is not supported anymore

[rikatz]

Update of release status: it is 1am here, @tao12345666333 is taking over now on manifests, chart and other stuff generation for v1.8 and v1.9

I need soon to fix mage again (sorry @strongjz I keep breaking stuff)

[vinay01tech]

@rikatz Where I can find release cycle, to make sure we are up-to-date ?

[rikatz]

Required new PRs to bump go/x/net (forgot to cherry pick it, sorry....)
#10515
#10517

Once merged, we will post trivy and grype results here

[rikatz]

Release will be a bit delayed due to problems with release script and me forgetting the bump of x/net, I will work on it during my afternoon

[strongjz]

Bumping x net

1.8.4 https://github.com/kubernetes/ingress-nginx/pull/10515/files
1.9.3 https://github.com/kubernetes/ingress-nginx/pull/10517/checks

[strongjz]

There was also an issue with 1.8 release since we deprecated AJP in 1.9, so the back port to 1.8 for the CVE fix break CI. @rikatz as always did great work and fixed it. We should have both 1.8.4 and 1.9.3 out today.

[strongjz]

promotion job kubernetes/k8s.io#5968

[strongjz]

1.9.3 #10520

1.8.4 #10519

[strongjz]

https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.8.4

https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.9.3