
OCPBUGS-6296: Address CVE-2022-41717 #87

Closed

Conversation

@alebedev87 commented Jan 25, 2023

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 25, 2023
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-6296, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.0) matches configured target version for branch (4.13.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci

openshift-ci bot commented Jan 25, 2023

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lihongan.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.


@openshift-ci openshift-ci bot requested review from gcs278 and knobunc January 25, 2023 23:12
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-6296, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.0) matches configured target version for branch (4.13.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

CVE-2022-41717


@openshift-ci

openshift-ci bot commented Jan 25, 2023

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: lihongan.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.


@alebedev87
Author

/test images

@alebedev87
Author

PR to fix the job names: openshift/release#35752

@alebedev87
Author

/test images

@alebedev87
Author

/test e2e-gcp-serial

3 similar comments
@alebedev87
Author

/test e2e-gcp-serial

@alebedev87
Author

/test e2e-gcp-serial

@alebedev87
Author

/test e2e-gcp-serial

@alebedev87
Author

Discussion on the disruption test failures: https://redhat-internal.slack.com/archives/CBWMXQJKD/p1675177679304379.
Not many paths forward, retrying for now...

@alebedev87
Author

/test e2e-gcp-serial

To be dropped if golang.org/x/net upstream is >= v0.5.0.
@alebedev87 alebedev87 force-pushed the x-net-http2-cve-2022-41717 branch from e45f62a to 67f89ff Compare February 22, 2023 11:53
@openshift-ci

openshift-ci bot commented Feb 22, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from alebedev87. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alebedev87
Author

/retest-required

@alebedev87
Author

We currently do not have sufficient m6a.xlarge capacity in the Availability Zone you requested (us-east-1d)

/test e2e-aws-upgrade

@alebedev87
Author

/test e2e-gcp-serial

1 similar comment
@alebedev87
Author

/test e2e-gcp-serial

@melvinjoseph86

/retest

@melvinjoseph86

Verifying using pre-merge image.
oc NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.13.0-0.ci.test-2023-03-03-051147-ci-ln-7qvj5i2-latest True False 60m Cluster version is 4.13.0-0.ci.test-2023-03-03-051147-ci-ln-7qvj5i2-latest

melvinjoseph@mjoseph-mac Downloads % oc get po -n openshift-dns
NAME READY STATUS RESTARTS AGE
dns-default-74qnf 2/2 Running 0 3m31s
dns-default-8jkk9 2/2 Running 0 73m
dns-default-k87pw 2/2 Running 0 69m
dns-default-kq2zr 2/2 Running 0 73m
dns-default-rhvls 2/2 Running 0 69m
dns-default-zmtw6 2/2 Running 0 73m
node-resolver-64chj 1/1 Running 0 73m
node-resolver-f888d 1/1 Running 0 69m
node-resolver-fw2fh 1/1 Running 0 73m
node-resolver-jqxtd 1/1 Running 0 69m
node-resolver-q7vl8 1/1 Running 0 73m
node-resolver-z7m2l 1/1 Running 0 4m14s

melvinjoseph@mjoseph-mac Downloads % oc rsync -n openshift-dns dns-default-74qnf:/usr/bin/coredns .
receiving file list ... done
coredns

sent 38 bytes received 72817404 bytes 2240536.68 bytes/sec
total size is 72799544 speedup is 1.00
Defaulted container "dns" out of: dns, kube-rbac-proxy
melvinjoseph@mjoseph-mac Downloads %
melvinjoseph@mjoseph-mac Downloads % strings ./coredns >> forbug.txt

melvinjoseph@mjoseph-mac Downloads % grep -B1 "1.19.4" forbug.txt
+mG|
go1.19.4

Go buildinf:
go1.19.4
melvinjoseph@mjoseph-mac Downloads % grep -B1 "v0.5.0" forbug.txt
github.com/openzipkin-contrib/zipkin-go-opentracing
v0.5.0

golang.org/x/sys
v0.5.0
golang.org/x/term
v0.5.0

github.com/openzipkin-contrib/zipkin-go-opentracing
v0.5.0

golang.org/x/sys
v0.5.0
golang.org/x/term
v0.5.0
melvinjoseph@mjoseph-mac Downloads % grep -B1 "v0.7.0" forbug.txt
golang.org/x/net
v0.7.0

golang.org/x/text
v0.7.0

golang.org/x/net
v0.7.0

golang.org/x/text
v0.7.0

Hence marking as verified.
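The check above is done with `strings | grep`, which matches any module that happens to sit at the grepped version (x/net and x/text are both at v0.7.0 in that output, x/sys and x/term both at v0.5.0). The build info that `go version -m ./coredns` prints from the same binary lists each module path beside its own version, so the decision can be made against the path. The following is an added example, not code from this PR or from the project it targets: it parses text in the shape of `go version -m` output and applies the threshold the review thread settles on, golang.org/x/net below v0.4.0 is affected by CVE-2022-41717, v0.4.0 and later is not (a binary with no x/net dependency relies on net/http's bundled HTTP/2 and is fixed by the Go toolchain instead, Go 1.19.4 / 1.18.9 and later). The embedded build-info text is constructed: the module list is abbreviated and the `h1:placeholder` sums are not real hashes. Pseudo-versions and `=>` replace lines are handled because both can appear in real build info and both would be mis-read by a plain string match.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// fixedXNet is the first golang.org/x/net tag with the CVE-2022-41717 fix; every earlier tag
// or pseudo-version is affected. (No x/net dep at all means the toolchain decides: Go 1.19.4/1.18.9+.)
const fixedXNet = "v0.4.0"

// sampleBuildInfo is constructed sample input in the shape of `go version -m ./coredns`;
// the module list is abbreviated and the h1: sums are placeholders, not real hashes.
const sampleBuildInfo = `./coredns: go1.19.4
	path	github.com/coredns/coredns
	mod	github.com/coredns/coredns	(devel)
	dep	golang.org/x/net	v0.7.0	h1:placeholder
	dep	golang.org/x/text	v0.7.0	h1:placeholder
`

type semver struct {
	num [3]int // major, minor, patch
	pre string // prerelease or pseudo-version suffix; "" for a tagged release
}

// parseSemver parses "[v]MAJOR.MINOR.PATCH[-pre][+meta]". A pseudo-version such as
// v0.0.0-20221012135044-0b7e1fb9d458 becomes 0.0.0 plus a suffix, i.e. below v0.4.0.
func parseSemver(s string) (semver, error) {
	v, _, _ := strings.Cut(strings.TrimPrefix(s, "v"), "+") // build metadata never orders
	v, pre, _ := strings.Cut(v, "-")
	sv := semver{pre: pre}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &sv.num[0], &sv.num[1], &sv.num[2])
	if n != 3 || err != nil {
		return semver{}, fmt.Errorf("want MAJOR.MINOR.PATCH: %q", s)
	}
	return sv, nil
}

// compare returns -1, 0 or 1 as a is below, equal to or above b.
func (a semver) compare(b semver) int {
	for i := range a.num {
		if a.num[i] != b.num[i] {
			if a.num[i] < b.num[i] {
				return -1
			}
			return 1
		}
	}
	if (a.pre == "") != (b.pre == "") { // same number: a release outranks its prereleases
		if a.pre == "" {
			return 1
		}
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// xNetVersion returns the golang.org/x/net version recorded in a binary's build info, given the
// text printed by `go version -m <binary>`. A "=>" line directly under the dep line is a replace
// directive naming what was really compiled in, so it overrides the dep line.
func xNetVersion(buildInfo string) (string, bool) {
	var version string
	prevWasXNet := false
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		isXNetDep := len(f) >= 3 && f[0] == "dep" && f[1] == "golang.org/x/net"
		isReplace := len(f) >= 3 && f[0] == "=>" && prevWasXNet
		if isXNetDep || isReplace {
			version = f[2]
		}
		prevWasXNet = isXNetDep
	}
	return version, version != ""
}

// affectedByCVE202241717 reports whether the recorded x/net is older than fixedXNet. It errors when
// x/net is absent or its version is not a tag (e.g. "(devel)" from a directory replace), so that
// "cannot tell" is never read as "safe".
func affectedByCVE202241717(buildInfo string) (bool, error) {
	v, ok := xNetVersion(buildInfo)
	if !ok {
		return false, fmt.Errorf("golang.org/x/net not in build info; judge by the Go toolchain version")
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, err
	}
	fixed, _ := parseSemver(fixedXNet)
	return have.compare(fixed) < 0, nil
}

func main() {
	affected, err := affectedByCVE202241717(sampleBuildInfo)
	fmt.Printf("sample build info affected by CVE-2022-41717: %v (err: %v)\n", affected, err)
}
```

To use it on the real artifact, run `go version -m ./coredns` on the binary pulled out with `oc rsync` and pass that text to affectedByCVE202241717. The build info is embedded by the go tool in every module-mode build, in its own section rather than the symbol table, so it is still readable from a binary linked with `-s -w`.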

@melvinjoseph86

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Mar 3, 2023
@alebedev87
Author

/test e2e-gcp-serial

@melvinjoseph86

/retest-required

@alebedev87
Author

/test e2e-gcp-serial

@openshift-ci

openshift-ci bot commented Mar 31, 2023

@alebedev87: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-serial 67f89ff link true /test e2e-gcp-serial


@gcs278

gcs278 commented Apr 3, 2023

CI is fixed.
/retest-required

Review comment on the diff:
According to the CVE, it's x/net < 0.4.0 that is affected.

I think the CVE is already satisfied without the updates, right?

Author:
I don't know how I overlooked that. Yes, it's <0.4.0, have to close this PR.

@alebedev87 (Author) Apr 4, 2023:
Update: the rebase PR which was created after this one bumped the new version of x/net. So, initially the PR was doing the right thing but the rebase PR got merged first.

@alebedev87
Author

Current x/net version is v0.4.0 which is unaffected by CVE-2022-41717.

@alebedev87 alebedev87 closed this Apr 4, 2023
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-6296. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

In response to this:

CVE-2022-41717

