-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-35525: update to go 1.21 and k8s.io mods to v0.29.2 #85
OCPBUGS-35525: update to go 1.21 and k8s.io mods to v0.29.2 #85
Conversation
94a1b0e
to
9babaac
Compare
@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
9babaac
to
0637a2f
Compare
as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. ❯ go list -m -mod=mod all | rg crypto golang.org/x/crypto v0.16.0 => golang.org/x/crypto v0.17.0 this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated. [0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] : ❯ git remote -v origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push) ❯ git br * (HEAD detached at v0.17.0) master ❯ git log -1 commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0) Author: Roland Shoemaker <[email protected]> Date: Mon Nov 20 12:06:18 2023 -0800 ssh: implement strict KEX protocol changes Implement the "strict KEX" protocol changes, as described in section 1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1). Namely this makes the following changes: * Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode. * When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset. Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue. Fixes CVE-2023-48795 Fixes golang/go#64784 Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715 Reviewed-by: Nicola Murino <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Signed-off-by: Jamo Luhrsen <[email protected]>
0637a2f
to
9d59fc7
Compare
/jira refresh |
@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@jluhrsen: This pull request references Jira Issue OCPBUGS-35525, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, jluhrsen The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/label backport-risk-assessed |
@danwinship: Can not set label backport-risk-assessed: Must be member in one of these teams: [openshift-patch-managers openshift-staff-engineers openshift-release-oversight] In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/label cherry-pick-approved |
@jluhrsen: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
7089efe
into
openshift:release-4.16
@jluhrsen: Jira Issue OCPBUGS-35525: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-35525 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build ose-egress-router-cni-container-v4.16.0-202407180206.p0.g7089efe.assembly.stream.el9 for distgit egress-router-cni. |
Fix included in accepted release 4.16.0-0.nightly-2024-07-19-103710 |
as part of fixing CVE-2023-48795 [0], the golang.org/x/crypto fixed this in v0.17 [1]. this brings in 0.22:
❯ go list -m -mod=mod all | rg crypto
golang.org/x/crypto v0.16.0 => golang.org/x/crypto v0.17.0
this also updated kubernetes.NewForConfig() which now requires context.Context as the first argument so that was updated.
[0] https://www.cve.org/CVERecord?id=CVE-2023-48795 [1] :
❯ git remote -v
origin https://go.googlesource.com/crypto (fetch) origin https://go.googlesource.com/crypto (push)
❯ git br
(HEAD detached at v0.17.0) master
❯ git log -1
commit 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d (HEAD, tag: v0.17.0)
Author: Roland Shoemaker [email protected]
Date: Mon Nov 20 12:06:18 2023 -0800
ssh: implement strict KEX protocol changes
Implement the "strict KEX" protocol changes, as described in section
1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).
Namely this makes the following changes:
* Both the server and the client add an additional algorithm to the initial KEXINIT message, indicating support for the strict KEX mode.
* When one side of the connection sees the strict KEX extension algorithm, the strict KEX mode is enabled for messages originating from the other side of the connection. If the sequence number for the side which requested the extension is not 1 (indicating that it has already received non-KEXINIT packets), the connection is terminated. * When strict kex mode is enabled, unexpected messages during the handshake are considered fatal. Additionally when a key change occurs (on the receipt of the NEWKEYS message) the message sequence numbers are reset.
Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.
Fixes CVE-2023-48795 Fixes x/crypto/ssh: implement strict KEX protocol changes golang/go#64784
Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
Reviewed-by: Nicola Murino [email protected]
Reviewed-by: Tatiana Bradley [email protected]
TryBot-Result: Gopher Robot [email protected]
Run-TryBot: Roland Shoemaker [email protected]
Reviewed-by: Damien Neil [email protected]
LUCI-TryBot-Result: Go LUCI [email protected]