
[release/1.7] deps: update golang.org/x/ #11178

Merged: 1 commit merged into containerd:release/1.7 on Dec 31, 2024

Conversation

@ErikJiang (Contributor) commented Dec 18, 2024

backport: #11145

During a vulnerability scan of containerd version 1.7.24,
we found that the golang.org/x/crypto package has vulnerabilities CVE-2022-30636 and CVE-2024-45337.
To eliminate these false positives, we need to update the relevant dependency versions.

full diff:

@k8s-ci-robot commented

Hi @ErikJiang. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dosubot dosubot bot added the dependencies and go labels Dec 18, 2024
@ErikJiang ErikJiang force-pushed the update_crypto branch 3 times, most recently from 071d67a to e03a762 Compare December 18, 2024 09:37
@austinvazquez (Member) commented Dec 18, 2024

@ErikJiang, to be clear, neither of the CVEs listed affects containerd, as it does not use either the golang.org/x/crypto/acme or the golang.org/x/crypto/ssh package. These are strictly false positives here by security scanners. Can you update your PR description accordingly to explicitly state the change is only to silence false positives?
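The point made in this thread, that a scanner finding against a module is only a real exposure when one of the advisory's affected packages is actually in the build graph (or the module is already at a fixed version), is the check worth automating before bumping a dependency just to quiet a scanner. The program below is an added example, not code from containerd or from this PR: it takes `go list -deps ./...` style output and a `go.mod`, and triages each finding as reachable, not reachable (false positive), or already fixed. The dependency listing and `go.mod` are constructed sample inputs, the affected packages for the two CVEs follow the thread (`golang.org/x/crypto/acme` and `golang.org/x/crypto/ssh`), and the `FixedIn` versions and the `EXAMPLE-0000` finding are illustrative placeholders, not values from the advisories.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one scanner result: the flagged module, the import paths within
// it that the advisory actually covers, and the first version carrying the fix.
type Finding struct {
	ID       string
	Module   string
	Affected []string // affected import paths; subpackages match by prefix
	FixedIn  string   // vMAJOR.MINOR.PATCH (placeholder values in this example)
}

// Triage outcomes.
const (
	Reachable    = "reachable: an affected package is in the build graph"
	NotReachable = "not reachable: no affected package in the build graph (scanner false positive)"
	AlreadyFixed = "already fixed: module version is at or above the fixed version"
)

// Constructed sample inputs for this example, not real containerd output.
const sampleDeps = `
fmt
golang.org/x/crypto/ed25519
golang.org/x/crypto/nacl/secretbox
golang.org/x/sys/unix
`

const sampleGoMod = `
module example.com/scanned
go 1.22
require (
	golang.org/x/crypto v0.30.0
	golang.org/x/sys v0.28.0 // indirect
)
`

// parseDeps turns "go list -deps ./..." style output (one import path per
// line) into a set of import paths.
func parseDeps(out string) map[string]bool {
	deps := make(map[string]bool)
	for _, line := range strings.Split(out, "\n") {
		if p := strings.TrimSpace(line); p != "" {
			deps[p] = true
		}
	}
	return deps
}

// parseGoModVersions extracts module -> version from go.mod require lines,
// both the single-line form and entries inside a require ( ... ) block.
func parseGoModVersions(gomod string) map[string]string {
	vers := make(map[string]string)
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "require ")
		f := strings.Fields(line)
		if len(f) >= 2 && strings.HasPrefix(f[1], "v") {
			vers[f[0]] = f[1]
		}
	}
	return vers
}

// parseVersion reads the numeric MAJOR.MINOR.PATCH part of a version; any
// pre-release or pseudo-version suffix after "-" or "+" is ignored.
func parseVersion(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(part)
		out[i] = n
	}
	return out
}

// versionLess reports whether version a is older than version b.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// inGraph reports whether pkg or any of its subpackages is in the build graph.
func inGraph(deps map[string]bool, pkg string) bool {
	for d := range deps {
		if d == pkg || strings.HasPrefix(d, pkg+"/") {
			return true
		}
	}
	return false
}

// triage classifies a finding: fixed version first, then reachability.
func triage(f Finding, deps map[string]bool, versions map[string]string) string {
	if v, ok := versions[f.Module]; ok && !versionLess(v, f.FixedIn) {
		return AlreadyFixed
	}
	for _, pkg := range f.Affected {
		if inGraph(deps, pkg) {
			return Reachable
		}
	}
	return NotReachable
}

func main() {
	deps := parseDeps(sampleDeps)
	versions := parseGoModVersions(sampleGoMod)
	findings := []Finding{
		// CVE ids from the PR; FixedIn values are illustrative placeholders.
		{"CVE-2024-45337", "golang.org/x/crypto", []string{"golang.org/x/crypto/ssh"}, "v0.31.0"},
		{"CVE-2022-30636", "golang.org/x/crypto", []string{"golang.org/x/crypto/acme"}, "v0.31.0"},
		// Made-up finding that exercises the reachable branch.
		{"EXAMPLE-0000", "golang.org/x/crypto", []string{"golang.org/x/crypto/ed25519"}, "v0.99.0"},
	}
	for _, f := range findings {
		fmt.Printf("%s (%s@%s): %s\n", f.ID, f.Module, versions[f.Module], triage(f, deps, versions))
	}
}
```

On a real module, feed the program the output of `go list -deps ./...` (the `-test` flag widens the graph if test-only imports matter) rather than the constructed listing, and take the affected packages and fixed versions from the advisory itself; a finding that comes back "not reachable" is the false-positive case described above, and the dependency bump is then hygiene rather than a security fix.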

@ErikJiang ErikJiang force-pushed the update_crypto branch 4 times, most recently from 62f0db6 to 11cac87 Compare December 20, 2024 00:21
@mxpv mxpv merged commit e9ce1e9 into containerd:release/1.7 Dec 31, 2024
55 checks passed
Labels: dependencies, go, needs-ok-to-test, size/XXL