
[release/1.7] deps: update golang.org/x/ #11178

Merged
mxpv merged 1 commit into containerd:release/1.7 from ErikJiang:update_crypto
Dec 31, 2024

Conversation

@ErikJiang
Contributor

@ErikJiang ErikJiang commented Dec 18, 2024

backport: #11145

During a vulnerability scan of containerd version 1.7.24,
we found that the golang.org/x/crypto package has vulnerabilities CVE-2022-30636 and CVE-2024-45337.
To eliminate these false positives, we need to update the relevant dependency versions.

full diff:

@k8s-ci-robot

Hi @ErikJiang. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

dosubot bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) on Dec 18, 2024
@austinvazquez
Member

austinvazquez commented Dec 18, 2024

@ErikJiang, to be clear, neither of the CVEs listed affects containerd, as it does not use either the golang.org/x/crypto/acme or golang.org/x/crypto/ssh packages. These are strictly false positives here by security scanners. Can you update your PR description accordingly to explicitly state the change is only to silence false positives?


Labels: dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code), needs-ok-to-test, size/XXL


5 participants