[Release/1.6] CVE-2022-1996 fix for go-restful #9385

Merged: estesp merged 1 commit into containerd:release/1.6 from hightoxicity:cve-less-go-restful on Nov 16, 2023

@hightoxicity

Remove CVE-2022-1996 from the containerd binary by upgrading go-restful to 2.16.0

GHSA-r48q-9g5r-8q2h

@k8s-ci-robot

Hi @hightoxicity. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hightoxicity
Author

/test all

@k8s-ci-robot

@hightoxicity: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test all

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dmcgowan
Member

Can you remove the accidental README change from the commit?

Signed-off-by: hightoxicity <[email protected]>

Also, please sign with your real name here rather than username.

Comment thread go.mod Outdated
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
github.com/docker/go-metrics v0.0.1
github.com/docker/go-units v0.4.0
github.com/docker/go-units v0.5.0
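
Review bot: the github.com/docker/go-units line appears here at both v0.4.0 and v0.5.0, which reads as a version bump of a dependency that the PR description (upgrading go-restful to 2.16.0) does not mention. On a release-branch CVE backport, go.mod should change only for the module being fixed and whatever that upgrade strictly requires. If go-units v0.5.0 is needed by the new go-restful version, state that in the commit message; otherwise restore v0.4.0 so the backport stays minimal and easy to audit.
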
Member

Was this update related or a manual change? I notice that #9388 did not update this dependency

Author

I removed this bump

@hightoxicity
Author

Hi @dmcgowan, sorry for the new line in the readme, I tried to force CI to rerun, I was thinking it was an unexpected failure.
I have re-pushed a new commit with proper username.

Thx

….16.0

Signed-off-by: hightoxicity <[email protected]>
Signed-off-by: Tony Fouchard <[email protected]>

@hightoxicity changed the title from "CVE-2022-1996 fix for go-restful" to "[Release/1.6] CVE-2022-1996 fix for go-restful" on Nov 16, 2023

@Kern-- left a comment

This looks good to me, for what it's worth.

Member

@thaJeztah left a comment

LGTM

@estesp merged commit a971f55 into containerd:release/1.6 on Nov 16, 2023
@hightoxicity deleted the cve-less-go-restful branch on November 17, 2023 07:38

@hightoxicity
Author

hightoxicity commented Nov 17, 2023

Thanks @thaJeztah, what is the process to get a 1.6.25 version tagged and available in nightly channels of the docker repositories (example: https://download.docker.com/linux/ubuntu/dists/jammy/pool/nightly/amd64/)?

Maybe I can get some nightly binaries here https://github.com/containerd/containerd/actions/workflows/nightly.yml ?
Thx
