Skip to content

[release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc.#9707

Merged
AkihiroSuda merged 4 commits intocontainerd:release/1.6from
aepifanov:fix-cves
Jan 30, 2024
Merged

[release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc.#9707
AkihiroSuda merged 4 commits intocontainerd:release/1.6from
aepifanov:fix-cves

Conversation

@aepifanov
Copy link
Copy Markdown

@aepifanov aepifanov commented Jan 29, 2024
edited
Loading

Fixing the following CVEs:

  • golang://golang.org/x/crypto:v0.15.0 CVE-2023-48795 Medium v0.17.0 /usr/bin/containerd
  • golang://go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc:v0.28.0 CVE-2023-47108 High
    v0.46.0 /usr/bin/containerd

@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Jan 29, 2024

Hi @aepifanov. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@aepifanov aepifanov force-pushed the fix-cves branch 3 times, most recently from e8ef5c8 to d777aad Compare January 30, 2024 05:43
@aepifanov aepifanov changed the title Fix cves [release/1.6] Fix cves Jan 30, 2024
@aepifanov aepifanov changed the title [release/1.6] Fix cves [release/1.6] Fix CVEs Jan 30, 2024
@AkihiroSuda
Copy link
Copy Markdown
Member

AkihiroSuda commented Jan 30, 2024

golang://golang.org/x/crypto:v0.15.0 GHSA-45x7-px36-x8w8 Medium v0.17.0 /usr/bin/containerd

This is a false alarm. containerd does not use x/crypto for SSH.

@AkihiroSuda
Copy link
Copy Markdown
Member

AkihiroSuda commented Jan 30, 2024

/ok-to-test

@AkihiroSuda AkihiroSuda changed the title [release/1.6] Fix CVEs [release/1.6] upgrade OpenTelemetry to v1.21.0 / v0.46.0 (CVE-2023-47108) etc. Jan 30, 2024
@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Jan 30, 2024

Is there an equivalent PR for the 1.7 release branch? (looks like that one is on an older version)

@AkihiroSuda AkihiroSuda merged commit cf4f85a into containerd:release/1.6 Jan 30, 2024
@aepifanov aepifanov deleted the fix-cves branch January 31, 2024 05:12
@dmcgowan dmcgowan mentioned this pull request Jan 31, 2024
Merged
@austinvazquez austinvazquez mentioned this pull request May 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estesp estesp estesp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

ok-to-test size/XXL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@aepifanov @k8s-ci-robot @AkihiroSuda @thaJeztah @estesp