[NET-4865] security: Bump golang.org/x/net to 0.12.0#18186

Merged
zalimeni merged 1 commit into main from zalimeni/net-4865-bump-net_http-cve
Jul 19, 2023
Conversation

@zalimeni (Member)

While not necessary to directly address CVE-2023-29406 (which should be handled by using a patched version of Go when building), an accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2 change.

Bump this dependency across our submodules as well for the sake of potential indirect consumers of x/net/http.

Description

Resolves CVE-2023-29406 regarding net/http in consul and submodules.

Testing & Reproduction steps

Tests should continue to pass.

Links

https://nvd.nist.gov/vuln/detail/CVE-2023-29406
https://go-review.googlesource.com/c/go/+/506996
https://go-review.googlesource.com/c/net/+/506995

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern - addresses CVE

@zalimeni added the theme/security, backport/1.14, backport/1.15 and backport/1.16 labels on Jul 19, 2023
@zalimeni requested review from DanStough and picatz on July 19, 2023 15:06
@github-actions bot added the pr/dependencies (PR specifically updates dependencies of project) and theme/api (Relating to the HTTP API interface) labels on Jul 19, 2023
@zalimeni force-pushed the zalimeni/net-4865-bump-net_http-cve branch from 1964386 to 9e395b5 on July 19, 2023 15:07
@DanStough (Contributor) left a comment

LGTM, but I think you'll want to run a go mod tidy in test/integration/consul-container to update there as well and prevent linting errors.

Review comment on go.mod (Outdated)

@zalimeni (Member Author)

This was a pretty notable side-effect of this bump. The first release was Oct '22, so not as long ago as it might seem.

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.
@zalimeni force-pushed the zalimeni/net-4865-bump-net_http-cve branch from 9e395b5 to 84cbf09 on July 19, 2023 15:20

@zalimeni (Member Author) commented Jul 19, 2023

> LGTM, but I think you'll want to run a go mod tidy in test/integration/consul-container to update there as well and prevent linting errors.

Thanks @DanStough, good catch. Did there and in envoyextensions.

I also realized I should go ahead and set Go build versions across the board - first pass (failed) grepping led me to believe that had been moved to a common repo, but just found them based on an old PR. Until #18124 is resolved, I'll leave those test-specific versions pinned on 1.20.5. I'll do the Go bump in a follow-up PR for the sake of brevity.