
[1.29][CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 #123763

Merged: 1 commit merged into kubernetes:release-1.29 on Mar 12, 2024

Conversation

liggitt
Member

@liggitt liggitt commented Mar 6, 2024

Manual pick of #123758

What type of PR is this?

/kind bug
/kind security

What this PR does / why we need it:

Updates protobuf dependencies for CVE-2024-24786

Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786

/assign @dims
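A dependency bump like this one only closes the CVE if the fixed versions actually win module resolution in every consuming module (a `replace` directive or a lower MVS pick can silently keep the old code). The following added check is not part of this PR or of Kubernetes; it takes `go list -m all` style output (the sample lines here are constructed, not real project output), honours `=>` replacements, and reports any tracked module that resolves below the fixed versions named in the PR title. The minimum versions map is the only page-derived data; `FindVulnerableModules` and `compareSemver` are example names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Fixed versions from the PR title: google.golang.org/protobuf v1.33.0 and
// github.com/golang/protobuf v1.5.4 for CVE-2024-24786.
var fixedVersions = map[string]string{
	"google.golang.org/protobuf": "v1.33.0",
	"github.com/golang/protobuf": "v1.5.4",
}

// Constructed sample of `go list -m all` output (not taken from any real module).
const sampleModuleList = `example.com/myservice
github.com/golang/protobuf v1.5.3
google.golang.org/protobuf v1.31.0
golang.org/x/net v0.21.0
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts and a
// pre-release tag. Go pseudo-versions (v1.32.1-0.20240101...) parse as a
// pre-release of their numeric triple, which is how Go orders them too.
func parseSemver(v string) (parts [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, "", false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, "", false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// compareSemver returns -1, 0 or 1 (like strings.Compare). A pre-release sorts
// below the same numeric version without one, so v1.33.0-rc1 < v1.33.0.
func compareSemver(a, b string) (int, error) {
	pa, prea, oka := parseSemver(a)
	pb, preb, okb := parseSemver(b)
	if !oka || !okb {
		return 0, fmt.Errorf("unparseable version: %q vs %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1, nil
		}
		if pa[i] > pb[i] {
			return 1, nil
		}
	}
	switch {
	case prea == "" && preb == "":
		return 0, nil
	case prea == "":
		return 1, nil
	case preb == "":
		return -1, nil
	}
	return strings.Compare(prea, preb), nil
}

// FindVulnerableModules scans `go list -m all` output and returns, for each
// tracked module path, the resolved version when it is below the fixed one.
// For "old vX => new vY" lines the replacement version is what gets built, so
// that is the version compared against the fix.
func FindVulnerableModules(moduleList string, fixed map[string]string) (map[string]string, error) {
	findings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(moduleList))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module line carries no version
		}
		path, ver := f[0], f[1]
		for i, tok := range f {
			if tok == "=>" {
				rhs := f[i+1:]
				if len(rhs) < 2 {
					ver = "" // local directory replacement: version unknown
				} else {
					ver = rhs[1]
				}
			}
		}
		want, tracked := fixed[path]
		if !tracked || ver == "" {
			continue
		}
		c, err := compareSemver(ver, want)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			findings[path] = ver
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := FindVulnerableModules(sampleModuleList, fixedVersions)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("all tracked modules are at or above the fixed versions")
		return
	}
	for path, ver := range findings {
		fmt.Printf("%s resolves to %s, below fixed %s\n", path, ver, fixedVersions[path])
	}
}
```

In practice you would pipe real `go list -m all` output into this instead of the embedded sample, and run it per module in a multi-module repository, since each module resolves versions independently. Go's own govulncheck tool performs this kind of reachability-aware check against the Go vulnerability database and is the production route; the hand-rolled version above is useful when you need to pin an explicit floor for a specific advisory in CI.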

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. labels Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Mar 6, 2024
@k8s-ci-robot
Contributor

@liggitt: The label(s) kind/security cannot be applied, because the repository doesn't have them.

In response to this:

Manual pick of #123758

What type of PR is this?

/kind bug
/kind security

What this PR does / why we need it:

Updates protobuf dependencies for CVE-2024-24786

Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786

/assign @dims

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/cloudprovider approved Indicates a PR has been approved by an approver from all required OWNERS files. area/code-generation do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. area/dependency Issues or PRs related to dependency changes needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 6, 2024
@k8s-ci-robot k8s-ci-robot requested a review from a team March 6, 2024 15:42
@k8s-ci-robot k8s-ci-robot added area/kubectl needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/kubelet sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 6, 2024
@liggitt liggitt changed the title [CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 [1.29][CVE-2024-24786] Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0 Mar 6, 2024
@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. labels Mar 6, 2024
@liggitt
Member Author

liggitt commented Mar 6, 2024

@enj is the kms test job failing on release branches? appears to be dying with this error on all release branches:

Error: unknown flag: --v
Usage of /home/prow/go/bin/kubetest2-tester-ginkgo:
      --env strings                   List of env variables to pass to ginkgo libraries (default [])
      --focus-regex string            Regular expression of jobs to focus on.
      --ginkgo-args string            Additional arguments supported by the ginkgo binary.
  -h, --help           
...

@aramase
Member

aramase commented Mar 6, 2024

@enj is the kms test job failing on release branches? appears to be dying with this error on all release branches:

Error: unknown flag: --v
Usage of /home/prow/go/bin/kubetest2-tester-ginkgo:
      --env strings                   List of env variables to pass to ginkgo libraries (default [])
      --focus-regex string            Regular expression of jobs to focus on.
      --ginkgo-args string            Additional arguments supported by the ginkgo binary.
  -h, --help           
...

This was fixed in master with #123251. Do we want to cherry-pick this to the release branches?

@liggitt
Member Author

liggitt commented Mar 6, 2024

if we're going to run that test in release branches, I guess so. not urgent, but would help avoid confusing signal

@aramase
Member

aramase commented Mar 6, 2024

if we're going to run that test in release branches, I guess so. not urgent, but would help avoid confusing signal

opened cherry-picks for 1.29, 1.28 and 1.27. I wasn't sure if we needed it for 1.26 (EOL).

@jiahuif
Member

jiahuif commented Mar 12, 2024

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 12, 2024
@liggitt
Member Author

liggitt commented Mar 12, 2024

cc @kubernetes/release-managers

@puerco
Member

puerco commented Mar 12, 2024

Job timed out: Process did not finish before 2h30m0s timeout

/test pull-kubernetes-e2e-kind-kms

@dims
Member

dims commented Mar 12, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 12, 2024
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 9bf3fa4ba7a995110f209f7d469c6f5e347145f7

Member

@puerco puerco left a comment


/lgtm
@liggitt is this going to the older branches too? Since it is a CVE I'm approving it to get it in ASAP.

@k8s-ci-robot k8s-ci-robot added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. labels Mar 12, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@puerco
Member

puerco commented Mar 12, 2024

/test pull-kubernetes-unit-go-compatibility

@liggitt
Member Author

liggitt commented Mar 12, 2024

is this going to the older branches too?

Already merged: https://github.com/kubernetes/kubernetes/pulls?q=is%3Apr+%22CVE-2024-24786%22

@k8s-ci-robot k8s-ci-robot merged commit a6fe782 into kubernetes:release-1.29 Mar 12, 2024
18 checks passed
SIG Node PR Triage automation moved this from Triage to Done Mar 12, 2024