
Update to go1.22.3 due to CVE #5681

Closed
Tracked by #9
MisterMX opened this issue May 13, 2024 · 5 comments
Labels
bug Something isn't working
Milestone

Comments

@MisterMX
Contributor

What happened?

go1.22.3 fixes two critical security issues regarding DNS resolution and code compilation on Darwin. See golang/go#67119 and golang/go#66754.

CVE: GHSA-5fq7-4mxc-535h

Google Group Announcement: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0

How can we reproduce it?

n.a.

What environment did it happen in?

All Crossplane versions running go < 1.21.10 and go < 1.22.3.

MisterMX added the bug label May 13, 2024

@negz
Member

negz commented May 13, 2024

I don't think there's much to do here.

#5684 already bumped this in master.

https://github.com/crossplane/crossplane/blob/release-1.14/go.mod#L3 - Appears unaffected.
https://github.com/crossplane/crossplane/blob/release-1.15/go.mod#L5 - Appears unaffected.

We'll need to make sure 1.16 gets released (crossplane/release#9) with a patched version of Go. I expect Renovate will bump the release-1.16 branch.

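The go.mod check negz describes above (reading the Go version each release branch declares and comparing it with the fixed releases named in this issue, 1.21.10 and 1.22.3), written out as an added example that is not part of this thread or of the Crossplane code base. It reads the `go` and `toolchain` directives from go.mod contents and reports whether the declared version predates the fix; the sample go.mod contents at the bottom are constructed, not real Crossplane branches.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Lowest patch level per Go minor that carries the fix, taken from the issue
// text: "go < 1.21.10 and go < 1.22.3" are affected.
var fixedPatch = map[int]int{21: 10, 22: 3}

// version is a parsed "1.22.3" / "go1.22.3" string.
type version struct{ major, minor, patch int }

// parseGoVersion accepts "1.22.3", "go1.22.3" or "1.22". A missing patch
// number is treated as .0, the lowest release of that minor, so a bare
// "go 1.22" directive is flagged conservatively.
func parseGoVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return version{}, fmt.Errorf("unrecognised go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("unrecognised go version %q: %w", s, err)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2]}, nil
}

// effectiveVersion returns the Go version a go.mod declares: the `toolchain`
// directive when present (the toolchain Go 1.21+ selects by default),
// otherwise the `go` directive.
func effectiveVersion(gomod string) (version, error) {
	var goDir, toolchain string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			goDir = fields[1]
		case "toolchain":
			toolchain = fields[1]
		}
	}
	if toolchain != "" {
		return parseGoVersion(toolchain)
	}
	if goDir == "" {
		return version{}, fmt.Errorf("no go directive found")
	}
	return parseGoVersion(goDir)
}

// isAffected reports whether v predates the fix. Minors with no entry in
// fixedPatch are treated as affected when older than 1.22 (no patched
// release exists for them) and unaffected when newer.
func isAffected(v version) bool {
	if v.major != 1 {
		return false
	}
	fixed, ok := fixedPatch[v.minor]
	if !ok {
		return v.minor < 22
	}
	return v.patch < fixed
}

// Verdict summarises a go.mod's exposure as a short string.
func Verdict(gomod string) string {
	v, err := effectiveVersion(gomod)
	if err != nil {
		return "error: " + err.Error()
	}
	if isAffected(v) {
		return fmt.Sprintf("go%d.%d.%d AFFECTED (needs >= 1.21.10 or >= 1.22.3)", v.major, v.minor, v.patch)
	}
	return fmt.Sprintf("go%d.%d.%d unaffected", v.major, v.minor, v.patch)
}

func main() {
	// Constructed sample go.mod contents; not real Crossplane release branches.
	samples := map[string]string{
		"legacy-1.21":  "module example.com/a\n\ngo 1.21.9\n",
		"patched-1.22": "module example.com/b\n\ngo 1.22\n\ntoolchain go1.22.3\n",
	}
	for name, gomod := range samples {
		fmt.Println(name+":", Verdict(gomod))
	}
}
```

The `go` directive is only the minimum language version the module requires; the binary is built by whatever toolchain CI or the build image invokes, so a go.mod check is a first pass. The version stamped into the released binary (`go version <binary>`) is the authoritative answer for a shipped release.
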
@jbw976
Member

jbw976 commented May 15, 2024

Trying to make sure this gets taken care of before v1.16 goes out today.

@phisco I haven't seen a PR for this go1.22.3 update from Renovate on the release-1.16 branch and that branch isn't even listed in the dependency dashboard. Is that because release-1.16 isn't listed in the baseBranches in https://github.com/crossplane/crossplane/blob/master/.github/renovate.json5#L15?

If that's the case, we should probably update the release steps to add the release branch to baseBranches right after creating it for code freeze, instead of waiting for the full release, so Renovate can keep it up to date right away starting with code freeze. What do you think?

@phisco
Contributor

phisco commented May 15, 2024

Yes, that's because we forgot to update the branch list:

"baseBranches": ["master","release-1.13","release-1.14","release-1.15"],

I was sure we had a step for it.

@phisco
Contributor

phisco commented May 15, 2024

@jbw976
Member

jbw976 commented May 15, 2024

I'll do the following:

Projects
Status: Done

4 participants