
Fixed (CVE-2022-27664) Bump golang.org/x/net to v0.1.1-0.20221027164007-c63010009c80

Open chaunceyjiang opened this issue 2 years ago • 9 comments

Signed-off-by: chaunceyjiang [email protected]

What type of PR is this?

golang.org/x/net is too old and vulnerable to https://pkg.go.dev/vuln/GO-2022-0969

What this PR does / why we need it:

Which issue(s) this PR fixes: Fixes #

Special notes for your reviewer: like https://github.com/kubernetes/kubernetes/issues/112758

Does this PR introduce a user-facing change?:

NONE

chaunceyjiang avatar Nov 01 '22 06:11 chaunceyjiang

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: To complete the pull request process, please assign kevin-wangzefeng after the PR has been reviewed. You can assign the PR to them by writing /assign @kevin-wangzefeng in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

karmada-bot avatar Nov 01 '22 06:11 karmada-bot

/assign @RainbowMango

XiShanYongYe-Chang avatar Nov 01 '22 07:11 XiShanYongYe-Chang

I'm trying to figure out how this affects Karmada. @chaunceyjiang do you know?

RainbowMango avatar Nov 01 '22 09:11 RainbowMango

main module does not need module golang.org/x/net/http2, but I saw that in the vendor directory


chaunceyjiang avatar Nov 01 '22 09:11 chaunceyjiang

The package in the vendor is probably because of a transitive dependency.

RainbowMango avatar Nov 01 '22 09:11 RainbowMango

I found this. 😂

chaunceyjiang avatar Nov 01 '22 10:11 chaunceyjiang

https://go.dev/ref/mod#go-mod-why

Using go mod why without -m gives this result.

$ go mod why golang.org/x/net/http2
# golang.org/x/net/http2
github.com/karmada-io/karmada/cmd/agent
k8s.io/apiserver/pkg/server
golang.org/x/net/http2

This is the file that uses golang.org/x/net/http2

k8s.io/apiserver/pkg/server/secure_serving.go

cmicat avatar Nov 04 '22 07:11 cmicat

By the way, the link you gave also mentions that the net/http standard library is affected.

I think the GitHub workflows need to be updated too. Otherwise, the release binary will still use an older version of the Go SDK.

Search for go-version in https://github.com/karmada-io/karmada/tree/ac7619fb1393b880bd1666ed17b609a552cdc0bc/.github/workflows

cmicat avatar Nov 04 '22 07:11 cmicat

I think the GitHub workflows need to be updated too. Otherwise, the release binary will still use an older version of the Go SDK.

+1, I haven't finished the investigation, but it seems updating the Golang version could avoid this risk.

RainbowMango avatar Nov 04 '22 09:11 RainbowMango

I haven't finished the investigation, but it seems updating the Golang version could avoid this risk.

Any progress?

chaunceyjiang avatar Nov 07 '22 01:11 chaunceyjiang

The latest stable version of golang.org/x/net is "v0.1.0". It seems you used an unpublished version?

yes, I borrowed from k/k. Refer to https://github.com/kubernetes/kubernetes/pull/112693

chaunceyjiang avatar Nov 09 '22 02:11 chaunceyjiang

@chaunceyjiang I don't think we are affected by this CVE.

The affected packages are:

  • net/http, but this only happens with Golang versions before go1.18.6 and from go1.19.0 before go1.19.1. Now we are using go1.19.4 (master and release-1.4), go1.18.9 (release-1.3), go1.17.13 (release-1.2); still not sure if release-1.2 is affected.
  • golang.org/x/net/http2: we don't use this package now.

RainbowMango avatar Dec 09 '22 01:12 RainbowMango
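The two checks the thread walks through by hand (cmicat's `go mod why` run to see why `golang.org/x/net/http2` ends up in the build, and RainbowMango's comparison of the toolchain version against the affected `net/http` ranges) can be scripted. The following is an added example, not code from the Karmada project or from anyone in this thread. It parses `go mod why` output in the format shown earlier in the thread and applies exactly the version ranges quoted above (before go1.18.6, and from go1.19.0 before go1.19.1); the sample output embedded in `SampleWhyOutput` is the one quoted by cmicat, and the function and type names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ImportChain is the path `go mod why` prints from a main-module package down
// to the queried package, one package per line.
type ImportChain []string

// ParseGoModWhy parses the output of `go mod why <pkg>` (without -m). Each
// "# pkg" header starts a block and the lines after it form the import chain.
// A package the main module does not need is printed by go as
// "(main module does not need package pkg)" and maps to a nil chain.
func ParseGoModWhy(out string) map[string]ImportChain {
	chains := map[string]ImportChain{}
	current := ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
		case strings.HasPrefix(line, "# "):
			current = strings.TrimPrefix(line, "# ")
			chains[current] = nil
		case strings.HasPrefix(line, "("):
			// "(main module does not need package ...)": keep the nil chain.
		case current != "":
			chains[current] = append(chains[current], line)
		}
	}
	return chains
}

// GoVersion is a parsed toolchain version such as "go1.19.4".
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion accepts "go1.19.4", "1.19.4" or "go1.19" (patch level 0).
func ParseGoVersion(s string) (GoVersion, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// Less reports whether v is older than o.
func (v GoVersion) Less(o GoVersion) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// NetHTTPAffected applies the ranges quoted in the thread for the standard
// library net/http: before go1.18.6, and from go1.19.0 before go1.19.1.
// Note that a literal reading puts go1.17.13 inside the first range.
func NetHTTPAffected(v GoVersion) bool {
	return v.Less(GoVersion{1, 18, 6}) ||
		(!v.Less(GoVersion{1, 19, 0}) && v.Less(GoVersion{1, 19, 1}))
}

// SampleWhyOutput is the `go mod why golang.org/x/net/http2` output quoted
// earlier in the thread, embedded so the example runs offline.
const SampleWhyOutput = `# golang.org/x/net/http2
github.com/karmada-io/karmada/cmd/agent
k8s.io/apiserver/pkg/server
golang.org/x/net/http2
`

func main() {
	chain := ParseGoModWhy(SampleWhyOutput)["golang.org/x/net/http2"]
	fmt.Printf("x/net/http2 import chain: %v\n", chain)
	for _, s := range []string{"go1.19.4", "go1.18.9", "go1.17.13"} {
		v, err := ParseGoVersion(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s toolchain net/http affected: %v\n", s, NetHTTPAffected(v))
	}
}
```

In a CI job the `go mod why` output would come from running the command in the repository and the version from `go version` or the `go-version` field in the workflow file cmicat points at; a nil chain means the package is not linked in at all, while a non-nil chain names the transitive importer (here `k8s.io/apiserver/pkg/server`) that pulls it in.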

But, since Kubernetes released v1.25.5, we can update the dependencies to address potential threats.

RainbowMango avatar Dec 09 '22 01:12 RainbowMango