Request 16.0.x release (please)
Can we please have a 16.0.x release to pick-up all of the dependency updates that have been committed?
@rjeberhard to do this, we will need cherry-picks of the relevant dependency PRs into the release-16 branch.
If you can send those PRs I'm happy to merge them and cut a release.
Side note to @yue9944882: we should consider turning on dependabot for release branches.
@brendandburns, the SnakeYAML dependency is the only one I see on our security scans:
- "MEDIUM","CVE-2022-38749","Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."
- "MEDIUM","CVE-2022-38750","Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."
- "MEDIUM","CVE-2022-38751","Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow."
- "MEDIUM","CVE-2022-38752","Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow."
https://github.com/kubernetes-client/java/pull/2391
@rjeberhard go ahead and create a cherry-pick PR for that dependency bump (PR to the release-16 branch instead of the main branch) and then we can cut a new release.
Side note to @yue9944882: we should consider turning on dependabot for release branches.
I'm a bit worried that dependabot will be spammy (opening too many PRs). I can constantly see 4-5 pending PRs even though we merely enabled the bot on the master branch. How about we enable the bot for the latest release branch only (release-16 this time, and shift to release-17 the next)?
Is there any plan to upgrade okhttp3:okhttp, okhttp3:logging-interceptor (depending on kotlin-stdlib) and protobuf-java in this release? (CVE-2020-29582, CVE-2022-24329, CVE-2022-3171)
Would it be possible to include in this version the commits related to these PRs, please?
- https://github.com/kubernetes-client/java/pull/2366
- https://github.com/kubernetes-client/java/pull/2387
- https://github.com/kubernetes-client/java/pull/2388
@brendandburns I was waiting a long time for these to be released. It would be great if you guys included them in the next release.
Thanks!
I've been sick for a few days and am back in the office now... I see that a cherry-pick PR has already been created for SnakeYAML 1.33. Shall I create cherry-pick PRs for the other dependencies, or are you doing this already, @yue9944882?
I've not seen issues in our environment with exec requests or web sockets, but we use these heavily, so I wouldn't be opposed to having these fixes in a bug-fix release.
@dani8art if you send cherry-pick PRs I'm happy to cut them into a release.
@rjeberhard I just pushed 16.0.1 with the SnakeYAML cherry-pick up to Sonatype; it should be in Maven Central in 24h or so.
@dani8art it is easy to cut a 16.0.2 once the cherry-picks are in.
I'm going to close this issue because 16.0.1 was released.
@dani8art, perhaps open a new issue for the items that you wanted backported?
@brendandburns, the good news is that https://mvnrepository.com/artifact/io.kubernetes/client-java/16.0.1 shows that the CVEs related to SnakeYAML that were displayed for 16.0.0 are gone... the bad news is that there is still a CVE related to protobuf.
Great to see the CVE has gone. 👏
@rjeberhard I've already opened a PR with those commits: https://github.com/kubernetes-client/java/pull/2429. @brendandburns, do we need an issue to perform the new version cut? I think you asked me for the PR and then you are going to cut the version, right?
Thanks!
@dani8art @rjeberhard Is it possible to cherry-pick these 2 PRs into the next release? I was hoping to see these in 16.0.1:
https://github.com/kubernetes-client/java/pull/2362 to fix the kotlin-stdlib security issues: CVE-2020-29582, CVE-2022-24329
https://github.com/kubernetes-client/java/pull/2421 to fix the protobuf-java security issue: CVE-2022-3171