Skip to content

[release/1.7] Update x/net to 0.13#9134

Merged
estesp merged 1 commit intocontainerd:release/1.7from
Kern--:release/1.7
Oct 4, 2023
Merged

[release/1.7] Update x/net to 0.13#9134
estesp merged 1 commit intocontainerd:release/1.7from
Kern--:release/1.7

Conversation

@Kern--
Copy link

@Kern-- Kern-- commented Sep 23, 2023

This silences govulncheck detecting
https://pkg.go.dev/vuln/GO-2023-1988.

containerd only uses x/net for context and httpcontext which do not render html.

Before this change:

$ govulncheck --mode binary bin/containerd
Scanning your binary for known vulnerabilities...

Vulnerability #1: GO-2023-1988
    Improper rendering of text nodes in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2023-1988
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: html.Render

Your code is affected by 1 vulnerability from 1 module.

After this change:

$ govulncheck --mode binary bin/containerd
Scanning your binary for known vulnerabilities...

No vulnerabilities found.

Equivalent release/1.6 change #9130

@k8s-ci-robot
Copy link

k8s-ci-robot commented Sep 23, 2023

Hi @Kern--. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Bump x/net to 0.13
b3db314 
This silences govulncheck detecting
https://pkg.go.dev/vuln/GO-2023-1988.

containerd only uses x/net for context and httpcontext which do not
render html.

Signed-off-by: Kern Walster <[email protected]>
thaJeztah
thaJeztah reviewed Oct 2, 2023
View reviewed changes
go.mod
golang.org/x/crypto v0.11.0 // indirect
golang.org/x/mod v0.9.0 // indirect
golang.org/x/net v0.8.0 // indirect
golang.org/x/net v0.13.0 // indirect
Copy link
Member

@thaJeztah thaJeztah Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this moves the 1.7 branch ahead of main; do we need 0.13 or is 0.12 enough for the cve? (potentially backporting from main)

Otherwise if we really need v0.13 we should make sure main is updated first

containerd/go.mod

Line 127 in e1655fe

golang.org/x/net v0.12.0 // indirect

Copy link
Member

@samuelkarp samuelkarp Oct 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

➕ If we want 0.13.0, let's update main first.

Copy link
Author

@Kern-- Kern-- Oct 3, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. I created #9184. 0.13.0 is the version that fixes this issue.

@Kern-- Kern-- mentioned this pull request Oct 3, 2023
Merged
@estesp estesp merged commit 814f6c2 into containerd:release/1.7 Oct 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samuelkarp samuelkarp samuelkarp left review comments

@thaJeztah thaJeztah thaJeztah left review comments

@dmcgowan dmcgowan dmcgowan approved these changes

@estesp estesp estesp approved these changes

@henry118 henry118 henry118 approved these changes

Assignees

No one assigned

Labels

needs-ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@Kern-- @k8s-ci-robot @dmcgowan @samuelkarp @estesp @thaJeztah @henry118