
@shraddhabang (Collaborator)

Issue

CVE-2024-24786

Description

Update golang.org/protobuf version to fix CVE-2024-24786

Trivy scan result on test image

2024-03-19T13:53:23.621-0700 INFO Vulnerability scanning is enabled
2024-03-19T13:53:23.622-0700 INFO Secret scanning is enabled
2024-03-19T13:53:23.622-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-19T13:53:23.622-0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-19T13:53:32.085-0700 INFO Detected OS: amazon
2024-03-19T13:53:32.086-0700 INFO Detecting Amazon Linux vulnerabilities...
2024-03-19T13:53:32.088-0700 INFO Number of language-specific files: 1
2024-03-19T13:53:32.088-0700 INFO Detecting gobinary vulnerabilities...

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟
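A reviewer of a dependency bump like this usually wants a repeatable check that the version floor is actually met, not only a one-off scanner run. The Go program below is an added example, not code from this PR or from aws-load-balancer-controller: it parses go.mod text (a constructed sample, embedded inline) and flags any requirement of google.golang.org/protobuf below v1.33.0, the release that carries the fix for CVE-2024-24786. The module path is google.golang.org/protobuf; the PR title's "golang.org/protobuf" is shorthand. The parser handles the block and single-line require forms with trailing comments; replace directives and pseudo-versions are deliberately out of scope and are noted as such in the comments.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod (not the project's file) that still pins
// the protobuf release affected by CVE-2024-24786; the check below must flag it.
const sampleGoMod = `module example.com/controller

go 1.21

require (
	github.com/aws/aws-sdk-go v1.50.0
	google.golang.org/protobuf v1.31.0 // indirect
)
`

// ProtobufModule is the module path as it appears in go.mod.
const ProtobufModule = "google.golang.org/protobuf"

// FixedProtobuf is the first google.golang.org/protobuf release containing the fix.
const FixedProtobuf = "v1.33.0"

// parseVersion splits "v1.33.0" or "v1.33.0-rc.1" into numeric parts and a
// prerelease flag. Pseudo-versions (v0.0.0-2024...-abcdef) are not supported.
func parseVersion(v string) (nums [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	core, _, hasPre := strings.Cut(v, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return nums, false, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return nums, false, fmt.Errorf("unexpected version %q: %w", v, convErr)
		}
		nums[i] = n
	}
	return nums, hasPre, nil
}

// compareVersions returns -1, 0 or 1 in semver order for the subset parseVersion
// accepts; a prerelease sorts below the release with the same numbers.
func compareVersions(a, b string) (int, error) {
	an, apre, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bn, bpre, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	switch {
	case apre && !bpre:
		return -1, nil
	case !apre && bpre:
		return 1, nil
	}
	return 0, nil
}

// RequiredVersion scans go.mod text for the require entry of module and returns
// its version. Both "require ( ... )" blocks and single-line "require mod vX"
// are handled; "// indirect" and other trailing comments are ignored.
// A replace directive is not consulted, so a replaced module is reported at its
// required, not effective, version.
func RequiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		line = strings.TrimPrefix(line, "require ") // single-line form
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// Vulnerable reports whether goMod pins google.golang.org/protobuf below the
// fixed release. A go.mod without the module yields (false, "", nil).
func Vulnerable(goMod string) (vulnerable bool, version string, err error) {
	v, ok := RequiredVersion(goMod, ProtobufModule)
	if !ok {
		return false, "", nil
	}
	c, err := compareVersions(v, FixedProtobuf)
	if err != nil {
		return false, v, err
	}
	return c < 0, v, nil
}

func main() {
	vuln, v, err := Vulnerable(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s below fixed %s: %v\n", ProtobufModule, v, FixedProtobuf, vuln)
}
```

Trivy's gobinary scanner reads the module list embedded in the built binary, so the go.mod floor and the shipped image can disagree when a replace directive or a stale build is involved; for the effective version in a checkout use `go list -m google.golang.org/protobuf`, and confirm both go.mod and go.sum changed in the bump.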
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 19, 2024
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 19, 2024
@oliviassss (Collaborator)

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 19, 2024
@M00nF1sh (Member) left a comment


/lgtm

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, oliviassss, shraddhabang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [M00nF1sh,oliviassss]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@M00nF1sh M00nF1sh merged commit 8393192 into kubernetes-sigs:main Mar 19, 2024
@oliviassss oliviassss added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Mar 19, 2024
shraddhabang added a commit to shraddhabang/aws-load-balancer-controller that referenced this pull request Mar 20, 2024
…sigs#3618) * Add a note to recommend to use compatible chart and image versions * Update golang.org/protobuf version to fix CVE-2024-24786
M00nF1sh pushed a commit that referenced this pull request Mar 22, 2024
* fix log level in listener manager and tagging manager (#3573)
* bump up controller-gen version and update manifests (#3580)
* docs: ingress subnets annotation - clarify locale differences (#3579)
* feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591)
* Add example for NLB target-group-attributes to enable unhealthy target connection draining (#3577)
  * Add example annotation for NLB unhealthy target connection draining
  * Add empty line back in
* fix: ca-filter causing exponentially more api-calls (#3608) due to missing cache
* Repo controlled build go version (#3598)
* update go version to mitigate CVE (#3615)
* Adding support for Availability Zone Affinity (#3470)
  Fixes #3431
  Signed-off-by: Alex Berger <alex-berger@gmx.ch>
* Update golang.org/protobuf version to fix CVE-2024-24786 (#3618)
  * Add a note to recommend to use compatible chart and image versions
  * Update golang.org/protobuf version to fix CVE-2024-24786

---------

Signed-off-by: Alex Berger <alex-berger@gmx.ch>
Co-authored-by: Olivia Song <sonyingy@amazon.com>
Co-authored-by: Andrey Lebedev <alebedev87@gmail.com>
Co-authored-by: Nathanael Liechti <technat@technat.ch>
Co-authored-by: Isaac Wilson <10012479+jukie@users.noreply.github.com>
Co-authored-by: Nathanael Liechti <nathanael.liechti@post.ch>
Co-authored-by: Jason Du <jasonxdu@amazon.com>
Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>
Co-authored-by: Alexander Berger <alex-berger@users.noreply.github.com>
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.43%. Comparing base (8296620) to head (9257e2f).
Report is 276 commits behind head on main.

Additional details and impacted files
@@ Coverage Diff @@
##             main    #3618   +/-   ##
=======================================
  Coverage   55.43%   55.43%
=======================================
  Files         149      149
  Lines        9027     9027
=======================================
  Hits         5004     5004
  Misses       3685     3685
  Partials      338      338


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

5 participants