builder icon indicating copy to clipboard operation
builder copied to clipboard
verified publisher icon openshift

OCPBUGS-32844: bump go-jose to fix CVE-2024-28180

Open avinal opened this issue 1 year ago • 11 comments

Changes

  • gopkg.in/square/go-jose.v2 has been deprecated
  • replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
  • replaced with security release github.com/go-jose/go-jose v2.6.3
  • fixes https://github.com/advisories/GHSA-c5q2-7r4c-mv6g

Signed-off-by: Avinal Kumar [email protected]

Release note

CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.

avinal avatar Jun 19 '24 12:06 avinal

@avinal: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
  • expected dependent Jira Issue OCPBUGS-32845 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Changes

  • Bump gopkg.in/go-jose/go-jose.v2 to 2.6.3

Signed-off-by: Avinal Kumar [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Jun 19 '24 12:06 openshift-ci-robot

/jira-refresh

avinal avatar Jun 19 '24 12:06 avinal

/retest

avinal avatar Jun 24 '24 08:06 avinal

@avinal: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Changes

  • gopkg.in/square/go-jose.v2 has been deprecated
  • replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
  • replaced with security release github.com/go-jose/go-jose v2.6.3
  • fixes https://github.com/advisories/GHSA-c5q2-7r4c-mv6g

Signed-off-by: Avinal Kumar [email protected]

Release note

CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Jun 25 '24 10:06 openshift-ci-robot

/retest

avinal avatar Jun 26 '24 08:06 avinal

Is this blocked by https://github.com/openshift/origin/pull/28904 and its cherry-picks?

adambkaplan avatar Jun 26 '24 20:06 adambkaplan

/jira refresh

adambkaplan avatar Jul 09 '24 12:07 adambkaplan

@adambkaplan: This pull request references Jira Issue OCPBUGS-32844, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Jul 09 '24 12:07 openshift-ci-robot

/retest

avinal avatar Aug 06 '24 12:08 avinal

/test e2e-aws-ovn-builds-techpreview /test e2e-aws-ovn-builds

sayan-biswas avatar Oct 29 '24 11:10 sayan-biswas

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avinal, sayan-biswas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Oct 29 '24 11:10 openshift-ci[bot]

@avinal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 595313fbca0e6bb9f7b58ccc9ce3e231b9da2f12 link false /test security
ci/prow/e2e-aws-ovn-builds 595313fbca0e6bb9f7b58ccc9ce3e231b9da2f12 link true /test e2e-aws-ovn-builds
ci/prow/e2e-aws-ovn-builds-techpreview 595313fbca0e6bb9f7b58ccc9ce3e231b9da2f12 link false /test e2e-aws-ovn-builds-techpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Oct 29 '24 13:10 openshift-ci[bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Jan 28 '25 01:01 openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot avatar Feb 27 '25 08:02 openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot avatar Mar 30 '25 00:03 openshift-bot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-merge-robot avatar Mar 30 '25 00:03 openshift-merge-robot

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Mar 30 '25 00:03 openshift-ci[bot]

@avinal: This pull request references Jira Issue OCPBUGS-32844. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

In response to this:

Changes

  • gopkg.in/square/go-jose.v2 has been deprecated
  • replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
  • replaced with security release github.com/go-jose/go-jose v2.6.3
  • fixes https://github.com/advisories/GHSA-c5q2-7r4c-mv6g

Signed-off-by: Avinal Kumar [email protected]

Release note

CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Mar 30 '25 00:03 openshift-ci-robot