OCPBUGS-32843: replace square/go-jose to fix cve
Changes
- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180
Signed-off-by: Avinal Kumar [email protected]
Release Note
CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.
@avinal: This pull request references Jira Issue OCPBUGS-32843, which is invalid:
- expected the bug to target either version "4.17." or "openshift-4.17.", but it targets "4.13.z" instead
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
In response to this:
Changes
- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180
Signed-off-by: Avinal Kumar [email protected]
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@avinal: This pull request references Jira Issue OCPBUGS-32843, which is invalid:
- release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
- expected dependent Jira Issue OCPBUGS-32844 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
In response to this:
Changes
- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180
Signed-off-by: Avinal Kumar [email protected]
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@avinal: An error was encountered adding this pull request to the external tracker bugs for bug OCPBUGS-32843 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.
Full error message.
failed to get remote links: You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 401:
Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.
In response to this:
Changes
- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180
Signed-off-by: Avinal Kumar [email protected]
Release Note
CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/retest
/hold
Need to understand why one of the s2i tests are failing. Perhaps we need https://github.com/openshift/origin/pull/28904 cherry picked to 4.13 too?
/jira refresh
@adambkaplan: This pull request references Jira Issue OCPBUGS-32843, which is invalid:
- release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
- expected dependent Jira Issue OCPBUGS-32844 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
In response to this:
/jira refresh
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
/retest
New changes are detected. LGTM label has been removed.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: adambkaplan, avinal
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [adambkaplan]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@avinal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-ovn-builds-techpreview | 5f5feb2969d175a96b69bdcc629bb27f3e09e711 | link | false | /test e2e-aws-ovn-builds-techpreview |
| ci/prow/security | 5f5feb2969d175a96b69bdcc629bb27f3e09e711 | link | false | /test security |
| ci/prow/e2e-aws-ovn-builds | 5f5feb2969d175a96b69bdcc629bb27f3e09e711 | link | true | /test e2e-aws-ovn-builds |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
@openshift-bot: Closed this PR.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting
/reopen. Mark the issue as fresh by commenting/remove-lifecycle rotten. Exclude this issue from closing again by commenting/lifecycle frozen./close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@avinal: This pull request references Jira Issue OCPBUGS-32843. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.
In response to this:
Changes
- gopkg.in/square/go-jose.v2 has been deprecated
- replacing with equivalent gopkg.in/go-jose/go-jose.v2 causes multiple imports issue
- replaced with security release github.com/go-jose/go-jose v2.6.3
- fixes CVE-2024-28180
Signed-off-by: Avinal Kumar [email protected]
Release Note
CVE-2024-28180: Upgrade go-jose to mitigate potential denial of service attacks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.