Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Upgrade Go dependencies to address CVEs #76

Merged
merged 1 commit into from
Dec 12, 2023
Merged

chore: Upgrade Go dependencies to address CVEs #76

merged 1 commit into from
Dec 12, 2023

Conversation

spolti
Copy link
Contributor

@spolti spolti commented Nov 30, 2023

chore: This commit fixes the following CVEs:

  • CVE-2023-37788: github.com/elazarl/goproxy Denial of Service (DoS)
  • CVE-2022-1996: github.com/emicklei/go-restful Authorization Bypass Through User-Controlled Key
  • CWE-285: github.com/emicklei/go-restful Authorization Bypass
  • CWE-400: github.com/prometheus/client_golang Denial of Service (DoS)

Motivation

Modifications

Result

@spolti
CVEs fixes
f25aeb4 
chore: This commit fixes the following CVEs:
- [CVE-2023-37788](https://www.cve.org/CVERecord?id=CVE-2023-37788):  github.com/elazarl/goproxy Denial of Service (DoS)
- [CVE-2022-1996](https://www.cve.org/CVERecord?id=CVE-2022-1996): github.com/emicklei/go-restful Authorization Bypass Through User-Controlled Key
- [CWE-285](https://cwe.mitre.org/data/definitions/285.html): github.com/emicklei/go-restful Authorization Bypass
- [CWE-400](https://cwe.mitre.org/data/definitions/400.html): github.com/prometheus/client_golang Denial of Service (DoS)

Signed-off-by: Spolti <[email protected]>
@oss-prow-bot oss-prow-bot bot requested review from ckadner and joerunde November 30, 2023 18:13
This was referenced Dec 5, 2023
Closed
Closed
ckadner
ckadner approved these changes Dec 12, 2023
View reviewed changes
Copy link
Member

@ckadner ckadner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@oss-prow-bot oss-prow-bot bot added the lgtm label Dec 12, 2023
@oss-prow-bot OSS-prow-bot
Copy link

oss-prow-bot bot commented Dec 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ckadner, spolti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ckadner ckadner changed the title CVEs fixes chore: Upgrade Go dependencies to address CVEs Dec 12, 2023
@ckadner ckadner merged commit 014856c into kserve:main Dec 12, 2023
6 checks passed
@spolti spolti deleted the odh-issue256 branch December 12, 2023 18:36
spolti referenced this pull request in spolti/modelmesh-runtime-adapter Jan 11, 2024
@spolti
chore: Upgrade Go dependencies to address CVEs (opendatahub-io#76)
f2a0f50 
- elazarl/goproxy [CVE-2023-37788] Denial of Service (DoS)
- emicklei/go-restful [CVE-2022-1996] Authorization Bypass Through User-Controlled Key
- prometheus/client_golang [CWE-400] Denial of Service (DoS)

-----

Signed-off-by: Spolti <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ckadner ckadner ckadner approved these changes

@joerunde joerunde Awaiting requested review from joerunde

Assignees

@ckadner ckadner

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spolti @ckadner