Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump up golang.org/x/crypto pkg to fix vuln #1981

Merged
merged 1 commit into from
Dec 12, 2024
Merged

chore: bump up golang.org/x/crypto pkg to fix vuln #1981

merged 1 commit into from
Dec 12, 2024

Conversation

junczhu
Copy link
Collaborator

@junczhu junczhu commented Dec 12, 2024

Description

What this PR does / why we need it:

The CVE-2024-45337 vulnerability in the golang.org/x/crypto package poses a significant risk due to the potential for authorization bypass through improper use of the ServerConfig.PublicKeyCallback.
Updated dependencies to fix this vulnerability.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes CVE-2024-45337

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@junczhu junczhu changed the title chore: bump up pkg to fix vuln chore: bump up golang.org/x/crypto pkg to fix vuln Dec 12, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 12, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

see 4 files with indirect coverage changes

@junczhu junczhu enabled auto-merge (squash) December 12, 2024 04:52
susanshi
susanshi approved these changes Dec 12, 2024
View reviewed changes
Copy link
Collaborator

@susanshi susanshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. thankyou Juncheng!

@junczhu junczhu merged commit 252afd8 into ratify-project:dev Dec 12, 2024
20 checks passed
junczhu added a commit to junczhu/ratify that referenced this pull request Dec 18, 2024
@junczhu
feat: update kmp crds
7c4b788 
Signed-off-by: Juncheng Zhu <[email protected]>

chore: update config

Signed-off-by: Juncheng Zhu <[email protected]>

feat: update crl config

Signed-off-by: Juncheng Zhu <[email protected]>

chore: Bump github/codeql-action from 3.27.3 to 3.27.4 (ratify-project#1929)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump alpine from `beefdbd` to `1e42bbe` (ratify-project#1937)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump golang from `4cfe4a9` to `147f428` in /httpserver (ratify-project#1936)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump distroless/static from `3a03fc0` to `d71f4b2` in /httpserver (ratify-project#1935)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aliyun/credentials-go from 1.3.10 to 1.3.11 (ratify-project#1934)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.44 to 1.17.45 (ratify-project#1933)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 4.6.0 to 5.0.2 (ratify-project#1932)

Signed-off-by: dependabot[bot] <[email protected]>

chore: Replace deprecated autorest SDK with azidentity (ratify-project#1904)

Signed-off-by: Shahram Kalantari <[email protected]>

chore: Bump step-security/harden-runner from 2.10.1 to 2.10.2 (ratify-project#1938)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.2 to 5.0.4 (ratify-project#1939)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.4 to 5.0.7 (ratify-project#1946)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.4 to 3.27.5 (ratify-project#1945)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump anchore/sbom-action from 0.17.7 to 0.17.8 (ratify-project#1948)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.45 to 1.17.46 (ratify-project#1953)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix: add missing pod annotations and labels to deployment spec (ratify-project#1949)

Signed-off-by: akashsinghal <[email protected]>

chore: Bump github.com/sigstore/rekor from 1.3.6 to 1.3.7 (ratify-project#1952)

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Susan Shi <[email protected]>
Signed-off-by: Binbin Li <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump up golangci-lint version (ratify-project#1961)

Signed-off-by: Binbin Li <[email protected]>

fix(tls): allowing TLS when crd-manager disabled (ratify-project#1954)

Signed-off-by: Jordan Langue <[email protected]>

chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.28.3 to 1.28.6 (ratify-project#1957)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump distroless/static from `d71f4b2` to `6cd937e` in /httpserver (ratify-project#1960)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.5 to 3.27.6 (ratify-project#1963)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build: add image signing for all release images (ratify-project#1947)

Signed-off-by: Akash Singhal <[email protected]>

chore: Bump golang from `73f06be` to `574185e` in /httpserver (ratify-project#1973)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: update dev image release guidance (ratify-project#1974)

Signed-off-by: Akash Singhal <[email protected]>

feat: Implementation of KMP CRL revocation factory with cache (ratify-project#1900)

Signed-off-by: Juncheng Zhu <[email protected]>
Co-authored-by: Binbin Li <[email protected]>
Co-authored-by: Susan Shi <[email protected]>

chore: Bump alpine from `1e42bbe` to `21dc606` (ratify-project#1972)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump google.golang.org/grpc from 1.68.0 to 1.68.1 (ratify-project#1971)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump actions/cache from 4.1.2 to 4.2.0 (ratify-project#1967)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump codecov/codecov-action from 5.0.7 to 5.1.1 (ratify-project#1966)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/notaryproject/notation-core-go from 1.2.0-rc.1 to 1.2.0-rc.2 (ratify-project#1970)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump actions/setup-go from 5.1.0 to 5.2.0 (ratify-project#1979)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.27.6 to 3.27.7 (ratify-project#1978)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump K8s versions (ratify-project#1975)

Signed-off-by: Akash Singhal <[email protected]>

chore: bump makefile tool dependency version (ratify-project#1976)

Signed-off-by: Akash Singhal <[email protected]>

chore: bump up golang.org/x/crypto pkg to fix vuln (ratify-project#1981)

Signed-off-by: Juncheng Zhu <[email protected]>

chore: Bump github/codeql-action from 3.27.7 to 3.27.9 (ratify-project#1983)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump anchore/sbom-action from 0.17.8 to 0.17.9 (ratify-project#1988)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/sigstore/sigstore from 1.8.10 to 1.8.11 (ratify-project#1986)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/notaryproject/notation-go from 1.3.0-rc.1 to 1.3.0-rc.2 (ratify-project#1987)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: bump GK support to 3.18 (ratify-project#1980)

Signed-off-by: Akash Singhal <[email protected]>
@junczhu junczhu deleted the crypto-vuln branch January 13, 2025 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@susanshi susanshi susanshi approved these changes

@akashsinghal akashsinghal Awaiting requested review from akashsinghal akashsinghal is a code owner

@binbin-li binbin-li Awaiting requested review from binbin-li binbin-li is a code owner

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@junczhu @susanshi