Update module github.com/golang/glog to v1.2.4 [SECURITY] #14

Merged 1 commit on Jan 31, 2025

turkenf (Contributor) commented Jan 29, 2025

Description of your changes

This PR contains the following updates:

Package                  Change
github.com/golang/glog   v1.2.1 -> v1.2.4

GitHub Vulnerability Alerts

CVE-2024-45339

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

https://github.com/upbound/provider-upjet-gcp-beta/actions/runs/13041907120
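
The symlink pre-creation issue described in the CVE-2024-45339 text above, as an added example that is not code from this PR or from glog: it contrasts a create-or-truncate open, which follows a planted symlink, with an exclusive create that fails when the path already exists. The file names and helper functions are constructed for illustration, everything runs inside a temporary directory, and POSIX symlink semantics are assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// openLogFollowing is the risky pattern: os.Create follows an existing symlink and truncates its target.
func openLogFollowing(path string) (*os.File, error) {
	return os.Create(path)
}

// openLogExclusive fails if the name already exists; O_EXCL also rejects a symlink at that name.
func openLogExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// demo plants a symlink at a constructed log path, opens the log with the given
// strategy, and returns the "sensitive" file's content plus the open error.
func demo(open func(string) (*os.File, error)) (string, error, error) {
	dir, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return "", nil, err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "sensitive.conf") // constructed stand-in file
	logPath := filepath.Join(dir, "app.log.INFO")  // constructed predictable name
	if err := os.WriteFile(target, []byte("secret=1\n"), 0o600); err != nil {
		return "", nil, err
	}
	if err := os.Symlink(target, logPath); err != nil { // the pre-created link
		return "", nil, err
	}
	f, openErr := open(logPath)
	if openErr == nil {
		fmt.Fprintln(f, "log line")
		f.Close()
	}
	data, err := os.ReadFile(target)
	return string(data), openErr, err
}

func main() {
	c, openErr, _ := demo(openLogFollowing)
	fmt.Printf("following: openErr=%v sensitive=%q\n", openErr, c)
	c, openErr, _ = demo(openLogExclusive)
	fmt.Printf("exclusive: alreadyExists=%v sensitive=%q\n", os.IsExist(openErr), c)
}
```

A caller that treats the "already exists" error as fatal gets the behaviour the advisory describes: the process stops instead of writing through the link.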

turkenf (Contributor, Author) commented Jan 29, 2025

/test-examples="examples/container/v1beta2/nodepool.yaml"

turkenf marked this pull request as ready for review January 30, 2025 10:06

sergenyalcin (Member) left a comment

Thanks @turkenf LGTM!

turkenf merged commit eba227d into upbound:main Jan 31, 2025
9 checks passed
turkenf deleted the vulnerability-glog branch January 31, 2025 09:53

Successfully created backport PR for release-0.4:
