linkerd2/24.11.8-r0: cve remediation #36772

octo-sts · 2024-12-13T03:12:33Z

linkerd2/24.11.8-r0: fix GHSA-h97m-ww89-6jmq/GHSA-v778-237x-gjrc/

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/linkerd2.advisories.yaml

octo-sts · 2024-12-13T03:15:29Z

Gen AI suggestions to solve the build error:

Based on the build log and error output, here's my analysis:

• Detected Error: Not explicitly shown in logs, but appears to fail during "go/bump" step with Go module dependency updates

• Error Category: Version/Dependency

• Failure Point: During go/bump step trying to update dependencies:

  - uses: go/bump
    with:
      deps: golang.org/x/[email protected] [email protected]

• Root Cause Analysis: The go/bump step is trying to update dependencies to specific versions that may be incompatible with the project's Go module requirements

• Suggested Fix:

Update the go/bump step to use compatible versions:

  - uses: go/bump
    with:
      deps: golang.org/x/crypto@latest golang.org/x/net@latest

Or remove the go/bump step entirely if the project manages its own dependencies.

• Explanation:

The linkerd2 project likely has specific version requirements defined in go.mod
Forcing specific versions via go/bump may break dependency graph resolution
Letting the project manage its own dependencies through go.mod is safer
The idna package is part of golang.org/x/net, so specifying it separately may cause conflicts

• Additional Notes:

Linkerd2 is a complex Go project with many dependencies
Version bumps should ideally be coordinated with upstream releases
Consider checking go.mod in the upstream repository for proper version constraints

• References:

Try either removing the go/bump step or updating it to use latest tagged versions that are compatible with the project's requirements.

linkerd2.yaml

Signed-off-by: kranurag7 <[email protected]>

Signed-off-by: kranurag7 <[email protected]> fix rust cves as well Signed-off-by: kranurag7 <[email protected]>

kranurag7 · 2024-12-16T10:18:12Z

idna was bumped to 1.0.3 which here linkerd/linkerd2#13385 (bump url ends up bumping idna here)

linkerd2/24.11.8-r0: fix GHSA-h97m-ww89-6jmq/GHSA-v778-237x-gjrc/ Advisory data: https://github.com/wolfi-dev/advisories/blob/main/linkerd2.advisories.yaml --------- Signed-off-by: kranurag7 <[email protected]> Co-authored-by: octo-sts[bot] <[email protected]> Co-authored-by: kranurag7 <[email protected]>

linkerd2/24.11.8-r0: fix GHSA-h97m-ww89-6jmq/GHSA-v778-237x-gjrc/

a3c73c2

octo-sts bot added automated pr GHSA-h97m-ww89-6jmq GHSA-v778-237x-gjrc go/bump linkerd2/24.11.8-r0 request-cve-remediation labels Dec 13, 2024

kranurag7 reviewed Dec 15, 2024

View reviewed changes

linkerd2.yaml Outdated Show resolved Hide resolved

remove idna from go/bump

ea8c7b3

Signed-off-by: kranurag7 <[email protected]>

octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Dec 15, 2024

fix idna cve

53bb70c

Signed-off-by: kranurag7 <[email protected]> fix rust cves as well Signed-off-by: kranurag7 <[email protected]>

philroche approved these changes Dec 16, 2024

View reviewed changes

kranurag7 merged commit 2246286 into main Dec 16, 2024
14 checks passed

kranurag7 deleted the cve-linkerd2-6f28b01479a29ec12ed2823afcccb555 branch December 16, 2024 11:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

linkerd2/24.11.8-r0: cve remediation #36772

linkerd2/24.11.8-r0: cve remediation #36772

octo-sts bot commented Dec 13, 2024

octo-sts bot commented Dec 13, 2024

kranurag7 commented Dec 16, 2024

linkerd2/24.11.8-r0: cve remediation #36772

linkerd2/24.11.8-r0: cve remediation #36772

Conversation

octo-sts bot commented Dec 13, 2024

octo-sts bot commented Dec 13, 2024

kranurag7 commented Dec 16, 2024