
security: up dependencies to fix security vulnerabilities #7681

Open · wants to merge 7 commits into master

Conversation

@sicoyle (Contributor) commented Apr 8, 2024

Description

Dapr has a few vulnerabilities that we should address from a security perspective by upping our dependency versions 👇

| Package | Affected version | Patched version | Fixed in this PR? | Impact |
| --- | --- | --- | --- | --- |
| google.golang.org/grpc | < 1.56.3 | 1.56.3 | yes | gRPC-Go HTTP/2 Rapid Reset vulnerability allowing attackers to send HTTP/2 requests, cancel them, send subsequent requests, etc |
| golang.org/x/net | < 0.17.0 | 0.17.0 | yes | HTTP/2 rapid reset can cause excessive work in net/http |
| github.com/docker/distribution | < 2.8.2-beta.1 | 2.8.2-beta.1 | yes | distribution catalog API endpoint can lead to OOM via malicious user input |
| github.com/jackc/pgx/v5 | >= 5.0.0.0, < 5.5.4 | 5.5.4 | yes | pgx SQL injection via protocol message size overflow |
| google.golang.org/protobuf | < 1.33.0 | 1.33.0 | yes | golang protojson.Unmarshal func infinite loop when marshalling certain forms of invalid JSON |
| github.com/docker/docker | >= 1.12.0, < 20.10.24 | 20.10.24 | yes | Docker swarm encrypted overlay network may be unauthenticated |
| github.com/cloudevents/sdk-go/v2 | <= 2.15.1 | 2.15.2 | yes | Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials |

Also update test go modules as those should be kept current with regular code dependencies.

Issue reference

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:
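The check a reviewer would want to run against a branch like this one, as an added example that is not part of the PR or of Dapr's code: a Go program that takes the seven rows of the table above as its advisory list and compares the module versions actually selected for a build (the output of `go list -m all`, which also honours `replace` directives) against the first patched version of each. Versions are compared by semver precedence, so the `2.8.2-beta.1` patch for docker/distribution is ranked correctly between `2.8.1` and `2.8.2`, and `+incompatible` build metadata is ignored. The module list embedded below is constructed for illustration, not taken from Dapr's build; the function names and the abbreviated impact summaries are this example's own. For the general case, `govulncheck` covers advisories not in this table.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// advisory is one row of the table above: module path and first patched version.
type advisory struct{ Module, Patched, Summary string }

var advisories = []advisory{
	{"google.golang.org/grpc", "v1.56.3", "HTTP/2 Rapid Reset"},
	{"golang.org/x/net", "v0.17.0", "HTTP/2 rapid reset in net/http"},
	{"github.com/docker/distribution", "v2.8.2-beta.1", "catalog API OOM"},
	{"github.com/jackc/pgx/v5", "v5.5.4", "SQL injection via message size overflow"},
	{"google.golang.org/protobuf", "v1.33.0", "protojson.Unmarshal infinite loop"},
	{"github.com/docker/docker", "v20.10.24", "unauthenticated encrypted overlay network"},
	{"github.com/cloudevents/sdk-go/v2", "v2.15.2", "WithRoundTripper credential leak"},
}

// versionKey maps "v2.8.1-beta.1+incompatible" to a string whose byte order is
// semver precedence, so keys compare with plain "<": zero-padded major.minor.patch,
// then "~" for a release (above any prerelease) or the prerelease identifiers joined
// by ' ' (so a longer list outranks its prefix), numeric ones zero-padded behind "0"
// to rank below alphanumeric ones behind "1"; build metadata after '+' is ignored.
func versionKey(v string) (string, bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, pre, _ := strings.Cut(v, "-")
	var major, minor, patch int
	_, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch)
	if err != nil || core != fmt.Sprintf("%d.%d.%d", major, minor, patch) {
		return "", false // not exactly three canonical numeric fields
	}
	key := fmt.Sprintf("%010d.%010d.%010d.", major, minor, patch)
	if pre == "" {
		return key + "~", true
	}
	ids := strings.Split(pre, ".")
	for i, id := range ids {
		ids[i] = "1" + id
		if n, err := strconv.Atoi(id); err == nil && n >= 0 {
			ids[i] = fmt.Sprintf("0%010d", n)
		}
	}
	return key + strings.Join(ids, " "), true
}

// selectedVersions parses `go list -m all` output: "path version", or "path version
// => replacement version" (the replacement is what gets built; "=> ../dir" has none).
func selectedVersions(listOutput string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(listOutput, "\n") {
		switch f := strings.Fields(line); {
		case len(f) == 5 && f[2] == "=>":
			out[f[0]] = f[4]
		case len(f) == 2:
			out[f[0]] = f[1]
		}
	}
	return out
}

// findVulnerable lists advisories whose module is selected below its patched version.
// A pseudo-version (v0.0.0-20230101000000-abcdef) keys as a prerelease of its base
// version and is therefore flagged conservatively.
func findVulnerable(listOutput string) ([]string, error) {
	sel := selectedVersions(listOutput)
	var hits []string
	for _, a := range advisories {
		have, ok := sel[a.Module]
		if !ok {
			continue
		}
		haveKey, okHave := versionKey(have)
		patchedKey, okPatched := versionKey(a.Patched)
		if !okHave || !okPatched {
			return nil, fmt.Errorf("%s: cannot parse %q or %q", a.Module, have, a.Patched)
		}
		if haveKey < patchedKey {
			hits = append(hits, fmt.Sprintf("%s %s < %s: %s", a.Module, have, a.Patched, a.Summary))
		}
	}
	return hits, nil
}

// sampleListOutput is constructed `go list -m all` output, not taken from Dapr.
const sampleListOutput = `example.com/app
github.com/cloudevents/sdk-go/v2 v2.15.1
github.com/docker/distribution v2.8.1+incompatible
golang.org/x/net v0.14.0
google.golang.org/grpc v1.56.2 => google.golang.org/grpc v1.56.3
google.golang.org/protobuf v1.31.0`

func main() {
	hits, err := findVulnerable(sampleListOutput)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(hits, "\n"))
}
```

Feed it real data with `go list -m all > modules.txt` from the module root and pass the file contents to `findVulnerable`; a module that is missing from the list is simply not reported, and a pseudo-version is reported even when its underlying commit already contains the fix, so those hits need a manual look.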

@sicoyle sicoyle requested review from a team as code owners April 8, 2024 18:20
@sicoyle (Contributor, Author) commented Apr 8, 2024

transient failure:

ERROR: failed to create cluster: command "docker run --name kind-control-plane --hostname kind-control-plane --label io.x-k8s.kind.role=control-plane --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined --tmpfs /tmp --tmpfs /run --volume /var --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --detach --tty --label io.x-k8s.kind.cluster=kind --net kind --restart=on-failure:1 --init=false --publish=127.0.0.1:43883:6443/TCP -e KUBECONFIG=/etc/kubernetes/admin.conf kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315" failed with error: exit status 125

Review thread on go.mod (outdated, resolved)
@sicoyle (Contributor, Author) commented Apr 9, 2024

Going to let this sit until closer to code freeze ~May 28th, as this should be part of the release process.

@mikeee mentioned this pull request on May 28, 2024 (38 tasks)