Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739

Merged
merged 2 commits into from
Oct 11, 2023
Merged

bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #16739

merged 2 commits into from
Oct 11, 2023

Conversation

dusk125
Copy link
Contributor

@dusk125 dusk125 commented Oct 11, 2023

@serathius
Copy link
Member

Do we need to upgrade v1.21.3 too? I assume not, but want someone to double check.

@dusk125
Copy link
Contributor Author

dusk125 commented Oct 11, 2023

Do we need to upgrade v1.21.3 too? I assume not, but want someone to double check.

From the Go release notes, it mentions fixing a security fix for net/http.
I can go ahead and do this here as well if you want to handle it in one, or I can create another PR for the Go bump.

@dusk125
Copy link
Contributor Author

dusk125 commented Oct 11, 2023

Looks like we should: golang/go#63427

@ahrtr
Copy link
Member

ahrtr commented Oct 11, 2023

We should bump golang to 1.21.3 for main, and 1.20.10 for 3.4/3.5, and also grpc to 1.58.3 for main, and 1.56.3 or 1.57.1 or 1.58.3 for 3.4/3.5.

@ahrtr
Copy link
Member

ahrtr commented Oct 11, 2023

Part of #16740

@dusk125
Copy link
Contributor Author

dusk125 commented Oct 11, 2023

Besides the .go-version file, does anything else need to be updated to bump to 1.21.3?

@ahrtr
Copy link
Member

ahrtr commented Oct 11, 2023

@dusk125 I suggest to bump different dependencies in separate PRs or commits

@ahrtr
Copy link
Member

ahrtr commented Oct 11, 2023

Besides the .go-version file, does anything else need to be updated to bump to 1.21.3?

Only the .go-version file for the main branch, please raise a separate PR for that. thx

@dusk125
bump golang.org/x/net to v0.17.0
3a61187 
Address CVE-2023-39325 and CVE-2023-44487

Signed-off-by: Allen Ray <alray@redhat.com>
@dusk125 dusk125 changed the title bump golang.org/x/net to v0.17.0 bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 Oct 11, 2023
@dusk125
bump google.golang.org/grpc to v1.58.3
e4c0eb7 
Signed-off-by: Allen Ray <alray@redhat.com>
ahrtr
ahrtr approved these changes Oct 11, 2023
View reviewed changes
Copy link
Member

@ahrtr ahrtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

thx

@ahrtr ahrtr merged commit bf80055 into etcd-io:main Oct 11, 2023
27 checks passed
@dusk125 dusk125 deleted the http2-update branch October 11, 2023 15:26
@ahrtr ahrtr mentioned this pull request Oct 11, 2023
Closed
24 tasks
@tjungblu tjungblu mentioned this pull request Oct 17, 2023
Closed
@chaochn47 chaochn47 mentioned this pull request Oct 17, 2023
Merged
chaochn47 added a commit to chaochn47/etcd that referenced this pull request Oct 17, 2023
@chaochn47
3.5: upgrade gRPC-go to 1.58.3
1aa4aa8 
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5

This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.

Signed-off-by: Chao Chen <chaochn@amazon.com>
dusk125 pushed a commit to dusk125/etcd that referenced this pull request Oct 18, 2023
@chaochn47 @dusk125
3.5: upgrade gRPC-go to 1.58.3
9957a01 
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5

This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.

Signed-off-by: Chao Chen <chaochn@amazon.com>
dusk125 pushed a commit to dusk125/etcd that referenced this pull request Oct 18, 2023
@chaochn47 @dusk125
3.5: upgrade gRPC-go to 1.58.3
0fb8c57 
The last step with gRPC update behavior changes auditing to resolve CVE etcd-io#16740 in 3.5

This PR backports etcd-io#14922, etcd-io#16338, etcd-io#16587, etcd-io#16630, etcd-io#16636 and etcd-io#16739 to release-3.5.

Signed-off-by: Chao Chen <chaochn@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serathius serathius serathius approved these changes

@ahrtr ahrtr ahrtr approved these changes

Assignees
No one assigned
Labels
stage/merge-when-tests-green
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dusk125 @serathius @ahrtr