Skip to content

OCPBUGS-50567: Fix for CVE-2024-45338 in golang.org/x/net/html in release-4.16 #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: release-4.16
Choose a base branch
from
Open

OCPBUGS-50567: Fix for CVE-2024-45338 in golang.org/x/net/html in release-4.16 #102

wants to merge 1 commit into from

Conversation

aman4433
Copy link
Contributor

@aman4433 aman4433 commented Feb 13, 2025
edited
Loading

A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.

To address this issue, we have upgraded the library to version v0.33.0, which includes a fix for the vulnerability.

Affected Library: golang.org/x/net/html
Current Version: v0.18.0
Fixed Version: v0.33.0

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Feb 13, 2025
@openshift-ci-robot
Copy link

@aman4433: This pull request references Jira Issue OCPBUGS-50567, which is invalid:

  • expected Jira Issue OCPBUGS-50567 to depend on a bug targeting a version in 4.17.0, 4.17.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.

To address this issue, we have upgraded the library to version v0.33.0, which includes a fix for the vulnerability.

Affected Library: golang.org/x/net/html
Current Version: v0.31.0
Fixed Version: v0.33.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 13, 2025
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 13, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 13, 2025

Hi @aman4433. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot requested review from damdo and RadekManak February 13, 2025 12:33
damdo
damdo suggested changes Feb 13, 2025
View reviewed changes
@aman4433 aman4433 force-pushed the upgrade-golang-x-net-release-4.16 branch from 8a3dbf2 to 7ed4950 Compare February 18, 2025 10:26
@Karthik-K-N
Copy link
Member

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 18, 2025
@aman4433 aman4433 force-pushed the upgrade-golang-x-net-release-4.16 branch from 7ed4950 to ea8e606 Compare February 18, 2025 21:06
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 18, 2025

@aman4433: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

damdo
damdo reviewed Feb 19, 2025
View reviewed changes
Copy link
Member

@damdo damdo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 19, 2025
@damdo
Copy link
Member

damdo commented Feb 19, 2025

/label backport-risk-assessed

I am unable to test this PR, but I trust QE will be able to. Thanks.

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Feb 19, 2025
@sunzhaohua2
Copy link

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Feb 19, 2025
@openshift-ci-robot
Copy link

@aman4433: This pull request references Jira Issue OCPBUGS-50567, which is invalid:

  • expected dependent Jira Issue OCPBUGS-50566 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.

To address this issue, we have upgraded the library to version v0.33.0, which includes a fix for the vulnerability.

Affected Library: golang.org/x/net/html
Current Version: v0.18.0
Fixed Version: v0.33.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sunzhaohua2
Copy link

/label cherry-pick-approve

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 19, 2025

@sunzhaohua2: The label(s) /label cherry-pick-approve cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label cherry-pick-approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sunzhaohua2
Copy link

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Feb 19, 2025
@Karthik-K-N
Copy link
Member

/jira refresh

@openshift-ci-robot
Copy link

@Karthik-K-N: This pull request references Jira Issue OCPBUGS-50567, which is invalid:

  • expected dependent Jira Issue OCPBUGS-50566 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Obsolete) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

damdo
damdo reviewed Mar 18, 2025
View reviewed changes
Copy link
Member

@damdo damdo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@damdo damdo damdo requested changes

@RadekManak RadekManak Awaiting requested review from RadekManak

Assignees

@damdo damdo

@sunzhaohua2 sunzhaohua2

@miyadav miyadav

@huali9 huali9

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@aman4433 @openshift-ci-robot @Karthik-K-N @damdo @sunzhaohua2 @miyadav @huali9