OCPBUGS-37369: UPSTREAM: <carry>: Fix go-retryablehttp CVE - 4.17 #86

Merged

Conversation

Karthik-K-N
Member

No description provided.

@openshift-ci-robot

@Karthik-K-N: An error was encountered searching for bug OCPBUGS-37369 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from mkumatag and RadekManak October 18, 2024 07:16
@Karthik-K-N Karthik-K-N changed the title OCPBUGS-37369: UPSTREAM: <carry>: Fix go-retryablehttp CVE OCPBUGS-37369: UPSTREAM: <carry>: Fix go-retryablehttp CVE - 4.17 Oct 18, 2024
Member

@mkumatag mkumatag left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 18, 2024
@mkumatag
Member

/approve

Contributor

openshift-ci bot commented Oct 18, 2024

@Karthik-K-N: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Contributor

openshift-ci bot commented Oct 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mkumatag

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 18, 2024
@Karthik-K-N
Member Author

/jira refresh

@openshift-ci-robot

@Karthik-K-N: An error was encountered searching for bug OCPBUGS-37369 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Karthik-K-N
Member Author

@JoelSpeed could you please help with the required labels?

@JoelSpeed
Contributor

/jira refresh

@openshift-ci-robot

@JoelSpeed: An error was encountered searching for bug OCPBUGS-37369 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@JoelSpeed
Contributor

@Karthik-K-N Are you sure you have the correct bug number? I cannot seem to view it.

@Karthik-K-N
Member Author

Yeah, it's correct. Even I had issues viewing them earlier, but now I have access. Also, I see IBM Confidential Group in the contributing groups in Jira; maybe that's the reason?

@JoelSpeed
Contributor

Without seeing the bug chain, I can't verify what is expected here. Where is the 4.18 bug? Is the 4.18 bug in the verified state? Which QE has verified the 4.18 version of this bug?

@Karthik-K-N
Member Author

Without seeing the bug chain, I can't verify what is expected here. Where is the 4.18 bug? Is the 4.18 bug in the verified state? Which QE has verified the 4.18 version of this bug?

Let me try to get more info about it.

@prb112 could you please help?

@prb112
Contributor

prb112 commented Oct 21, 2024

I've fixed the access for Joel

@JoelSpeed
Contributor

@Karthik-K-N I can't see a link between the 4.17 bug and a 4.18 version of the bug. We need to make sure this is resolved in 4.18 before we can backport to 4.17. Do you have a 4.18 fix?

@Karthik-K-N
Member Author

@Karthik-K-N I can't see a link between the 4.17 bug and a 4.18 version of the bug. We need to make sure this is resolved in 4.18 before we can backport to 4.17. Do you have a 4.18 fix?

Couple of things I need an opinion on:

  1. I am not able to find Jira tickets for 4.16 and 4.18, so I am planning to clone the existing tickets.
  2. For 4.18 the module is updated upstream and there is a downstream rebase expected sometime last week or this week. So should I wait for this rebase or submit a PR with the fix?

@JoelSpeed
Contributor

I am not able to find Jira tickets for 4.16 and 4.18, so I am planning to clone the existing tickets.

Cloning is fine as long as you link them all together in the right chain ordering

For 4.18 the module is updated upstream and there is a downstream rebase expected sometime last week or this week. So should I wait for this rebase or submit a PR with the fix?

It was updated in kubernetes-sigs/cluster-api-provider-ibmcloud@392efd0, so if you want to bring this in earlier to avoid blocking the backports, you can; you just need to prefix the commit with UPSTREAM: 1857:

@Karthik-K-N
Member Author

I am not able to find Jira tickets for 4.16 and 4.18, so I am planning to clone the existing tickets.

Cloning is fine as long as you link them all together in the right chain ordering

For 4.18 the module is updated upstream and there is a downstream rebase expected sometime last week or this week. So should I wait for this rebase or submit a PR with the fix?

It was updated in kubernetes-sigs/cluster-api-provider-ibmcloud@392efd0, so if you want to bring this in earlier to avoid blocking the backports, you can; you just need to prefix the commit with UPSTREAM: 1857:

Sure, will do that.

@Karthik-K-N
Member Author

Submitted a PR for main #91

@Karthik-K-N
Member Author

The main branch PR has been merged: #91

@JoelSpeed
Contributor

The 4.18 fix must be verified by QE before we can move this one along.

@Karthik-K-N
Member Author

@juliemathew not sure how it's verified. Could you please help us here?

@JoelSpeed
Contributor

/label backport-risk-assessed

The 4.18 bug has been moved to verified and the 4.17 bug is filed correctly; will manually add the valid Jira labels.

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Oct 24, 2024
@JoelSpeed JoelSpeed added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Oct 24, 2024
@sunzhaohua2

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Oct 24, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit a2beaa3 into openshift:release-4.17 Oct 24, 2024
5 checks passed
@openshift-ci-robot

@Karthik-K-N: An error was encountered searching for bug OCPBUGS-37369 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. You do not have the permission to see the specified issue.: request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-bot

[ART PR BUILD NOTIFIER]

Distgit: ose-ibmcloud-cluster-api-controllers
This PR has been included in build ose-ibmcloud-cluster-api-controllers-container-v4.17.0-202410241236.p0.ga2beaa3.assembly.stream.el9.
All builds following this will include this PR.
