[release/1.6] Update grpc to v1.58.3 #2

austinvazquez · 2023-11-21T16:19:31Z

No description provided.

The package has multiple improvements and bug fixes. Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com> (cherry picked from commit d063597) Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Upgrade google.golang.org/grpc to v1.58.3 in preparation for upgrading OTel, which has a dependency on the latest version. See also: containerd#9281. Signed-off-by: Milas Bowman <milas.bowman@docker.com> (cherry picked from commit 856d105) Signed-off-by: Austin Vazquez <macedonv@amazon.com>

Update the dependency and the indirect golang.org/x/net version to align with containerd 1.7 itself, and to prevent a vulnerability being detected. This should not generally be an issue, as the API module is used by containerd 1.7 and up, which already depend on a more current version of these dependencies. full diff: containerd/ttrpc@v1.2.3...v1.2.5 Before this: govulncheck ./... Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities... === Symbol Results === Vulnerability #1: GO-2024-2687 HTTP/2 CONTINUATION flood in net/http More info: https://pkg.go.dev/vuln/GO-2024-2687 Module: golang.org/x/net Found in: golang.org/x/net@v0.21.0 Fixed in: golang.org/x/net@v0.23.0 Example traces found: #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error #8: services/version/v1/version_grpc.pb.go:13:2: version.init calls status.init, which eventually calls http2.chunkWriter.Write #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. After this: govulncheck ./... Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities... === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Update the dependency and the indirect golang.org/x/net version to align with containerd itself, and to prevent a vulnerability being detected. We should keep the versions <= versions used by containerd 1.7 to prevent forcing users of containerd 1.7 in combination with the latest version of the API module from having to update all their dependencies, but this update should likely be fine (and aligns with 1.7). Before this: Scanning your code and 254 packages across 15 dependent modules for known vulnerabilities... === Symbol Results === Vulnerability #1: GO-2024-2687 HTTP/2 CONTINUATION flood in net/http More info: https://pkg.go.dev/vuln/GO-2024-2687 Module: golang.org/x/net Found in: golang.org/x/net@v0.21.0 Fixed in: golang.org/x/net@v0.23.0 Example traces found: #1: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ConnectionError.Error #2: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.ErrCode.String #3: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameHeader.String #4: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.FrameType.String #5: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.Setting.String #6: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.SettingID.String #7: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.StreamError.Error #8: services/content/v1/content_ttrpc.pb.go:272:35: content.ttrpccontentClient.Write calls ttrpc.Client.NewStream, which eventually calls http2.chunkWriter.Write #9: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.connError.Error #10: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.duplicatePseudoHeaderError.Error #11: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldNameError.Error #12: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.headerFieldValueError.Error #13: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.pseudoHeaderError.Error #14: events/task_fieldpath.pb.go:85:20: events.TaskIO.Field calls fmt.Sprint, which eventually calls http2.writeData.String Your code is affected by 1 vulnerability from 1 module. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. After this: govulncheck ./... Scanning your code and 251 packages across 13 dependent modules for known vulnerabilities... === Symbol Results === No vulnerabilities found. Your code is affected by 0 vulnerabilities. This scan also found 0 vulnerabilities in packages you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Upgrade github.com/klauspost/compress from v1.11.13 to v1.15.9

4fa05b3

The package has multiple improvements and bug fixes. Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com> (cherry picked from commit d063597) Signed-off-by: Austin Vazquez <macedonv@amazon.com>

austinvazquez force-pushed the update-grpc branch 2 times, most recently from 441417c to 71beb7f Compare November 21, 2023 16:30

austinvazquez force-pushed the update-grpc branch from 71beb7f to a5fc210 Compare November 21, 2023 16:31

austinvazquez closed this Nov 22, 2023

austinvazquez deleted the update-grpc branch December 2, 2023 03:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release/1.6] Update grpc to v1.58.3 #2

[release/1.6] Update grpc to v1.58.3 #2

austinvazquez commented Nov 21, 2023

[release/1.6] Update grpc to v1.58.3 #2

[release/1.6] Update grpc to v1.58.3 #2

Conversation

austinvazquez commented Nov 21, 2023