vulnerabilities fixes

chore: This commit fixes the following CVEs: - [CVE-2023-37788](https://www.cve.org/CVERecord?id=CVE-2023-37788): github.com/elazarl/goproxy Denial of Service (DoS) - [CVE-2022-21698](https://www.cve.org/CVERecord?id=CVE-2022-21698) / [CVE-2023-45142](https://www.cve.org/CVERecord?id=CVE-2023-45142): Allocation of Resources Without Limits or Throttling Signed-off-by: Spolti <fspolti@redhat.com>
kserve · Nov 23, 2023 · 568e2c0 · 568e2c0
1 parent 440194e
commit 568e2c0
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 23 deletions.
diff --git a/go.mod b/go.mod
@@ -126,5 +126,15 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
-// Update Go Networking to avoid CVE-2023-44487 and CVE-2023-39325
-replace golang.org/x/net => golang.org/x/net v0.17.0
+replace (
+	// Fixes CVE-2022-21698 and CVE-2023-45142
+	// this dependency comes from k8s.io/component-base@v0.26.4 and k8s.io/apiextensions-apiserver@v0.26.4
+	// before removing it make sure that the next version of the related k8s dependencies contains the fix
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+	// Update Go Networking to avoid CVE-2023-44487 and CVE-2023-39325
+	golang.org/x/net => golang.org/x/net v0.17.0
+	// remove when upgrade to controller-runtime 0.15.x or apimachinery to 0.27.x
+	// Fixes github.com/elazarl/goproxy Denial of Service (DoS)
+	// This dependency was removed from apimachinery 0.27.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
+)