Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security update for Go crypto pkg #6969

Conversation

nginx-bot
Copy link
Contributor

Proposed changes

This PR contains upgrade for the crypto pkg issued by Go team: CVE

govulncheck -show verbose ./...
Scanning your code and 1103 packages across 98 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-3321
    Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2024-3321
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.28.0
    Fixed in: golang.org/x/crypto@v0.31.0

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.

after the upgrade:

➜  kubernetes-ingress git:(chore/sec-patch) govulncheck -show verbose ./...
Scanning your code and 1103 packages across 98 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

No vulnerabilities found.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@nginx-bot nginx-bot requested a review from a team as a code owner December 12, 2024 11:22
@nginx-bot nginx-bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code needs cherry pick Cherry pick this PR into a release branch labels Dec 12, 2024
@pdabelf5 pdabelf5 removed the needs cherry pick Cherry pick this PR into a release branch label Dec 12, 2024
Copy link

codecov bot commented Dec 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (release-4.0@f188d46). Learn more about missing BASE report.

Additional details and impacted files
@@              Coverage Diff               @@
##             release-4.0    #6969   +/-   ##
==============================================
  Coverage               ?   52.54%           
==============================================
  Files                  ?       88           
  Lines                  ?    20803           
  Branches               ?        0           
==============================================
  Hits                   ?    10931           
  Misses                 ?     9417           
  Partials               ?      455           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@AlexFenlon AlexFenlon merged commit b1b1a11 into release-4.0 Dec 12, 2024
23 checks passed
@AlexFenlon AlexFenlon deleted the cherry-pick-release-4.0-3c18788bac51023755c12ec58bda5444aebe41fd branch December 12, 2024 12:10
@pdabelf5 pdabelf5 changed the title [cherry-pick] Security update for Go crypto pkg Security update for Go crypto pkg Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants