Skip to content

chore(module): fix CVEs #1039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 16, 2025
Merged

chore(module): fix CVEs #1039

merged 2 commits into from
May 16, 2025

Conversation

diafour
Copy link
Member

@diafour diafour commented May 12, 2025
edited by Isteb4k
Loading

Description

Why do we need it, and what problem does it solve?

What is the expected result?

  • No CVEs with critical or high severity.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: chore
summary: Update module dependencies to address existing vulnerabilities CVE-2024-45337,CVE-2025-22869, CVE-2025-22870, CVE-2025-22872, CVE-2025-27144, CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871.

@diafour diafour requested a review from fl64 as a code owner May 13, 2025 08:33
@diafour diafour marked this pull request as draft May 13, 2025 08:51
@diafour diafour requested review from danilrwx and removed request for fl64, nevermarine and yaroslavborbat May 13, 2025 18:26
@diafour diafour marked this pull request as ready for review May 13, 2025 18:27
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch from fefdbcd to 0415f0e Compare May 14, 2025 08:47
@deckhouse-BOaTswain
Copy link
Contributor

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: cancelled.

@deckhouse-BOaTswain
Copy link
Contributor

deckhouse-BOaTswain commented May 14, 2025
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain
Copy link
Contributor

deckhouse-BOaTswain commented May 14, 2025
edited
Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: cancelled.

@universal-itengineer universal-itengineer added this to the v0.19.0 milestone May 15, 2025
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch 4 times, most recently from 5203567 to c9f1bab Compare May 16, 2025 15:14
@diafour
chore(module): fix CVEs
ec25b27 
- Update golang.org/x/crypto to v0.38.0, mitigate CVE-2024-45337,CVE-2025-22869
- Update golang.org/x/net to v0.40.0, mitigate CVE-2025-22870, CVE-2025-22872
- Update github.com/go-jose/go-jose/[email protected], mitigate CVE-2025-27144
- Update Go 1.23, mitigate CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871
- Use Go 1.23 for virtualization-artifact, dvcr-importer, dvcr-updater, kube-api-rewriter, pre-delete-hook, CDI images, for helper C programs and dvcr.
- Cleanup virtualization_images.yaml, only ALT_P11 remains.

---------

Signed-off-by: Ivan Mikheykin <[email protected]>
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch from c9f1bab to ec25b27 Compare May 16, 2025 15:37
universal-itengineer
universal-itengineer requested changes May 16, 2025
View reviewed changes
@universal-itengineer universal-itengineer self-requested a review May 16, 2025 17:22
@diafour diafour merged commit 1262756 into main May 16, 2025
27 of 29 checks passed
@diafour diafour deleted the chore/module/fix-cve-2025-05 branch May 16, 2025 17:33
@deckhouse-BOaTswain deckhouse-BOaTswain mentioned this pull request May 16, 2025
Merged
@deckhouse-BOaTswain deckhouse-BOaTswain mentioned this pull request May 29, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@universal-itengineer universal-itengineer universal-itengineer approved these changes

@Isteb4k Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

@danilrwx danilrwx Awaiting requested review from danilrwx

Assignees

@diafour diafour

Labels
e2e/user/danilrwx
Projects
None yet
Milestone
v0.19.0
Development

Successfully merging this pull request may close these issues.
3 participants
@diafour @deckhouse-BOaTswain @universal-itengineer