Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-v0.14] Backport CVE-2025-22869 changes to v0.14 from v0.15; Update go to 1.23.0 from 1.22.0 to support x/crypto 0.35 #1829

Closed
wants to merge 2 commits into from
Closed

[release-v0.14] Backport CVE-2025-22869 changes to v0.14 from v0.15; Update go to 1.23.0 from 1.22.0 to support x/crypto 0.35 #1829

wants to merge 2 commits into from

Conversation

psrvere
Copy link

@psrvere psrvere commented Mar 6, 2025

Changes

Backport #1755 to release-0.14. This PR

  • updates golang.org/x/crypto to 0.35 to address CVE-2025-22869
  • updates go to 1.23.0 from 1.22.0 to support golang.org/x/crypto 0.35 version

/kind dependency-change

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

Release Notes

Update golang.org/x/crypto to v0.35.0 to address CVE-2025-22869. Update go to 1.23.0 from 1.22.0 to support x/crypto 0.35.

@openshift-ci openshift-ci bot added release-note Label for when a PR has specified a release note do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/dependency-change Categorizes issue or PR as related to changing dependencies labels Mar 6, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign qu1queee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pull-request-size pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 6, 2025
SaschaSchwarze0 and others added 2 commits March 6, 2025 15:09
@SaschaSchwarze0 @psrvere
cherry picked 7c5c4a2 from release-v0.15 to address GO-2025-3487
4741bfe 
Signed-off-by: psrvere <prateek.singh.rathore@gmail.com>
@psrvere
go mod tidy and go mod vendor changes
9990d8a 
Signed-off-by: psrvere <prateek.singh.rathore@gmail.com>
@psrvere psrvere force-pushed the source/release-v0.14 branch from 68a00dd to 9990d8a Compare March 6, 2025 09:41
@psrvere psrvere marked this pull request as ready for review March 6, 2025 09:56
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 6, 2025
@psrvere
Copy link
Author

psrvere commented Mar 6, 2025

@SaschaSchwarze0 - Commits signed. Haven't changed the go version in Github workflows yet. Wanted to see the failure messages first. Please approve workflows.

@SaschaSchwarze0
Copy link
Member

@SaschaSchwarze0 - Commits signed. Haven't changed the go version in Github workflows yet. Wanted to see the failure messages first. Please approve workflows.

Interesting. I had assumed that recent Go versions would complain about compiling Go modules that have a newer version.

@adambkaplan
Copy link
Member

/hold

Per discussion in the community call today - as a community, we are "supporting" our latest release with our automated vulnerability detection and bugfix release process. We think the right course of action is to allow PRs to older release branches, however we are not going to issue new z-stream releases for those versions.

For this particular PR, I am wary of accepting it because it requires us to upgrade the golang runtime version to 1.23. I assume CI is passing because golang 1.21 introduced "forward compatibility" mechanisms that download SDK toolchains on the fly. One can argue that the go.mod file defines which version of go is used in the build - nonetheless there is some level of config skew in this PR as is.

With that "cost" in mind, one has to ask "what is the benefit?" CVE-2025-22869 is interesting in that it has a high CVSS score, but only for SSH servers using the x/crypto/ssh package. In Shipwright, we are using ssh packages for client-side SSH operations (most notably to clone source from git). From my understanding of the vulnerability report, client-side operations are not affected. Unfortunately, today's scanning tool ecosystem does not have great mechanisms for code to declare itself "not affected" by a vulnerability. I don't see "make the scanners happy" a strong enough benefit.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 10, 2025
@psrvere psrvere closed this Mar 11, 2025
@psrvere
Copy link
Author

psrvere commented Mar 11, 2025

Thanks Adam for the note. Closing the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HeavyWombat HeavyWombat Awaiting requested review from HeavyWombat

@SaschaSchwarze0 SaschaSchwarze0 Awaiting requested review from SaschaSchwarze0

Assignees
No one assigned
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/dependency-change Categorizes issue or PR as related to changing dependencies release-note Label for when a PR has specified a release note size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
Shipwright Overview
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@psrvere @SaschaSchwarze0 @adambkaplan