
[release-1.14] Bump ocicrypt and go-jose CVE-2024-28180 #2290

Merged

TomSweeneyRedHat
Member

Bump github.com/go-jose/go-jose to v3.0.0 and
github.com/containers/ocicrypt to v1.1.10

Addresses: CVE-2024-28180
https://issues.redhat.com/browse/RHEL-28736
https://issues.redhat.com/browse/RHEL-28728
https://issues.redhat.com/browse/OCPBUGS-30723

Signed-off-by: tomsweeneyredhat <[email protected]>

@mtrmac mtrmac left a comment

Thanks!

@mtrmac mtrmac merged commit 0040357 into containers:release-1.14 Apr 11, 2024
8 checks passed

@mtrmac mtrmac left a comment

@TomSweeneyRedHat I didn’t notice earlier, but shouldn’t this also include an update of gopkg.in/go-jose/go-jose.v2 ?

@TomSweeneyRedHat
Member Author

@mtrmac I didn't see that either. IDK if that also needs to be updated. I'll check with ProdSec on Monday.

@mtrmac
Contributor

mtrmac commented Apr 15, 2024

@TomSweeneyRedHat your notes say “go-jose v4.0.1, v3.0.3, and/or v2.6.3”; FWIW github.com/go-jose/go-jose/v3 and gopkg.in/go-jose/go-jose.v2 are the same package (the import name has changed), compare GHSA-c5q2-7r4c-mv6g.

The two major versions are both included independently; updating to 3.0.3 does not remove the 2.6.3 implementation.
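The point above, that each major version of go-jose is a separate Go module and has to be checked on its own, is easy to miss when auditing a go.mod after a bump. The following is an added example (not code from this PR or from containers/image): it parses a constructed go.mod excerpt that models the situation described in the thread (v3 already bumped, the v2 module path still present at an older version) and reports every go-jose module path whose version is below the fixed version for that major, using the fixed versions quoted in the comment above. The module name `example.com/imageconsumer` and the versions in the sample are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the containers/image go.mod). It models the
// state the review comment describes: the v2 and v3 import paths of go-jose
// are separate modules, and bumping one leaves the other untouched.
const sampleGoMod = `module example.com/imageconsumer

go 1.21

require (
	github.com/containers/ocicrypt v1.1.10
	github.com/go-jose/go-jose/v3 v3.0.3
	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
)
`

// Minimum fixed versions per module path, taken from the thread's note
// ("go-jose v4.0.1, v3.0.3, and/or v2.6.3"). Each major has its own path.
var fixedVersions = map[string]string{
	"gopkg.in/go-jose/go-jose.v2":   "v2.6.3",
	"github.com/go-jose/go-jose/v3": "v3.0.3",
	"github.com/go-jose/go-jose/v4": "v4.0.1",
}

// requiredModules parses the require directives of a go.mod (both the block
// form and single-line form) and returns module path -> version.
// Comments such as "// indirect" are stripped before parsing.
func requiredModules(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, etc. are not of interest here
		}
		fields := strings.Fields(line)
		if len(fields) == 2 {
			out[fields[0]] = fields[1]
		}
	}
	return out
}

// parseSemver turns "v3.0.3" into [3 0 3]; a pre-release or build suffix
// (e.g. "v3.0.3-rc1") is dropped before the numeric comparison.
func parseSemver(v string) [3]int {
	var n [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n
}

// lessThan reports whether version a sorts before version b.
func lessThan(a, b string) bool {
	x, y := parseSemver(a), parseSemver(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// vulnerableGoJose returns every go-jose module path in the go.mod whose
// version is below the fixed version for that major, sorted for stable output.
// Each path is checked independently: a v3 bump says nothing about v2.
func vulnerableGoJose(gomod string) []string {
	var bad []string
	for path, ver := range requiredModules(gomod) {
		if fixed, ok := fixedVersions[path]; ok && lessThan(ver, fixed) {
			bad = append(bad, path+" "+ver+" (fixed in "+fixed+")")
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, b := range vulnerableGoJose(sampleGoMod) {
		fmt.Println("needs update:", b)
	}
}
```

Run against a real go.mod the same logic applies to `go list -m all` output, which also lists the versions selected for indirect dependencies; the key habit is to look for every module path of the package, not just the one the PR title names.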

@TomSweeneyRedHat TomSweeneyRedHat deleted the dev/tsweeney/cve-jose-1.14 branch April 15, 2024 21:36
@mtrmac
Contributor

mtrmac commented Apr 16, 2024

For the record, the v2 version was updated in #2301.

@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Aug 13, 2024