Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 #1467

Merged
merged 1 commit into from
Mar 12, 2024
Merged

security: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 #1467

merged 1 commit into from
Mar 12, 2024

Conversation

dobsonj
Copy link
Member

@dobsonj dobsonj commented Mar 12, 2024
edited
Loading

What this PR does / why we need it:

Bump google.golang.org/[email protected] and github.com/golang/[email protected] to address CVE-2024-24786.

https://pkg.go.dev/vuln/GO-2024-2611
GHSA-8r3f-844c-mc37

Which issue(s) this PR fixes:

/kind bug

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Update google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 12, 2024
@k8s-ci-robot k8s-ci-robot requested review from nilekhc and ritazh March 12, 2024 18:46
@dobsonj dobsonj marked this pull request as ready for review March 12, 2024 19:04
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 12, 2024
@k8s-ci-robot k8s-ci-robot requested a review from tam7t March 12, 2024 19:04
@dobsonj dobsonj force-pushed the CVE-2024-24786-origin-main branch from 38af96c to d308d13 Compare March 12, 2024 21:14
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 12, 2024
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.51%. Comparing base (f2aea5b) to head (d308d13).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1467      +/-   ##
==========================================
+ Coverage   36.47%   36.51%   +0.04%     
==========================================
  Files          63       63              
  Lines        4532     4532              
==========================================
+ Hits         1653     1655       +2     
+ Misses       2734     2732       -2     
  Partials      145      145

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@aramase
Copy link
Member

aramase commented Mar 12, 2024

/retitle security: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0

@k8s-ci-robot k8s-ci-robot changed the title CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 security: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 Mar 12, 2024
aramase
aramase reviewed Mar 12, 2024
View reviewed changes
Copy link
Member

@aramase aramase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 12, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, dobsonj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 12, 2024
@k8s-ci-robot k8s-ci-robot merged commit 050f986 into kubernetes-sigs:main Mar 12, 2024
25 checks passed
@aramase aramase mentioned this pull request Mar 18, 2024
Merged
k8s-ci-robot added a commit that referenced this pull request Mar 18, 2024
@k8s-ci-robot
Merge pull request #1474 from aramase/automated-cherry-pick-of-#1467-…
98559e0 
…upstream-release-1.4

Automated cherry pick of #1467: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aramase aramase aramase left review comments

@nilekhc nilekhc Awaiting requested review from nilekhc

@ritazh ritazh Awaiting requested review from ritazh

@tam7t tam7t Awaiting requested review from tam7t

Assignees

@aramase aramase

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dobsonj @k8s-ci-robot @codecov-commenter @aramase