From 6e664f3cabf82b837ad2bbca91346647c7b5082f Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Thu, 12 Dec 2024 14:21:25 +0000
Subject: [PATCH 1/3] calico-3.29/3.29.1-r0: fix GHSA-v778-237x-gjrc
---
 calico-3.29.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/calico-3.29.yaml b/calico-3.29.yaml
index 27dfee6d1e8..9e7dc2a39d6 100644
--- a/calico-3.29.yaml
+++ b/calico-3.29.yaml
@@ -1,7 +1,7 @@ package: name: calico-3.29 version: 3.29.1 - epoch: 0 + epoch: 1 description: "Cloud native networking and network security" copyright: - license: Apache-2.0
@@ -66,6 +66,9 @@ pipeline: repository: https://github.com/projectcalico/calico tag: v${{package.version}} expected-commit: ddfc3b1ea724e2580c68d34950f0ccd318ae3ebf + - uses: go/bump + with: + deps: golang.org/x/crypto@v0.31.0 - working-directory: felix pipeline: # Equivalent to target: "build-bpf"
From 5265d44c734ba1496a6af27ce91596da2b17cc49 Mon Sep 17 00:00:00 2001
From: Hunter Harris
Date: Fri, 13 Dec 2024 18:14:42 -0500
Subject: [PATCH 2/3] Updated previous gobump to patch this new CVE
---
 calico-3.29.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/calico-3.29.yaml b/calico-3.29.yaml
index 9e7dc2a39d6..f3a26225492 100644
--- a/calico-3.29.yaml
+++ b/calico-3.29.yaml
@@ -66,9 +66,6 @@ pipeline: repository: https://github.com/projectcalico/calico tag: v${{package.version}} expected-commit: ddfc3b1ea724e2580c68d34950f0ccd318ae3ebf - - uses: go/bump - with: - deps: golang.org/x/crypto@v0.31.0 - working-directory: felix pipeline: # Equivalent to target: "build-bpf"
@@ -178,8 +175,8 @@ subpackages: LDFLAGS="$LDFLAGS -X node/buildinfo.BuildDate=$(date -u +'%FT%T%z')" LDFLAGS="$LDFLAGS -X node/buildinfo.GitRevision=$(git rev-parse HEAD || echo '')" - # Mitigate CVE-2023-48795 - go mod edit -replace=golang.org/x/crypto=golang.org/x/crypto@v0.17.0 + # Mitigate GHSA-v778-237x-gjrc + go mod edit -replace=golang.org/x/crypto=golang.org/x/crypto@v0.31.0 go mod tidy
From 5e8797225b23af0832e259260472d8b073de5661 Mon Sep 17 00:00:00 2001
From: Debasish Biswas
Date: Sat, 14 Dec 2024 11:01:56 +0530
Subject: [PATCH 3/3] using go/bump instead of go mod -edit
pervious pipeline can result in that at some point we downgrade the version because of this command present in the pipeline and we didn't notice.
Signed-off-by: Debasish Biswas
---
 calico-3.29.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/calico-3.29.yaml b/calico-3.29.yaml
index f3a26225492..22397fb9912 100644
--- a/calico-3.29.yaml
+++ b/calico-3.29.yaml
@@ -66,6 +66,10 @@ pipeline: repository: https://github.com/projectcalico/calico tag: v${{package.version}} expected-commit: ddfc3b1ea724e2580c68d34950f0ccd318ae3ebf + - uses: go/bump + with: + deps: golang.org/x/crypto@v0.31.0 + replaces: golang.org/x/crypto=golang.org/x/crypto@v0.31.0 - working-directory: felix pipeline: # Equivalent to target: "build-bpf"
@@ -175,11 +179,6 @@ subpackages: LDFLAGS="$LDFLAGS -X node/buildinfo.BuildDate=$(date -u +'%FT%T%z')" LDFLAGS="$LDFLAGS -X node/buildinfo.GitRevision=$(git rev-parse HEAD || echo '')" - # Mitigate GHSA-v778-237x-gjrc - go mod edit -replace=golang.org/x/crypto=golang.org/x/crypto@v0.31.0 - - go mod tidy - CGO_ENABLED=1 \ CGO_LDFLAGS="$CGO_LDFLAGS" \ CGO_CFLAGS="$CGO_CFLAGS" \
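Review bot: The new `go/bump` step in the `@@ -66,6 +66,10 @@` hunk carries no comment naming the advisory, so the `# Mitigate GHSA-v778-237x-gjrc` reference that the subpackage script lost in the following hunk now survives only in git history; put it back on the step, e.g. `# GHSA-v778-237x-gjrc: golang.org/x/crypto < v0.31.0 (drop the replace once upstream's go.mod requires >= v0.31.0)`. That second half matters because `replaces:` is a hard pin: a `replace` directive overrides version selection, so when the package version is bumped and upstream requires a newer x/crypto, this line would silently hold it at v0.31.0 — the mirror image of the downgrade the commit message is worried about. The `deps:` bump alone already makes the root module require v0.31.0; `replaces:` is only needed if calico's own go.mod carries a `replace` pinning an older x/crypto, which I cannot see from here — state in the comment which case applies. Given the stated concern about unnoticed version changes, a build-time assertion on the resolved version after the bump (`go list -m -f '{{.Version}}' golang.org/x/crypto`) would catch drift in either direction.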