
Bump Go version to fix vulnerability in std lib #5540

Merged: 1 commit, May 14, 2024

Conversation

@jjngx (Contributor) commented May 14, 2024

Proposed changes

This PR fixes the following vulnerabilities in the Go std lib:

➜  kubernetes-ingress git:(main) ✗ govulncheck ./...
Scanning your code and 1060 packages across 100 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2824
    Malformed DNS message can cause infinite loop in net
  More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Example traces found:
      #1: internal/nginx/verify.go:29:21: nginx.newVerifyClient calls net.Dial
      #2: internal/nginx/verify.go:48:26: nginx.verifyClient.GetConfigVersion calls http.Client.Do, which eventually calls net.Dialer.DialContext
      #3: internal/metrics/listener.go:113:36: metrics.Server.ListenAndServe calls http.Server.ListenAndServeTLS, which calls net.Listen
      #4: internal/k8s/controller.go:265:57: k8s.NewLoadBalancerController calls spiffe.NewX509CertFetcher, which eventually calls net.Resolver.LookupHost
      #5: internal/k8s/controller.go:265:57: k8s.NewLoadBalancerController calls spiffe.NewX509CertFetcher, which eventually calls net.Resolver.LookupSRV
      #6: internal/k8s/controller.go:265:57: k8s.NewLoadBalancerController calls spiffe.NewX509CertFetcher, which eventually calls net.Resolver.LookupTXT

Your code is affected by 1 vulnerability from the Go standard library.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.

After updating to Go 1.22.3:

➜  kubernetes-ingress git:(chore/go-version) ✗ govulncheck ./...
Scanning your code and 1060 packages across 100 dependent modules for known vulnerabilities...

No vulnerabilities found.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork
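The toolchain-bump decision that the govulncheck output in the description drives, as an added example (not code from this PR or the kubernetes-ingress project): a Go function that scans a report in the text layout shown above, keeps only blocks marked "Standard library", and returns the lowest Go release carrying all of their "Fixed in" versions. The report string in main is constructed and its versions are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	vulnRe  = regexp.MustCompile(`^Vulnerability #\d+: GO-\d{4}-\d+$`)
	fixedRe = regexp.MustCompile(`^Fixed in: \S+@go(\d+)\.(\d+)\.(\d+)$`)
)

// MinStdlibToolchain scans govulncheck's text report (the layout in the PR
// description) and returns the lowest Go release ("1.22.3") that carries the
// "Fixed in" version of every block marked "Standard library", or "" when no
// such block has one. Assumes a fix in an older minor line is also in newer lines.
func MinStdlibToolchain(report string) string {
	var best [3]int
	inBlock, stdlib := false, false
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		m := fixedRe.FindStringSubmatch(line)
		switch {
		case vulnRe.MatchString(line):
			inBlock, stdlib = true, false // a new block resets the stdlib marker
		case inBlock && line == "Standard library":
			stdlib = true
		case inBlock && stdlib && m != nil:
			var v [3]int
			for i := range v {
				v[i], _ = strconv.Atoi(m[i+1])
			}
			if v[0] > best[0] || v[0] == best[0] && (v[1] > best[1] || v[1] == best[1] && v[2] > best[2]) {
				best = v
			}
		}
	}
	if best == [3]int{} {
		return ""
	}
	return strconv.Itoa(best[0]) + "." + strconv.Itoa(best[1]) + "." + strconv.Itoa(best[2])
}

func main() { // constructed report in the page's layout; the versions are illustrative
	report := "Vulnerability #1: GO-2024-2824\n  Standard library\n    Found in: net@go1.22.2\n    Fixed in: net@go1.22.3\n"
	fmt.Println("bump Go toolchain to", MinStdlibToolchain(report))
}
```

In a pipeline, govulncheck's machine-readable output is a more robust input than this text layout, which is meant for humans and may change between releases.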

@jjngx jjngx requested a review from a team as a code owner May 14, 2024 12:45
@github-actions github-actions bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 14, 2024
@jjngx jjngx merged commit a5fc682 into main May 14, 2024
66 of 69 checks passed
@jjngx jjngx deleted the chore/go-version branch May 14, 2024 13:35
ssrahul96 pushed a commit to ssrahul96/kubernetes-ingress that referenced this pull request Jun 20, 2024