Skip to content

Bump libraries to incorporate CVE fixes #913

Merged
fgiudici merged 4 commits intorancher:mainfrom
fgiudici:main_v17x_CVEfixes
Jun 16, 2025
Merged

Bump libraries to incorporate CVE fixes #913
fgiudici merged 4 commits intorancher:mainfrom
fgiudici:main_v17x_CVEfixes

Conversation

@fgiudici
Copy link
Copy Markdown
Contributor

@fgiudici fgiudici commented Jun 13, 2025
edited
Loading

Porting of #904 and #912
Added coverage of CVE-2025-22872

@fgiudici fgiudici requested a review from a team as a code owner June 13, 2025 07:55
@github-actions github-actions Bot added area/build build related changes area/tests test related changes labels Jun 13, 2025
@fgiudici fgiudici force-pushed the main_v17x_CVEfixes branch 2 times, most recently from 3622a19 to 53c3e27 Compare June 13, 2025 15:01
@github-actions github-actions Bot removed the area/tests test related changes label Jun 13, 2025
davidcassany and others added 4 commits June 13, 2025 17:07
@davidcassany @fgiudici
Bump libraries to incorporate CVE fixes
0dbc6cf 
Bump golang.org/x/net to cover CVE-2025-22870 and fix bsc#1238700.
Bump golang.org/x/crypto to cover CVE-2025-22869 and fix bsc#1239335.

In addition and as a requirement of the new x/crypto library go is bumped to 1.23

Signed-off-by: David Cassany <dcassany@suse.com>
@fgiudici
Dockerfile: bump golang container to 1.24 (rancher#912)
e00c6e0 
Required since vendored x/crypto lib requires go ver >= 1.23

Related to #dd41431b0b2792f0fca005adf3abc3cf471877c4

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
@fgiudici
CVE-2025-22872
8a6b44a 
Bump golang.org/x/net
GHSA-vvgc-356p-c3xw

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
@fgiudici
go mod vendor
78baa87 
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
@fgiudici fgiudici force-pushed the main_v17x_CVEfixes branch from 53c3e27 to 78baa87 Compare June 13, 2025 15:07
@fgiudici fgiudici enabled auto-merge (squash) June 13, 2025 15:07
frelon
frelon approved these changes Jun 16, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@frelon frelon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fgiudici fgiudici merged commit 43f3b00 into rancher:main Jun 16, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frelon frelon frelon approved these changes

Assignees

No one assigned

Labels

area/build build related changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fgiudici @frelon @davidcassany