Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Fix gRPC and HTTP2 high vulnerabilities #11986

Merged
merged 1 commit into from
Oct 12, 2023
Merged

fix: Fix gRPC and HTTP2 high vulnerabilities #11986

merged 1 commit into from
Oct 12, 2023

Conversation

terrytangyuan
Copy link
Member

@terrytangyuan terrytangyuan commented Oct 12, 2023
edited
Loading

This fixes the following issues detected by Snyk (breaks main branch):


✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: google.golang.org/[email protected], cloud.google.com/go/[email protected], github.com/grpc-ecosystem/[email protected], google.golang.org/api/[email protected], github.com/grpc-ecosystem/[email protected], github.com/grpc-ecosystem/go-grpc-middleware/logging/[email protected]
  From: google.golang.org/[email protected]
  From: cloud.google.com/go/[email protected] > google.golang.org/[email protected]
  From: github.com/grpc-ecosystem/[email protected] > google.golang.org/[email protected]
  and 30 more...
  Fixed in: 1.56.3, 1.57.1, 1.58.3

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
  Introduced through: k8s.io/client-go/[email protected], github.com/soheilhy/[email protected], cloud.google.com/go/[email protected], github.com/argoproj/argo-events/pkg/client/eventsource/clientset/[email protected], github.com/argoproj/argo-events/pkg/client/sensor/clientset/[email protected], github.com/google/go-containerregistry/pkg/authn/k8schain@#31786c6cbb82, k8s.io/client-go/[email protected], k8s.io/client-go/[email protected], k8s.io/client-go/tools/leaderelection/[email protected], k8s.io/client-go/[email protected], k8s.io/client-go/tools/[email protected], k8s.io/client-go/tools/[email protected], google.golang.org/[email protected], k8s.io/apimachinery/pkg/[email protected], k8s.io/client-go/[email protected], k8s.io/client-go/tools/[email protected], k8s.io/client-go/discovery/[email protected], k8s.io/client-go/informers/[email protected], k8s.io/client-go/informers/core/[email protected], k8s.io/client-go/dynamic/[email protected], k8s.io/client-go/listers/core/[email protected], k8s.io/client-go/tools/[email protected], k8s.io/client-go/plugin/pkg/client/[email protected], k8s.io/client-go/tools/[email protected], k8s.io/client-go/tools/[email protected], github.com/grpc-ecosystem/[email protected], github.com/grpc-ecosystem/go-grpc-middleware/logging/[email protected], google.golang.org/api/[email protected], github.com/grpc-ecosystem/[email protected], k8s.io/apimachinery/pkg/apis/meta/[email protected], github.com/argoproj/pkg/kube/cli@#235a5432ec98, k8s.io/cli-runtime/pkg/[email protected], github.com/argoproj/argo-events/pkg/apis/eventsource/[email protected], github.com/argoproj/argo-events/pkg/apis/sensor/[email protected], k8s.io/api/authorization/[email protected], k8s.io/client-go/pkg/apis/[email protected], k8s.io/apimachinery/pkg/api/[email protected], k8s.io/apimachinery/pkg/api/[email protected], k8s.io/api/core/[email protected], k8s.io/api/policy/[email protected], k8s.io/apimachinery/pkg/apis/meta/v1/[email protected], k8s.io/client-go/kubernetes/typed/core/[email protected], k8s.io/kubectl/pkg/[email protected], github.com/argoproj/pkg/kube/errors@#235a5432ec98, k8s.io/client-go/util/[email protected], k8s.io/apimachinery/pkg/util/[email protected], k8s.io/client-go/plugin/pkg/client/auth/[email protected], k8s.io/apimachinery/pkg/runtime/[email protected], k8s.io/client-go/kubernetes/[email protected], k8s.io/client-go/[email protected], k8s.io/client-go/[email protected]
  From: k8s.io/client-go/[email protected] > golang.org/x/net/[email protected]
  From: github.com/soheilhy/[email protected] > golang.org/x/net/[email protected]
  From: cloud.google.com/go/[email protected] > google.golang.org/api/transport/[email protected] > golang.org/x/net/[email protected]
  and 75 more...
  Fixed in: 0.17.0

@terrytangyuan terrytangyuan mentioned this pull request Oct 12, 2023
Open
@terrytangyuan terrytangyuan merged commit 375a860 into argoproj:master Oct 12, 2023
25 checks passed
@terrytangyuan terrytangyuan deleted the fix-snk branch October 12, 2023 02:58
@agilgur5 agilgur5 added type/dependencies PRs and issues specific to updating dependencies go Pull requests that update Go dependencies type/security Security related labels Oct 12, 2023
terrytangyuan added a commit that referenced this pull request Oct 19, 2023
@terrytangyuan
fix: Fix gRPC and HTTP2 high vulnerabilities (#11986)
b23647a 
Signed-off-by: Yuan Tang <[email protected]>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
@terrytangyuan @dpadhiar
fix: Fix gRPC and HTTP2 high vulnerabilities (argoproj#11986)
83e7d5f 
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Dillen Padhiar <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wanghong230 wanghong230 wanghong230 approved these changes

Assignees
No one assigned
Labels
go Pull requests that update Go dependencies type/dependencies PRs and issues specific to updating dependencies type/security Security related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@terrytangyuan @wanghong230 @agilgur5