Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x #18189

Merged
merged 1 commit into from
Jul 19, 2023
Merged

Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x #18189

merged 1 commit into from
Jul 19, 2023

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #18186 to be assessed for backporting due to the inclusion of the label backport/1.16.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

While not necessary to directly address CVE-2023-29406 (which should be handled by using a patched version of Go when building), an accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2 change.

Bump this dependency across our submodules as well for the sake of potential indirect consumers of x/net/http.

Description

Resolves CVE-2023-29406 regarding net/http in consul and submodules.

Testing & Reproduction steps

Tests should continue to pass.

Links

https://nvd.nist.gov/vuln/detail/CVE-2023-29406
https://go-review.googlesource.com/c/go/+/506996
https://go-review.googlesource.com/c/net/+/506995

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern - addresses CVE
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-4865-bump-net_http-cve/carefully-keen-lemming branch from 453052c to 6e029aa Compare July 19, 2023 15:38
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-4865-bump-net_http-cve/carefully-keen-lemming branch from 6e029aa to 453052c Compare July 19, 2023 15:38
@hashicorp-cla
Copy link

hashicorp-cla commented Jul 19, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Jul 19, 2023
View reviewed changes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@zalimeni
Bump golang.org/x/net to 0.12.0
648eff9 
While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.
@zalimeni zalimeni force-pushed the backport/zalimeni/net-4865-bump-net_http-cve/carefully-keen-lemming branch from 0701482 to 648eff9 Compare July 19, 2023 16:07
@zalimeni zalimeni marked this pull request as ready for review July 19, 2023 16:21
@zalimeni zalimeni merged commit f9482b6 into release/1.16.x Jul 19, 2023
106 checks passed
@zalimeni zalimeni deleted the backport/zalimeni/net-4865-bump-net_http-cve/carefully-keen-lemming branch July 19, 2023 16:22
zalimeni pushed a commit that referenced this pull request Jul 19, 2023
@zalimeni
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1…
c02b743 
….16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09.
zalimeni added a commit that referenced this pull request Jul 19, 2023
@zalimeni
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1…
50a3594 
….16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09.
zalimeni added a commit that referenced this pull request Jul 19, 2023
@zalimeni
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1…
b7c4171 
….16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09.
zalimeni pushed a commit that referenced this pull request Jul 19, 2023
@hc-github-team-consul-core
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1…
a799176 
….15.x (#18188)

Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09.
zalimeni pushed a commit that referenced this pull request Jul 19, 2023
@hc-github-team-consul-core
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1…
3f8cb58 
….14.x (#18187)

Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x (#18189)

Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@zalimeni zalimeni Awaiting requested review from zalimeni

Assignees

@zalimeni zalimeni

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hc-github-team-consul-core @hashicorp-cla @github-team-consul-core-pr-approver @zalimeni