Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2022-33987][2.x]Re-upgrade geckodriver to 3.0.2 #2709

Merged
merged 2 commits into from
Nov 1, 2022

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Nov 1, 2022

Description

geckodriver - only used in running functional tests. It got bumped to 11.8.5 on 2022-06-02.

geckodriver has been bumped to 3.0.2 before and backported to 2.x PR: #2397

However, due to this PR:
#2409 geckodriver is set back to 3.0.1. Therefore, we will reset it to 3.0.2.

Issues Resolved

#1764

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team as a code owner November 1, 2022 04:44
@ananzh ananzh changed the title [CVE][2.x]Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 [CVE-2022-33987][2.x]Re-upgrade geckodriver to 3.0.2 Nov 1, 2022
geckodriver - only used in running functional tests. It got bumped
to 11.8.5 on 2022-06-02.

geckodriver has been bumped to 3.0.2 before and backported to 2.x
PR: opensearch-project#2397

However, due to this PR:
opensearch-project#2409
geckodriver is set back to 3.0.1. Therefore, we will reset it to 3.0.2.

Issue Resolved:
opensearch-project#1764

Signed-off-by: Anan Zhuang <[email protected]>
@ananzh ananzh self-assigned this Nov 1, 2022
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend backport v2.4.0 'Issues and PRs related to version v2.4.0' labels Nov 1, 2022
@joshuarrrr
Copy link
Member

joshuarrrr commented Nov 1, 2022

@ananzh It looks like we also need this change in main. Why not PR it there first and then backport?

It is already in main. It is fixed before. Then this backport PR reverted the change.

@ananzh ananzh merged commit 107a400 into opensearch-project:2.x Nov 1, 2022
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.4 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.4 2.4
# Navigate to the new working tree
cd .worktrees/backport-2.4
# Create a new branch
git switch --create backport/backport-2709-to-2.4
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 107a400d2df846a3b73e336c4072afb6de53813b
# Push it to GitHub
git push --set-upstream origin backport/backport-2709-to-2.4
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.4

Then, create a pull request where the base branch is 2.4 and the compare/head branch is backport/backport-2709-to-2.4.

@ananzh
Copy link
Member Author

ananzh commented Nov 3, 2022

To make package consistency, this PR is superseded by this later one: #2772

@ananzh ananzh removed the v2.4.0 'Issues and PRs related to version v2.4.0' label Nov 4, 2022
@joshuarrrr joshuarrrr added the v2.4.0 'Issues and PRs related to version v2.4.0' label Mar 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend v2.4.0 'Issues and PRs related to version v2.4.0'
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants