Bump go-yaml version to cover fixed ddos heuristic #2821
/cc @rmohr
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rmohr
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
@petrkotas @slintes I wonder if we should also bump
Hi @rmohr, we can do this separately, since it will require working on the dependencies. The yaml.v2 is used indirectly via dependencies and these have to be updated. Or we can try to go with WDYT?
I'd vote for replace in client-go. kubevirt itself is fine without it.
Hi @slintes, I have provided the replace. However, it seems it still keeps some older dependencies in the
AFAIK go.sum is supposed to keep old entries. But this looks good I'd say:
Thanks! /lgtm
This PR bumps go-yaml to v2.2.4, which has the ddos vulnerability fixed. Issue: go-yaml preceding 2.2.4 had a vulnerability to a ddos attack via a billion laughs bomb. Such an attack leads to the program becoming unresponsive. The issue has been described in https://raesene.github.io/blog/2019/10/15/From-stackoverflow-to-CVE/
Signed-off-by: Petr Kotas <petr.kotas@gmail.com>
@slintes Thanks for the review, I have rebased the code.
/lgtm and we forgot: /hold cancel
/retest
/retest
/test pull-kubevirt-e2e-os-3.11.0-crio
/retest
/retest
/retest
/retest
/retest
/retest
/retest
/retest
/test pull-kubevirt-e2e-os-3.11.0-crio
/retest
/retest
What this PR does / why we need it:
This PR bumps go-yaml to v2.2.4, which has the ddos vulnerability fixed.
Issue:
go-yaml preceding 2.2.4 had a vulnerability to a ddos attack via a billion laughs bomb.
Such an attack leads to the program becoming unresponsive.
The issue has been described in
https://raesene.github.io/blog/2019/10/15/From-stackoverflow-to-CVE/
Moreover, dependencies in our vendor have an update in progress:
Signed-off-by: Petr Kotas <petr.kotas@gmail.com>
Release note:
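As an added example that is not code from this PR or from go-yaml: a hypothetical, standard-library-only pre-parse guard in the spirit of the alias-expansion heuristic the bump brings in. It counts how many nodes a document's anchors and aliases would materialize, so a caller can refuse an amplified document before ever handing it to a decoder; `Sample` is a constructed document, and an anchor's scope is assumed to be the rest of its line plus any deeper-indented lines below it.

```go
package main

import (
	"regexp"
	"strings"
)
// Hypothetical pre-parse guard, not go-yaml's heuristic: counts nodes the aliases would materialize.
var anchorRe, aliasRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`), regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)
const Unbounded = 1 << 40 // reported for alias cycles, nesting over 64 deep, or counts about to wrap
// Sample is a constructed document: anchor b aliases a twice and is itself aliased three times.
const Sample = "a: &a\n  - x\n  - y\nb: &b\n  - *a\n  - *a\nc:\n  - *b\n  - *b\n  - *b\n"
func indent(s string) int { return len(s) - len(strings.TrimLeft(s, " ")) }
// AliasExpansion returns the total node count produced by expanding every alias in doc (an anchor's scope: rest of its line plus deeper-indented lines).
func AliasExpansion(doc string) int {
	lines := strings.Split(doc, "\n")
	scopes := map[string][]string{} // anchor name -> aliases referenced inside its scope
	for i, line := range lines {
		for _, idx := range anchorRe.FindAllStringSubmatchIndex(line, -1) {
			name, body := line[idx[2]:idx[3]], line[idx[1]:]
			for j := i + 1; j < len(lines) && indent(lines[j]) > indent(line); j++ {
				body += "\n" + lines[j]
			}
			for _, a := range aliasRe.FindAllStringSubmatch(body, -1) {
				scopes[name] = append(scopes[name], a[1])
			}
		}
	}
	memo := map[string]int{} // memoised so the guard itself stays linear on an amplified document
	var size func(string, int) int // nodes that one alias to the named anchor expands to
	size = func(name string, depth int) int {
		if n, ok := memo[name]; ok {
			return n
		}
		n := 1 // the anchored node itself; an unknown anchor has no scope and counts as one
		for _, ref := range scopes[name] {
			if depth > 64 || n >= Unbounded {
				return Unbounded
			}
			n += size(ref, depth+1)
		}
		memo[name] = n
		return n
	}
	total := 0
	for _, a := range aliasRe.FindAllStringSubmatch(doc, -1) {
		if total += size(a[1], 0); total >= Unbounded {
			return Unbounded
		}
	}
	return total
}
```

Compare the returned count against a limit suited to your inputs; `Unbounded` signals a cycle or nesting deeper than 64 levels and should always be refused.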