Prepare v0.47.2 release

and also integrate 0.46.3 Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
open-policy-agent · Dec 9, 2022 · 165bfe5 · 165bfe5
1 parent 20a68f7
commit 165bfe5
Show file tree

Hide file tree

Showing 5 changed files with 9,163 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,21 @@
 All notable changes to this project will be documented in this file. This
 project adheres to [Semantic Versioning](http://semver.org/).
 
+## 0.47.2 and 0.46.3
+
+This is a second security fix to address CVE-2022-41717/GO-2022-1144.
+
+We previously believed that upgrading the Golang version and its stdlib would be sufficient
+to address the problem. It turns out we also need to bump the x/net dependency to v0.4.0.,
+a version that hadn't existed when v0.46.2 was released.
+
+This release bumps the golang.org/x/net dependency to v0.4.0, and contains no other
+changes over v0.46.2.
+
+Note that the affected code is OPA's HTTP server. So if you're using OPA as a Golang library,
+or if your confident that your OPA's HTTP interface is protected by other means (as it should
+be -- not exposed to the public internet), you're OK.
+
 ## 0.47.1 and 0.46.2
 
 This is a bug fix release addressing two issues: one security issue, and one bug