
minimal cve fixes x/net and k8s.io/kubernetes for 3.28 #9991

Open

wants to merge 1 commit into base: release-v3.28

Conversation

paulgmiller
Contributor

## Description

Currently 3 CVEs in calico 3.28.3 according to trivy:

```text
trivy  i --ignore-unfixed  mcr.microsoft.com/oss/calico/node:v3.28.3

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├───────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.35.0           │ 0.36.0                           │ golang.org/x/net/http/httpproxy: golang.org/x/net/proxy:  │
│                   │                │          │        │                   │                                  │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-22870                │
├───────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2024-9042  │          │        │ v1.28.15          │ 1.29.13, 1.30.9, 1.31.5, 1.32.1  │ kubelet: Command Injection affecting Windows nodes via    │
│                   │                │          │        │                   │                                  │ nodes/*/logs/query API                                    │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-9042                 │
│                   ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                   │ CVE-2025-0426  │          │        │                   │ 1.32.2, 1.31.6, 1.30.10, 1.29.14 │ k8s.io/kubernetes: kubelet: node denial of service via    │
│                   │                │          │        │                   │                                  │ kubelet checkpoint API                                    │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-0426                 │
└───────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘
```

## Related issues/PRs

#9981 


## Todos

- [ ] Tests
- [ ] Documentation
- [ ] Release note

## Release Note

Move x/net to 0.36 and k8s.io/kubernetes from 1.28.15->1.29.14


## Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one `docs-*` label.

- `docs-pr-required`: This change requires a change to the documentation that has not been completed yet.
- `docs-completed`: This change has all necessary documentation completed.
- `docs-not-required`: This change has no user-facing impact and requires no docs.

Every PR needs one `release-note-*` label.

- `release-note-required`: This PR has user-facing changes. Most PRs should have this label.
- `release-note-not-required`: This PR has no user-facing changes.

Other optional labels:

- `cherry-pick-candidate`: This PR should be cherry-picked to an earlier release. For bug fixes only.
- `needs-operator-pr`: This PR is related to install and requires a corresponding change to the operator.
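To show how a report like the one in the description gets triaged in a pipeline, here is an added example (not code from this PR or the Calico project) that reads trivy's JSON output instead of the rendered table: it applies the same `--ignore-unfixed` and severity filter, produces the same `Total:` header line, and works out the smallest upgrade target per package and release line, which is how one arrives at 1.29.14 for `k8s.io/kubernetes`. The report text is constructed to carry the three CVEs from the description plus one placeholder finding with no fix; the target path, the placeholder package and all function names are this example's own.

```python
"""Triage a trivy JSON report (`trivy image --format json ...`): keep only
findings that have a fixed version, summarise them the way trivy's header
line does, and compute the smallest upgrade target per package.

Added example; SAMPLE_TRIVY_JSON is a constructed, trimmed-down stand-in for
trivy's real JSON (only the fields used here are present)."""
import json
import re
from collections import Counter, defaultdict

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

SAMPLE_TRIVY_JSON = """
{
  "ArtifactName": "mcr.microsoft.com/oss/calico/node:v3.28.3",
  "Results": [
    {
      "Target": "constructed-go-binary",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-22870", "PkgName": "golang.org/x/net",
         "InstalledVersion": "v0.35.0", "FixedVersion": "0.36.0", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2024-9042", "PkgName": "k8s.io/kubernetes",
         "InstalledVersion": "v1.28.15",
         "FixedVersion": "1.29.13, 1.30.9, 1.31.5, 1.32.1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2025-0426", "PkgName": "k8s.io/kubernetes",
         "InstalledVersion": "v1.28.15",
         "FixedVersion": "1.32.2, 1.31.6, 1.30.10, 1.29.14", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example.invalid/placeholder",
         "InstalledVersion": "v1.0.0", "FixedVersion": "", "Severity": "HIGH"}
      ]
    }
  ]
}
"""


def parse_version(v):
    """'v1.29.14' or '0.36.0' -> (1, 29, 14); pseudo-version suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))


def load_findings(report_text):
    """Flatten trivy's Results[].Vulnerabilities[] into plain dicts."""
    findings = []
    for result in json.loads(report_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            fixed = [f.strip() for f in v.get("FixedVersion", "").split(",") if f.strip()]
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "installed": v["InstalledVersion"], "fixed": fixed,
                             "severity": v.get("Severity", "UNKNOWN")})
    return findings


def actionable(findings, min_severity="MEDIUM", ignore_unfixed=True):
    """Same filter as `--ignore-unfixed` plus a severity floor."""
    floor = SEVERITY_ORDER.index(min_severity)
    keep = []
    for f in findings:
        rank = SEVERITY_ORDER.index(f["severity"]) if f["severity"] in SEVERITY_ORDER else 0
        if (ignore_unfixed and not f["fixed"]) or rank < floor:
            continue
        keep.append(f)
    return keep


def summary_line(findings):
    """Reproduce trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' header."""
    counts = Counter(f["severity"] for f in findings)
    return "Total: %d (%s)" % (len(findings),
                               ", ".join("%s: %d" % (s, counts.get(s, 0)) for s in SEVERITY_ORDER))


def upgrade_targets(findings):
    """Per package: for each release line (major.minor) that carries a fix for
    every listed CVE, the smallest version on that line closing all of them."""
    by_pkg = defaultdict(list)
    for f in findings:
        if f["fixed"]:
            by_pkg[f["pkg"]].append(f)
    targets = {}
    for pkg, fs in by_pkg.items():
        per_cve = []  # one {line: highest fix on that line} map per CVE
        for f in fs:
            lines = {}
            for fixed in f["fixed"]:
                ver = parse_version(fixed)
                lines[ver[:2]] = max(lines.get(ver[:2], ver), ver)
            per_cve.append(lines)
        common = set.intersection(*(set(d) for d in per_cve))  # lines fixing all CVEs
        targets[pkg] = {".".join(map(str, line)): ".".join(map(str, max(d[line] for d in per_cve)))
                        for line in sorted(common)}
    return targets


def nearest_target(line_targets, installed):
    """Lowest fixed version whose release line is at or above the installed one."""
    inst = parse_version(installed)[:2]
    for line, ver in sorted(line_targets.items(), key=lambda kv: parse_version(kv[0])):
        if parse_version(line) >= inst:
            return ver
    return None


if __name__ == "__main__":
    found = actionable(load_findings(SAMPLE_TRIVY_JSON))
    print(summary_line(found))
    for pkg, lines in upgrade_targets(found).items():
        installed = next(f["installed"] for f in found if f["pkg"] == pkg)
        print(pkg, installed, "->", nearest_target(lines, installed), lines)
```

Running it prints the same `Total:` line as the report above and, for `k8s.io/kubernetes` at v1.28.15, picks 1.29.14 because CVE-2024-9042 needs 1.29.13 and CVE-2025-0426 needs 1.29.14 on the 1.29 line; the placeholder HIGH finding disappears under the default `ignore_unfixed=True`, exactly as `--ignore-unfixed` hides it.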

@paulgmiller paulgmiller requested a review from a team as a code owner March 17, 2025 16:59
@marvin-tigera marvin-tigera added this to the Calico v3.28.4 milestone Mar 17, 2025
@marvin-tigera marvin-tigera added labels `release-note-required` (Change has user-facing impact (no matter how small)) and `docs-pr-required` (Change is not yet documented) Mar 17, 2025
@matthewdupre matthewdupre added labels `docs-not-required` (Docs not required for this change) and `release-note-not-required` (Change has no user-facing impact) Mar 19, 2025
@marvin-tigera marvin-tigera removed labels `release-note-required` (Change has user-facing impact (no matter how small)) and `docs-pr-required` (Change is not yet documented) Mar 19, 2025
@matthewdupre
Member

/sem-approve

Comment on lines +3 to +5
go 1.23.0

toolchain go1.23.4
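Review bot: raising the `go` directive to 1.23.0 and pinning `toolchain go1.23.4` on release-v3.28 only works if the branch's builder ships Go 1.23; the CI error quoted in this thread (`go.mod requires go >= 1.23.0 (running go 1.22.12; GOTOOLCHAIN=local)`) shows it still builds with Go 1.22 and, because GOTOOLCHAIN=local disables toolchain auto-download, fails outright. Land the calico/go-build image bump for this branch first, or include it in this PR, so the directive and the builder agree.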
Contributor

@hjiawei hjiawei Mar 19, 2025


```text
Error: go [list -e -json -compiled=true -test=false -export=false -deps=true -find=false -tags ignore_autogenerated -- ./lib/apis/...]: exit status 1: go: ../go.mod requires go >= 1.23.0 (running go 1.22.12; GOTOOLCHAIN=local)
```

v3.28 branch is currently built by golang 1.22 (included in calico/go-build v0.91). x/crypto v0.35+ requires golang 1.23 to build. We need to update this branch to golang 1.23 before incorporating the CVE fixes.
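A pre-flight check for the failure described in the comment above, added here as an example rather than Calico tooling: it parses the `go` and `toolchain` directives of a go.mod and reports what the go command will do for a given local Go version and GOTOOLCHAIN setting, so a branch can catch "go.mod requires go >= X" before CI does. The go.mod text is constructed, and `decide`, `go_directive`, `toolchain_directive` and the other names are this example's own; the GOTOOLCHAIN behaviour it models (local fails, auto/path switch to the newer toolchain) is the one documented for the go command since Go 1.21.

```python
"""Pre-flight check for a Go module: does the Go toolchain that will build it
satisfy the go.mod `go` directive, and what does GOTOOLCHAIN make of a gap?

Added example (not Calico's tooling). SAMPLE_GO_MOD is constructed."""
import re
import shutil
import subprocess

SAMPLE_GO_MOD = """module example.invalid/constructed

go 1.23.0

toolchain go1.23.4

require (
\tk8s.io/klog/v2 v2.120.1
)
"""


def version_tuple(s):
    """'go1.22.12', '1.23', 'v1.23.0', '1.23rc1' -> 3-tuple of ints.
    Pre-release suffixes are ignored, so '1.23rc1' compares as 1.23.0."""
    m = re.search(r"\d+(?:\.\d+)*", s)
    if not m:
        raise ValueError("no version number in %r" % s)
    nums = [int(n) for n in m.group(0).split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def go_directive(gomod_text):
    """The `go 1.23.0` line: the minimum Go version the module requires."""
    m = re.search(r"^go\s+(\S+)\s*$", gomod_text, re.M)
    if not m:
        raise ValueError("go.mod has no go directive")
    return m.group(1)


def toolchain_directive(gomod_text):
    """The optional `toolchain go1.23.4` line, or None."""
    m = re.search(r"^toolchain\s+(\S+)\s*$", gomod_text, re.M)
    return m.group(1) if m else None


def satisfies(running, required):
    """True when the running Go is at least the go directive version."""
    return version_tuple(running) >= version_tuple(required)


def decide(running, gomod_text, gotoolchain="auto"):
    """What the go command will do for this go.mod under GOTOOLCHAIN.
    Modelled values: 'local' (never download; fail when too old) and
    'auto' / 'path' (switch to the toolchain line, else the go directive)."""
    if gotoolchain not in ("local", "auto", "path"):
        raise ValueError("GOTOOLCHAIN=%s is not modelled here" % gotoolchain)
    required = go_directive(gomod_text)
    if satisfies(running, required):
        return "ok"
    if gotoolchain == "local":
        return ("fail: go.mod requires go >= %s (running go %s; GOTOOLCHAIN=%s)"
                % (required, running, gotoolchain))
    wanted = toolchain_directive(gomod_text) or "go" + required
    return "switch: GOTOOLCHAIN=%s would select %s" % (gotoolchain, wanted)


def local_go_version():
    """Version of the go binary on PATH ('1.22.12' style), or None if absent."""
    if shutil.which("go") is None:
        return None
    out = subprocess.run(["go", "version"], capture_output=True, text=True, check=False).stdout
    m = re.search(r"go(\d+(?:\.\d+)*)", out)
    return m.group(1) if m else None


if __name__ == "__main__":
    running = local_go_version() or "1.22.12"  # fall back to the version from the CI error
    for mode in ("local", "auto"):
        print("go %s, GOTOOLCHAIN=%s: %s" % (running, mode, decide(running, SAMPLE_GO_MOD, mode)))
```

With the constructed go.mod and a Go 1.22.12 on PATH the `local` branch returns the same message shape as the CI error above, while `auto` reports that the go command would fetch go1.23.4; a Go 1.23.4 toolchain returns "ok" in both modes.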

@@ -96,7 +98,7 @@ require (
k8s.io/klog/v2 v2.120.1
k8s.io/kube-aggregator v0.28.15
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
k8s.io/kubernetes v1.28.15
k8s.io/kubernetes v1.29.14
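Review bot: this hunk moves `k8s.io/kubernetes` from v1.28.15 to v1.29.14 while `k8s.io/kube-aggregator` two lines above stays at v0.28.15, so the kubernetes module and its staging libraries would no longer come from the same Kubernetes release. k8s.io/kubernetes v1.29.x is built against the v0.29.x staging modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/kube-aggregator and the rest), which it selects through replace directives in its own go.mod, so a lone bump tends to either fail to resolve or compile against mismatched types. If the bump stays, move the whole k8s.io/* set to the matching v0.29.14 in one change; if it is reverted to v1.28.15 as suggested in the thread, record in the PR why the kubelet-only code paths named in the CVE-2024-9042 and CVE-2025-0426 titles are not reachable from calico/node, so the scanner finding can be closed with a justification instead of a cross-minor upgrade.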
Contributor


It would be best to keep this dependency in the Kubernetes v1.28 release to avoid any potential compatibility issues with older v0.28.15 k8s libraries.

Labels
`docs-not-required` (Docs not required for this change), `release-note-not-required` (Change has no user-facing impact)

4 participants