
chore(module): fix CVEs #1039

Merged
diafour merged 2 commits into main from chore/module/fix-cve-2025-05 on May 16, 2025

Conversation

@diafour (Member) commented May 12, 2025

Description

Why do we need it, and what problem does it solve?

What is the expected result?

  • No CVEs with critical or high severity.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: chore
summary: Update module dependencies to address existing vulnerabilities CVE-2024-45337, CVE-2025-22869, CVE-2025-22870, CVE-2025-22872, CVE-2025-27144, CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871.

@diafour diafour requested a review from fl64 as a code owner May 13, 2025 08:33
@diafour diafour marked this pull request as draft May 13, 2025 08:51
@diafour diafour requested review from danilrwx and removed request for fl64, nevermarine and yaroslavborbat May 13, 2025 18:26
@diafour diafour marked this pull request as ready for review May 13, 2025 18:27
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch from fefdbcd to 0415f0e May 14, 2025 08:47
@diafour diafour added the e2e/user/danilrwx and e2e/run (Run e2e test on cluster of PR author) labels May 14, 2025
@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run (Run e2e test on cluster of PR author) label May 14, 2025
@deckhouse-BOaTswain (Contributor) commented:

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: cancelled.

@diafour diafour added the e2e/run (Run e2e test on cluster of PR author) label May 14, 2025
@deckhouse-BOaTswain (Contributor) commented May 14, 2025

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run (Run e2e test on cluster of PR author) label May 14, 2025
@diafour diafour added the e2e/run (Run e2e test on cluster of PR author) label May 14, 2025
@deckhouse-BOaTswain (Contributor) commented May 14, 2025

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: cancelled.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run (Run e2e test on cluster of PR author) label May 14, 2025
@universal-itengineer universal-itengineer added this to the v0.19.0 milestone May 15, 2025
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch 4 times, most recently from 5203567 to c9f1bab May 16, 2025 15:14
- Update golang.org/x/crypto to v0.38.0, mitigate CVE-2024-45337, CVE-2025-22869
- Update golang.org/x/net to v0.40.0, mitigate CVE-2025-22870, CVE-2025-22872
- Update github.com/go-jose/go-jose/v3@v3.0.4, mitigate CVE-2025-27144
- Update Go 1.23, mitigate CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871
- Use Go 1.23 for virtualization-artifact, dvcr-importer, dvcr-updater, kube-api-rewriter, pre-delete-hook, CDI images, for helper C programs and dvcr.
- Cleanup virtualization_images.yaml, only ALT_P11 remains.

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
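The commit message above fixes a set of version floors (x/crypto v0.38.0, x/net v0.40.0, go-jose/v3 v3.0.4, Go 1.23) and the PR's stated goal is "no CVEs with critical or high severity". A cheap regression guard for that is a gate that fails CI whenever a module drops back below its floor. The program below is an added example written for this page, not code from the PR or the deckhouse project: it parses a go.mod (the `go` directive and `require` lines, ignoring `replace` and `exclude`), compares each listed module against the floors from the commit message, and returns the ones that fall short. The go.mod text is constructed for the demo and deliberately sits one step behind the floors on three items; the module paths and floors are the ones named in the commit message, the `minGo` constant is the "Update Go 1.23" line taken literally.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// minVersions are the floors taken from this PR's commit message: the version
// of each module that the PR moved to in order to fix the CVEs named beside it.
var minVersions = map[string]string{
	"golang.org/x/crypto":           "v0.38.0", // CVE-2024-45337, CVE-2025-22869
	"golang.org/x/net":              "v0.40.0", // CVE-2025-22870, CVE-2025-22872
	"github.com/go-jose/go-jose/v3": "v3.0.4",  // CVE-2025-27144
}

// minGo is the toolchain floor from the same commit message
// (CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871).
const minGo = "1.23"

// sampleGoMod is a constructed go.mod for this example, not the project's file.
// Three of the four gated items are deliberately behind their floor.
const sampleGoMod = `module example.com/virtualization

go 1.22

require (
	github.com/go-jose/go-jose/v3 v3.0.3
	golang.org/x/crypto v0.38.0
	golang.org/x/net v0.0.0-20240101000000-deadbeefcafe // indirect
)

require sigs.k8s.io/controller-runtime v0.17.0
`

// ParseGoMod returns the go directive and a path -> version map built from
// single-line and block "require" entries. Comments such as "// indirect"
// are stripped; replace/exclude directives are intentionally not handled.
func ParseGoMod(text string) (goVersion string, require map[string]string) {
	require = map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			require[fields[0]] = fields[1]
		case fields[0] == "go" && len(fields) >= 2:
			goVersion = fields[1]
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			require[fields[1]] = fields[2]
		}
	}
	return goVersion, require
}

// versionCore reduces "v1.2.3-rc1+incompatible", pseudo-versions and Go
// toolchain strings like "1.23" or "1.23rc1" to a numeric core plus a flag
// saying whether a pre-release suffix was present.
func versionCore(v string) (parts [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata (+incompatible) never affects ordering
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = true, v[:i] // -rc1, -beta.2, pseudo-version timestamps
	}
	for i, p := range strings.Split(v, ".") {
		if i >= len(parts) {
			break
		}
		digits := 0
		for digits < len(p) && p[digits] >= '0' && p[digits] <= '9' {
			parts[i] = parts[i]*10 + int(p[digits]-'0')
			digits++
		}
		if digits < len(p) {
			pre = true // Go-style "1.23rc1" suffix without a dash
		}
	}
	return parts, pre
}

// AtLeast reports whether have >= want: numeric core first, and a pre-release
// sorts below the release it precedes (so a v0.0.0-2024... pseudo-version of
// x/net is correctly below v0.40.0).
func AtLeast(have, want string) bool {
	h, hPre := versionCore(have)
	w, wPre := versionCore(want)
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !hPre || wPre
}

// Unmet returns one finding per gated item that is below its floor, sorted
// for stable CI output. Modules absent from go.mod are not reported.
func Unmet(goVersion string, require map[string]string) []string {
	var out []string
	if !AtLeast(goVersion, minGo) {
		out = append(out, fmt.Sprintf("go %s < %s", goVersion, minGo))
	}
	for path, floor := range minVersions {
		if have, ok := require[path]; ok && !AtLeast(have, floor) {
			out = append(out, fmt.Sprintf("%s %s < %s", path, have, floor))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	goV, req := ParseGoMod(sampleGoMod)
	findings := Unmet(goV, req)
	if len(findings) == 0 {
		fmt.Println("all CVE version floors satisfied")
		return
	}
	for _, f := range findings {
		fmt.Println("UNMET:", f)
	}
	os.Exit(1)
}
```

Two caveats a reviewer of a CVE-bump PR would raise. First, `require` lines in go.mod are lower bounds: minimal version selection may build a higher version because another dependency asks for it, so the authoritative input for a gate like this is `go list -m all` (one `path version` line per module), which the same `AtLeast` comparison handles unchanged. Second, a version floor is a regression guard, not a vulnerability scan; `govulncheck ./...` reports only vulnerabilities whose affected symbols are actually reachable from the binary, and is the tool that backs the "no critical or high CVEs" claim rather than this check.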
@diafour diafour force-pushed the chore/module/fix-cve-2025-05 branch from c9f1bab to ec25b27 May 16, 2025 15:37
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Review comment thread on images/cdi-artifact/werf.inc.yaml (outdated)
@universal-itengineer universal-itengineer self-requested a review May 16, 2025 17:22
@diafour diafour merged commit 1262756 into main May 16, 2025
27 of 29 checks passed
@diafour diafour deleted the chore/module/fix-cve-2025-05 branch May 16, 2025 17:33
yachmenevas pushed a commit that referenced this pull request Oct 15, 2025
* chore(module): fix CVEs (commit message as above)

3 participants