Upgrade golang/x/net for CVE-2023-39325 and CVE-2023-44487 #12125

Open
wants to merge 8 commits into base: fasttrack/3.0
Changes from 4 commits
124 changes: 0 additions & 124 deletions SPECS/application-gateway-kubernetes-ingress/CVE-2022-41273.patch

This file was deleted.
Expand Up @@ -2,7 +2,7 @@
Summary: Application Gateway Ingress Controller
Name: application-gateway-kubernetes-ingress
Version: 1.7.2
Release: 3%{?dist}
Release: 4%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -20,12 +20,10 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/
# --mtime="2021-04-26 00:00Z" \
# --owner=0 --group=0 --numeric-owner \
# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
# -cf %%{name}-%%{version}-vendor.tar.gz vendor
# -cf %%{name}-%%{version}-%%{release}-vendor.tar.gz vendor
Contributor
With the script, this set of steps isn't necessary anymore. If you do wish to keep it, though, -cf should be -czf.

#
Source1: %{name}-%{version}-vendor.tar.gz
Contributor
Suggested change
Source1: %{name}-%{version}-vendor.tar.gz
Source1: %{name}-%{version}-govendor-v1.tar.gz

This should be changed to match the new format of %{name}-%{version}-govendor-v1.tar.gz (or v2, v3, etc). Although this is an updated tarball for the same version, I'm inclined to go with v1 since we don't have a v1 right now, and it'll help keep things consistent for any future work.

Patch0: CVE-2022-21698.patch
Patch1: CVE-2022-41273.patch
Patch2: CVE-2024-45338.patch

BuildRequires: golang >= 1.13

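Review bot: Source1 still names the archive `%{name}-%{version}-vendor.tar.gz`, while the regeneration script changed in this same PR writes `$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz` with a default VENDOR_VERSION of 2, so a spec built from the script's output will not find its Source1; set Source1 to `%{name}-%{version}-govendor-v1.tar.gz` and make the script's default match whichever number is chosen. The hand-typed recipe in the comment block drifts the other way: it names the archive `%%{name}-%%{version}-%%{release}-vendor.tar.gz` and uses `-cf`, but the script embeds no release and compresses with `-czf`; either replace the recipe with a one-line pointer to the script or keep it identical to the script's command. Both Patch1 (CVE-2022-41273.patch) and Patch2 (CVE-2024-45338.patch) are dropped here, so the changelog entry further down should name CVE-2024-45338 as well, not only the two HTTP/2 CVEs.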
Expand All @@ -39,8 +37,6 @@ to act as the ingress for an AKS cluster.
rm -rf vendor
tar -xf %{SOURCE1} --no-same-owner
%patch 0 -p1 -d vendor/github.com/prometheus/client_golang
%patch 1 -p1 -d vendor/golang.org/x/net
%patch 2 -p1

%build
export VERSION=%{version}
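Review bot: Removing `%patch 2 -p1` also stops applying CVE-2024-45338.patch, which was applied at the top level rather than with `-d vendor/golang.org/x/net` like Patch1, so it is not self-evidently one of the "golang.org/x/net patches" the changelog says were removed; confirm that its hunks target vendored x/net content and that x/net 0.34.0 carries that fix, and delete the now-unreferenced SPECS/application-gateway-kubernetes-ingress/CVE-2024-45338.patch in the same commit (only the CVE-2022-41273.patch deletion appears in this diff).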
Expand All @@ -59,6 +55,10 @@ cp appgw-ingress %{buildroot}%{_bindir}/
%{_bindir}/appgw-ingress

%changelog
* Tue Jan 28 2025 Gary Swalling <gaswal@@microsoft.com> - 1.7.2-4
- Update golang.org/x/net to 0.34.0 for CVE-2023-39325, CVE-2023-44487
- Removed golang.org/x/net patches which are no longer needed

* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.7.2-3
- Add patch for CVE-2024-45338

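Review bot: The new changelog entry carries a doubled `@` in the maintainer address (`gaswal@@microsoft.com`); rpm copies it verbatim into the package's changelog metadata, so fix it to a single `@`. The entry also lists only CVE-2023-39325 and CVE-2023-44487 although this revision drops the CVE-2024-45338 patch too; add that CVE so the changelog records everything the 0.34.0 bump is relied on for.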
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,17 @@ set -e

PKG_VERSION=""
SRC_TARBALL=""
VENDOR_VERSION="2"
OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# parameters:
#
# --srcTarball : src tarball file
# this file contains the 'initial' source code of the component
# and should be replaced with the new/modified src code
# --outFolder : folder where to copy the new tarball(s)
# --pkgVersion : package version
# --srcTarball : src tarball file
# this file contains the 'initial' source code of the component
# and should be replaced with the new/modified src code
# --outFolder : folder where to copy the new tarball(s)
# --pkgVersion : package version
# --vendorVersion : vendor version
#
PARAMS=""
while (( "$#" )); do
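Review bot: `VENDOR_VERSION="2"` introduces a default that disagrees with the spec in this PR (Source1 expects `-vendor.tar.gz`, and the review suggestion there is `govendor-v1`), so running the script without `--vendorVersion` silently produces a tarball the spec cannot find; either default to 1 to match the suggested Source1 name or leave it empty and reject it in the validation block below, as is already done for `--pkgVersion`. The parameter help for `--srcTarball`, `--outFolder` and `--pkgVersion` is deleted and re-added with identical text, which looks like a whitespace-only change; keep the existing lines and add only the `--vendorVersion` line to keep the diff minimal.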
Expand Down Expand Up @@ -47,6 +49,15 @@ while (( "$#" )); do
exit 1
fi
;;
--vendorVersion)
if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
VENDOR_VERSION=$2
shift 2
else
echo "Error: Argument for $1 is missing" >&2
exit 1
fi
;;
-*|--*=) # unsupported flags
echo "Error: Unsupported flag $1" >&2
exit 1
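Review bot: In the new `--vendorVersion` case the test `[ ${2:0:1} != "-" ]` leaves the substring expansion unquoted, so a value starting with whitespace or a glob character produces a malformed `[` expression (a "unary operator expected" error) instead of the intended "Argument for --vendorVersion is missing" message; write `[ "${2:0:1}" != "-" ]`. Nothing checks that the value is numeric even though it is interpolated straight into the output filename, so add a `[[ "$VENDOR_VERSION" =~ ^[0-9]+$ ]]` check beside the existing `--pkgVersion` validation.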
Expand All @@ -58,9 +69,10 @@ while (( "$#" )); do
esac
done

echo "--srcTarball -> $SRC_TARBALL"
echo "--outFolder -> $OUT_FOLDER"
echo "--pkgVersion -> $PKG_VERSION"
echo "--srcTarball -> $SRC_TARBALL"
echo "--outFolder -> $OUT_FOLDER"
echo "--pkgVersion -> $PKG_VERSION"
echo "--vendorVersion -> $VENDOR_VERSION"

if [ -z "$PKG_VERSION" ]; then
echo "--pkgVersion parameter cannot be empty"
Expand All @@ -75,10 +87,15 @@ function cleanup {
}
trap cleanup EXIT

TARBALL_FOLDER="$tmpdir/tarballFolder"
mkdir -p $TARBALL_FOLDER
cp $SRC_TARBALL $tmpdir

pushd $tmpdir > /dev/null

NAME_VER="application-gateway-kubernetes-ingress-$PKG_VERSION"
VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-vendor.tar.gz"
PKG_NAME="application-gateway-kubernetes-ingress"
NAME_VER="$PKG_NAME-$PKG_VERSION"
VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz"

echo "Unpacking source tarball..."
tar -xf $SRC_TARBALL
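Review bot: `TARBALL_FOLDER` is created with `mkdir -p $TARBALL_FOLDER` but nothing in this diff writes to or reads from it, and `VENDOR_TARBALL` is still placed directly in `$OUT_FOLDER`; drop the two lines or actually use the folder. The new `cp $SRC_TARBALL $tmpdir` copies the source tarball into the temp directory, yet the unchanged `tar -xf $SRC_TARBALL` after `pushd $tmpdir` still extracts from the original path, so the copy is unused and a relative `--srcTarball` breaks once the directory changes; extract from `"$(basename "$SRC_TARBALL")"` instead, and quote `$TARBALL_FOLDER`, `$SRC_TARBALL` and `$tmpdir` so paths with spaces work.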
Expand All @@ -92,7 +109,7 @@ tar --sort=name \
--mtime="2021-04-26 00:00Z" \
--owner=0 --group=0 --numeric-owner \
--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-cf "$VENDOR_TARBALL" vendor
-czf "$VENDOR_TARBALL" vendor

popd > /dev/null
echo "application-gateway-kubernetes-ingress vendored modules are available at $VENDOR_TARBALL"
echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL"
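Review bot: Switching `-cf` to `-czf` makes the archive match its `.tar.gz` name, but the `--sort=name`, `--mtime` and `--owner=0 --group=0 --numeric-owner` flags are there to make the vendor tarball reproducible, and gzip writes the current timestamp into its header by default, so two runs will now yield different bytes; use GNU tar's `--use-compress-program='gzip -n'` (`-I 'gzip -n'`) in place of `-z`, or write with `-cf -` and pipe through `gzip -n`, so the archive's hash stays stable for verification. The `echo` correctly switches to `$PKG_NAME`.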