This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Update dependencies #3623

Merged
merged 3 commits into from
Jul 25, 2022

Conversation

pjbgf
Member

@pjbgf pjbgf commented Jul 25, 2022

Updates dependencies and binaries to mitigate a total of 35 CVEs.

fluxcd/flux:1.25.2 (alpine 3.15.4)

Total: 25 (UNKNOWN: 0, LOW: 0, MEDIUM: 13, HIGH: 8, CRITICAL: 4)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ git                   │ CVE-2022-29187 │ HIGH     │ 2.34.2-r0         │ 2.34.4-r0        │ git: Bypass of safe.directory protections                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-29187                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ gnupg                 │ CVE-2022-34903 │ MEDIUM   │ 2.2.31-r1         │ 2.2.31-r2        │ gpg: Signature spoofing via status line injection           │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-34903                  │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gnupg-dirmngr         │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gnupg-gpgconf         │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gnupg-utils           │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gnupg-wks-client      │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gpg                   │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gpg-agent             │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gpg-wks-server        │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gpgsm                 │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┤                │          │                   │                  │                                                             │
│ gpgv                  │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1          │ CVE-2022-2097  │ HIGH     │ 1.1.1n-r0         │ 1.1.1q-r0        │ openssl: AES OCB fails to encrypt some bytes                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcurl               │ CVE-2022-32207 │ CRITICAL │ 7.80.0-r1         │ 7.80.0-r2        │ curl: Unpreserved file permissions                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32207                  │
│                       ├────────────────┼──────────┤                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27780 │ HIGH     │                   │                  │ curl: percent-encoded path separator in URL host            │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27780                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27781 │          │                   │                  │ curl: CERTINFO never-ending busy-loop                       │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27781                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27782 │          │                   │                  │ curl: TLS and SSH connection too eager reuse                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27782                  │
│                       ├────────────────┼──────────┤                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32205 │ MEDIUM   │                   │                  │ curl: Set-Cookie denial of service                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32205                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32206 │          │                   │                  │ curl: HTTP compression denial of service                    │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32206                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32208 │          │                   │                  │ curl: FTP-KRB bad message verification                      │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32208                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libldap               │ CVE-2022-29155 │ CRITICAL │ 2.6.0-r0          │ 2.6.2-r0         │ openldap: OpenLDAP SQL injection                            │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-29155                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1             │ CVE-2022-2097  │ HIGH     │ 1.1.1n-r0         │ 1.1.1q-r0        │ openssl: AES OCB fails to encrypt some bytes                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├───────────────────────┼────────────────┤          ├───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ ncurses-libs          │ CVE-2022-29458 │          │ 6.3_p20211120-r0  │ 6.3_p20211120-r1 │ ncurses: segfaulting OOB read                               │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├───────────────────────┤                │          │                   │                  │                                                             │
│ ncurses-terminfo-base │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ pcre2                 │ CVE-2022-1586  │ CRITICAL │ 10.39-r0          │ 10.40-r0         │ pcre2: Out-of-bounds read in compile_xclass_matchingpath in │
│                       │                │          │                   │                  │ pcre2_jit_compile.c                                         │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1586                   │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-1587  │          │                   │                  │ pcre2: Out-of-bounds read in get_recurse_data_length in     │
│                       │                │          │                   │                  │ pcre2_jit_compile.c                                         │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1587                   │
└───────────────────────┴────────────────┴──────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/fluxd (gobinary)

Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────┬─────────────────────┬──────────┬──────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────────┐
│               Library                │    Vulnerability    │ Severity │          Installed Version           │           Fixed Version           │                       Title                       │
├──────────────────────────────────────┼─────────────────────┼──────────┼──────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────────┤
│ github.com/opencontainers/image-spec │ GHSA-77vh-xpmg-72qh │ UNKNOWN  │ v1.0.2-0.20211117181255-693428a734f5 │ 1.0.2                             │ Clarify `mediaType` handling                      │
│                                      │                     │          │                                      │                                   │ https://github.com/advisories/GHSA-77vh-xpmg-72qh │
├──────────────────────────────────────┼─────────────────────┼──────────┼──────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────────┤
│ github.com/prometheus/client_golang  │ CVE-2022-21698      │ HIGH     │ v1.11.0                              │ 1.11.1                            │ prometheus/client_golang: Denial of service using │
│                                      │                     │          │                                      │                                   │ InstrumentHandlerCounter                          │
│                                      │                     │          │                                      │                                   │ https://avd.aquasec.com/nvd/cve-2022-21698        │
├──────────────────────────────────────┼─────────────────────┼──────────┼──────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/sys                     │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20220328115105-d36c6a25d886   │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group     │
│                                      │                     │          │                                      │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526        │
└──────────────────────────────────────┴─────────────────────┴──────────┴──────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────────┘

usr/local/bin/sops (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 5, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/dgrijalva/jwt-go │ CVE-2020-26160 │ HIGH     │ v3.2.0+incompatible                │                                   │ jwt-go: access restriction bypass vulnerability              │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-26160                   │
├─────────────────────────────┼────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto         │ CVE-2022-27191 │          │ v0.0.0-20210220033148-5ea612d1eb83 │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server            │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                   │
├─────────────────────────────┼────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2021-33194 │          │ v0.0.0-20201110031124-69a78807bb2b │ 0.0.0-20210520170846-37e1c6afe023 │ golang: x/net/html: infinite loop in ParseFragment           │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-33194                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2021-44716 │ HIGH     │ v0.0.0-20201110031124-69a78807bb2b │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization    │
│                             │                │          │                                    │                                   │ cache                                                        │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                   │
│                             ├────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                             │ CVE-2021-31525 │ MEDIUM   │                                    │ 0.0.0-20210428140749-89ef3d95e781 │ golang: net/http: panic in ReadRequest and ReadResponse when │
│                             │                │          │                                    │                                   │ reading a very large...                                      │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-31525                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys            │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20210220050731-9a76102bfb43 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text           │ CVE-2021-38561 │ HIGH     │ v0.3.3                             │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language     │
│                             │                │          │                                    │                                   │ leads to DoS                                                 │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                   │
└─────────────────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

The outstanding CVEs are related to kustomize, which unfortunately cannot be upgraded beyond 3.8.7 without breaking Flux.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
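As an added example, not code from the fluxcd/flux project or from this PR: the Go program below shows how to check rows like those in the Trivy tables above against the versions a dependency update moves to. The point it demonstrates is that the "Installed Version" and "Fixed Version" columns are Go module versions (Trivy prints the fixed version without the leading v), so deciding whether an update closes a finding means ordering plain semver and timestamped pseudo-versions correctly, and that a row with an empty "Fixed Version" (jwt-go here) cannot be closed by a bump at all. The sample rows are copied from the tables; the update map holds only the golang.org/x/sys version named in the commit message, and the Finding, Status and Triage names are mine. Modules absent from the map are reported as not directly updated; indirect bumps are deliberately not modelled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding mirrors one row of the Trivy tables: module, the version the
// binary was built with, and the version Trivy reports as carrying the fix
// (empty when no fixed release exists).
type Finding struct {
	Module    string
	ID        string
	Installed string
	Fixed     string
}

// normalize strips the leading "v" and any "+incompatible" suffix so that
// values such as "v3.2.0+incompatible" and "1.11.1" can be compared.
func normalize(v string) string {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	return v
}

func numAt(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// timestamp extracts the 14-digit UTC commit time from a pseudo-version
// pre-release part such as "20220412211240-33da011f77ad" or
// "0.20211117181255-693428a734f5" (last dot-separated field before the hash).
func timestamp(pre string) string {
	head, _, _ := strings.Cut(pre, "-")
	fields := strings.Split(head, ".")
	return fields[len(fields)-1]
}

// compareVersion orders two Go module versions and returns -1, 0 or 1.
// It covers the two shapes present in the scan output: plain semver
// (1.11.0 < 1.11.1) and timestamped pseudo-versions. Following semver
// precedence, a version with a pre-release part sorts below the bare
// version, so v1.0.2-0.20211117181255-693428a734f5 < 1.0.2. Other
// pre-release forms (rc1, beta) are not handled by this simplified comparator.
func compareVersion(a, b string) int {
	aCore, aPre, _ := strings.Cut(normalize(a), "-")
	bCore, bPre, _ := strings.Cut(normalize(b), "-")
	ac, bc := strings.Split(aCore, "."), strings.Split(bCore, ".")
	for i := 0; i < 3; i++ {
		if x, y := numAt(ac, i), numAt(bc, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	switch {
	case aPre == "" && bPre == "":
		return 0
	case aPre == "":
		return 1
	case bPre == "":
		return -1
	}
	return strings.Compare(timestamp(aPre), timestamp(bPre))
}

// Status classifies one finding given the version the update moves the
// module to (empty when the update does not list that module).
func Status(f Finding, newVersion string) string {
	switch {
	case f.Fixed == "":
		return "no fixed version published; a version bump cannot resolve it"
	case newVersion == "":
		return "module not in the update list; unresolved unless bumped indirectly"
	case compareVersion(newVersion, f.Fixed) >= 0:
		return "resolved"
	default:
		return "still vulnerable"
	}
}

// Triage runs Status over a constructed sample of rows taken from the tables
// and returns the result keyed by advisory ID.
func Triage() map[string]string {
	findings := []Finding{
		{"golang.org/x/sys", "CVE-2022-29526", "v0.0.0-20220328115105-d36c6a25d886", "0.0.0-20220412211240-33da011f77ad"},
		{"github.com/dgrijalva/jwt-go", "CVE-2020-26160", "v3.2.0+incompatible", ""},
		{"github.com/opencontainers/image-spec", "GHSA-77vh-xpmg-72qh", "v1.0.2-0.20211117181255-693428a734f5", "1.0.2"},
	}
	// Target version from the commit message; only x/sys is modelled here.
	updates := map[string]string{
		"golang.org/x/sys": "0.0.0-20220722155257-8c9f86f7a55f",
	}
	out := make(map[string]string, len(findings))
	for _, f := range findings {
		out[f.ID] = Status(f, updates[f.Module])
	}
	return out
}

func main() {
	for id, status := range Triage() {
		fmt.Printf("%-20s %s\n", id, status)
	}
}
```

For anything beyond a quick review of a scan table, use golang.org/x/mod/semver (semver.Compare) rather than a hand-rolled comparator, and run govulncheck against the rebuilt binary: a scanner matches on module versions, whereas govulncheck also reports whether the vulnerable symbol is actually reachable from the binary, which is what decides whether a finding like the x/crypto/ssh server crash matters for a client-only tool.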
@pjbgf pjbgf added the dependencies Pull requests that update a dependency file label Jul 25, 2022
Paulo Gomes added 2 commits July 25, 2022 16:50
- github.com/aws/aws-sdk-go to version 1.44.61.
- github.com/cheggaaa/pb/v3 to version 3.1.0.
- github.com/evanphx/json-patch to version v5.6.0+incompatible.
- github.com/imdario/mergo to version 0.3.13.
- github.com/stretchr/testify to version 1.8.0.
- go.mozilla.org/sops/v3 to version 3.7.3.
- golang.org/x/oauth2 to version 0.0.0-20220722155238-128564f6959c.
- golang.org/x/sys to version 0.0.0-20220722155257-8c9f86f7a55f.
- golang.org/x/time to version 0.0.0-20220722155302-e5dcc9cfc0b9.
- github.com/docker/distribution to version v2.8.1+incompatible.
- k8s.io/api to version v0.21.14.
- k8s.io/apiextensions-apiserver to version v0.21.14.
- k8s.io/apimachinery to version v0.21.14.
- k8s.io/client-go to version v0.21.14.
- k8s.io/code-generator to version v0.21.14.
- github.com/google/go-containerregistry to version 0.11.0.
- github.com/spf13/cobra to version v1.4.0.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Fixes the error: //go:build comment without // +build comment.

Relates to hashicorp/vault#14980.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
@kingdonb
Member

Well done, this appears to be honoring all the necessary pins to keep Flux v1 in unbroken shape 👍

@kingdonb kingdonb self-requested a review July 25, 2022 15:55
@kingdonb kingdonb left a comment

👍

@pjbgf
Member Author

pjbgf commented Jul 25, 2022

> Well done, this appears to be honoring all the necessary pins to keep Flux v1 in unbroken shape 👍

@kingdonb thank you, it was a long road of trial and failures to get to this. 😅

I added some comments around the problematic dependencies, so going forwards it should be easier to keep the project up to date without stepping in the minefield of unsupported upgrade paths. 🤞

@pjbgf pjbgf merged commit 2bfd3f9 into fluxcd:master Jul 25, 2022
@kingdonb kingdonb added this to the 1.25.3 milestone Aug 29, 2022