
update golang.org/x/net, addressing CVE-2023-45288 #35165

Merged (2 commits, May 22, 2024)

Conversation

@finnigja (Contributor) commented May 15, 2024

This adopts the 0.23.0 version of the golang.org/x/net library (moving from current 0.22.0), which includes a fix for CVE-2023-45288.

While, per govulncheck, the Terraform codebase does interact with affected components of this library, Terraform is unlikely to be exposed due to the vulnerability being in the context of an HTTP/2 endpoint that consumes header data.

The changes between the two releases appear to be largely HTTP/2 related, per golang/net@v0.22.0...v0.23.0.

Target Release

1.8.x

Draft CHANGELOG entry

BUG FIXES

Updated to new golang.org/x/net release, which addressed CVE-2023-45288.
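As an added example (not code from this PR or from the Terraform project): a POSIX shell check that reads a go.mod and flags a golang.org/x/net requirement older than v0.23.0, the release the PR description names as carrying the CVE-2023-45288 fix. The go.mod text is constructed here to mirror the "before" state the PR describes (x/net at v0.22.0); the function names and the fixed-version threshold are this example's own assumptions, not a Terraform, Go or govulncheck interface.

```shell
#!/bin/sh
# Added example, not part of the PR or the Terraform code base: flag a go.mod
# that still requires golang.org/x/net below v0.23.0, the release the PR
# description names as carrying the CVE-2023-45288 fix.

# Constructed go.mod text modelled on the "before" state (x/net at v0.22.0);
# it is not Terraform's real go.mod.
SAMPLE_GOMOD='module example.com/constructed

go 1.21

require (
	github.com/example/dep v1.2.3
	golang.org/x/net v0.22.0
	golang.org/x/sys v0.18.0
)'

# Print the version required for golang.org/x/net in the go.mod text on stdin.
# Handles both the require block and the single-line "require module version"
# form; prints nothing if the module is not required at all.
xnet_version() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "golang.org/x/net") { print $(i + 1); exit } }'
}

# Compare two vMAJOR.MINOR.PATCH versions; prints -1, 0 or 1.
# Pre-release suffixes (e.g. v0.23.0-rc1) are stripped and ignored.
vercmp() {
    a=${1#v}; a=${a%%-*}
    b=${2#v}; b=${b%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Gate: returns 0 when golang.org/x/net is absent or at/above the fixed
# version, 1 when it is older, so a CI job can fail on the stale dependency.
check_xnet() {
    fixed=v0.23.0
    v=$(xnet_version)
    if [ -z "$v" ]; then
        echo "golang.org/x/net is not required"
        return 0
    fi
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        echo "golang.org/x/net $v is older than $fixed (CVE-2023-45288 fix): bump it"
        return 1
    fi
    echo "golang.org/x/net $v is at or above $fixed"
    return 0
}

# Stand-alone demonstration against the constructed sample; against a real
# checkout the call would be:  check_xnet < go.mod
printf '%s\n' "$SAMPLE_GOMOD" | check_xnet || echo "(sample would fail the gate)"
```

The version comparison is deliberately numeric rather than a plain string compare, so v0.9.0 is correctly judged older than v0.23.0; anything that fails the gate is exactly the go.mod state this PR moves away from.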

@finnigja finnigja added the 1.8-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label May 15, 2024
@finnigja finnigja requested review from a team as code owners May 15, 2024 23:17
@finnigja finnigja requested a review from a team May 15, 2024 23:18
@jbardin (Member) commented May 16, 2024

FYI this may not backport correctly and will probably need to be recreated for the v1.8 branch (both because there's currently a problem with backport-assistant, and because go.mod/go.sum always have conflicts ;))

@jbardin jbardin merged commit b955c9d into main May 22, 2024
9 of 10 checks passed

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@jbardin jbardin deleted the bump_golang_x_net branch May 22, 2024 15:34
jbardin added a commit that referenced this pull request May 22, 2024
Backport #35165: update golang.org/x/net, addressing CVE-2023-45288