Backport of [NET-6138] security: Bump google.golang.org/grpc to 1.56.3 (CVE-2023-44487) to release/1.15.x #19421
Conversation
github-actions
bot
added
pr/dependencies
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
from
a00b5ff
to
8cccdd1
Compare
| @@ -3,16 +3,32 @@ | |||
| package xds | |||
There was a problem hiding this comment.
@cthain do the changes here and in other non-mod files (troubleshoot/proxy/z_xds_packages.go and build-support/scripts/envoy-library-references.sh) still look correct to you, based on your compatibility fixes?
| google.golang.org/grpc v1.37.1 | ||
| google.golang.org/protobuf v1.27.1 | ||
| google.golang.org/grpc v1.56.3 | ||
| google.golang.org/protobuf v1.30.0 |
There was a problem hiding this comment.
Note that this version was significantly out of date compared w/ the root go.mod.
|
Looks like we may have some incompatibilities for this one: https://github.com/hashicorp/consul/actions/runs/6672184414/job/18135656338?pr=19421#step:6:24 |
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
2 times, most recently
from
9fccedf
to
fc6be1d
Compare
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
from
fc6be1d
to
beabf9b
Compare
| serverType, datacenter, err := parseEndpoint(target.Endpoint) | ||
| serverType, datacenter, err := parseEndpoint(target.Endpoint()) |
There was a problem hiding this comment.
This and below one-line changes fix binary incompatibilities introduced by the upgrade; these match later release branches and main
| @@ -28,7 +28,7 @@ if [[ ! -f GNUmakefile ]] || [[ ! -f go.mod ]]; then | |||
| exit 1 | |||
There was a problem hiding this comment.
This similarly now matches main and needed to change to support deps upgrades
| // protoc-gen-go v1.28.1 | ||
| // protoc-gen-go v1.31.0 |
There was a problem hiding this comment.
Here and below: all comment changes generated by make proto that came with upgrade, necessary to satisfy linter (and needed bc we changed the proto-gen-go version)
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
from
beabf9b
to
343688d
Compare
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
from
343688d
to
abc60f5
Compare
This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487). Also includes various fixes from later release versions required for tests and linters to pass. See 77f44fa for the majority of these changes.
zalimeni
force-pushed
the
net-6138/release/1.15.x
branch
from
abc60f5
to
85e6f68
Compare
| Endpoint: endpoint, | ||
| URL: url.URL{Opaque: endpoint}, |
| @@ -140,7 +140,7 @@ func makeLoggerCallbacks(log hclog.Logger) *xds.CallbackFuncs { | |||
| log.Trace("gRPC stream opened", "id", id, "addr", addr) | |||
Backport
This PR is manually generated from #19414 to be assessed for backporting.
This backport also includes various fixes from later release versions required for
tests and linters to pass. See 77f44fa for the majority of these changes.
The below text is copied from the body of the original PR.
Description
Upgrade
google.golang.org/grpcto 1.56.3 (where 1.57.x is already in use, upgrade to 1.57.2) to mitigate CVE-2023-44487.1.56.3 was chosen as the earliest minor release line to receive a patch for this vulnerability in order to minimize change prior to the 1.17 release of Consul; a later upgrade should consider moving to the latest minor version of gRPC. A review of the release notes and changelog between 1.55.0 and 1.56.3 was conducted to check for unreported breaking changes.
Testing & Reproduction steps
CI tests should continue to pass.
Links
PR Checklist