Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2310134: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file #370

Merged
merged 6 commits into from
Sep 11, 2024
Merged

Bug 2310134: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file #370

merged 6 commits into from
Sep 11, 2024

Conversation

iPraveenParihar
Copy link
Member

Bumps github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7.

updated-dependencies:

  • dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com
(cherry picked from commit 2131a84)

Describe what this PR does

Provide some context for the reviewer

Is there anything that requires special attention

Do you have any questions?

Is the change backward compatible?

Are there concerns around backward compatibility?

Provide any external context for the change, if any.

For example:

  • Kubernetes links that explain why the change is required
  • CSI spec related changes/catch-up that necessitates this patch
  • golang related practices that necessitates this change

Related issues

Mention any github issues relevant to this PR. Adding below line
will help to auto close the issue once the PR is merged.

Fixes: #issue_number

Future concerns

List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.

Checklist:

  • Commit Message Formatting: Commit titles and messages follow
    guidelines in the developer
    guide    .
  • Reviewed the developer guide on Submitting a Pull
    Request
  • Pending release
    notes
    updated with breaking and/or notable changes for the next major release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)

@dependabot @iPraveenParihar
rebase: bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7
bf11a65 
Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.1 to 0.7.7.
- [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
- [Commits](hashicorp/go-retryablehttp@v0.7.1...v0.7.7)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-retryablehttp
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 2131a84)
@iPraveenParihar iPraveenParihar self-assigned this Sep 5, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 5, 2024

@iPraveenParihar: This pull request references Bugzilla bug 2310134, which is invalid:

  • expected the bug to target the "ODF 4.13.11" release, but it targets "ODF 4.16.2" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2310134: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@iPraveenParihar iPraveenParihar marked this pull request as ready for review September 5, 2024 06:40
iPraveenParihar and others added 5 commits September 5, 2024 12:25
@iPraveenParihar
ci: update centos stream 8 baseurl
2d1608b 
Since CentOS Stream 8 is EOL, this commit updates the
config to use vault.centos.org for CentOS Stream 8.
This should be removed once the base image (ceph) is
updated to a version with a newer CentOS.

Signed-off-by: Praveen M <m.praveen@ibm.com>
(cherry picked from commit 5809628)
@Madhu-1 @iPraveenParihar
doc: fix codespell problem
f6b2244 
fixed codespell problems found
in the CI run

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit bdd4c07)
@Madhu-1 @iPraveenParihar
cleanup: fix spellcheck errors
e533e83 
fixed spellcheck errors caught in
CI.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 304462c)
@riya-singhal31 @iPraveenParihar
ci: fix codespell failure
4fc9d99 
Signed-off-by: riya-singhal31 <rsinghal@redhat.com>
(cherry picked from commit f12cd9c)
@riya-singhal31 @iPraveenParihar
ci: fix shell check failures
eb8cc30 
Signed-off-by: riya-singhal31 <rsinghal@redhat.com>
(cherry picked from commit 44612fe)
@iPraveenParihar
Copy link
Member Author

/cc @Madhu-1 @Rakshith-R

@Madhu-1
Copy link
Member

Madhu-1 commented Sep 11, 2024

@iPraveenParihar it looks like you are using wrong bugzilla id, can you please check

@iPraveenParihar
Copy link
Member Author

https://bugzilla.redhat.com/show_bug.cgi?id=2310134 this is the one cloned for 4.13

@iPraveenParihar
Copy link
Member Author

/bugzilla refresh

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 11, 2024

@iPraveenParihar: This pull request references Bugzilla bug 2310134, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (ODF 4.13.12) matches configured target release for branch (ODF 4.13.12)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @keesturam

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 11, 2024

@openshift-ci[bot]: GitHub didn't allow me to request PR reviews from the following users: keesturam.

Note that only red-hat-storage members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

@iPraveenParihar: This pull request references Bugzilla bug 2310134, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (ODF 4.13.12) matches configured target release for branch (ODF 4.13.12)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @keesturam

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Madhu-1
Copy link
Member

Madhu-1 commented Sep 11, 2024

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Code looks good label Sep 11, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iPraveenParihar, Madhu-1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Its a good idea label Sep 11, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit e5ce2ae into red-hat-storage:release-4.13 Sep 11, 2024
10 checks passed
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 11, 2024

@iPraveenParihar: All pull requests linked via external trackers have merged:

Bugzilla bug 2310134 has been moved to the MODIFIED state.

In response to this:

Bug 2310134: CVE-2024-6104 cephcsi-container: go-retryablehttp: url might write sensitive information to log file

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Madhu-1 Madhu-1 Awaiting requested review from Madhu-1

@Rakshith-R Rakshith-R Awaiting requested review from Rakshith-R

Assignees

@Madhu-1 Madhu-1

@iPraveenParihar iPraveenParihar

Labels
approved Its a good idea bugzilla/severity-medium bugzilla/valid-bug lgtm Code looks good
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@iPraveenParihar @Madhu-1 @riya-singhal31