Skip to content

[release-1.12] Fix CVE-2025-22871, CVE-2025-22872, CVE-2025-30204 #7709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Apr 23, 2025
Merged

[release-1.12] Fix CVE-2025-22871, CVE-2025-22872, CVE-2025-30204 #7709

merged 11 commits into from
Apr 23, 2025

Conversation

wallrj
Copy link
Member

@wallrj wallrj commented Apr 23, 2025
edited
Loading

Fixing most of the trivy test failures in the release-1.12 branch, except those related to the cmctl tool, which I'll address in another PR.

I ran out of patience to create separate PRs for each CVE, so I've rolled the fixes into one branch, but used separate commits for each update. The same changes have already been applied to the release-1.17 and release-1.16 branches in the following PRs:

Bump Go to `v1.23.8` to fix `CVE-2025-22871`
Bump `golang.org/x/net` to `v0.38.0` fix `CVE-2025-22872`
Bump `github.com/golang-jwt/jwt/v4` to `v4.5.2` to fix `CVE-2025-30204`

Testing

All the main components now pass the trivy scan.

$ make trivy-scan-acmesolver trivy-scan-cainjector trivy-scan-controller trivy-scan-webhook
...
$ echo $?
0

After this is merged, I can update the ctl go.mod file with the version of cert-manager from release-1.12 and that should fix the ctl trivy failures.

wallrj added 11 commits April 23, 2025 09:14
@wallrj
Bump Go to v1.23.8
9edb4fa 
> go1.23.8 (released 2025-04-01) includes security fixes to the net/http
package, as well as bug fixes to the runtime and the go command. See the Go
1.23.8 milestone on our issue tracker for details.
-- https://go.dev/doc/devel/release#go1.23.0

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
_bin/tools/go get go@1.23.8
053c869 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make tidy
5fce206 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
_bin/tools/go get golang.org/x/net@v0.38.0
7aace8c 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make tidy
7fa3486 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make generate-licenses
a6debb9 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
_bin/tools/go get github.com/golang-jwt/jwt/v4@v4.5.2
f83be56 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make tidy
1c4a314 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
make generate-licenses
7a14b9e 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
Ignore a tzdata issue DLA-4105-1
2c91f94 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj
Bump Go to v1.23.8 for ctl
bd5373a 
> go1.23.8 (released 2025-04-01) includes security fixes to the net/http
package, as well as bug fixes to the runtime and the go command. See the Go
1.23.8 milestone on our issue tracker for details.
-- https://go.dev/doc/devel/release#go1.23.0

Signed-off-by: Richard Wall <richard.wall@venafi.com>
@cert-manager-prow cert-manager-prow bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 23, 2025
@wallrj
Copy link
Member Author

wallrj commented Apr 23, 2025

/kind bug
/approve

@cert-manager-prow cert-manager-prow bot added kind/bug Categorizes issue or PR as related to a bug. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Apr 23, 2025
wallrj
wallrj commented Apr 23, 2025
View reviewed changes
.trivyignore
@@ -37,3 +37,4 @@ CVE-2020-8559
# https://lists.debian.org/debian-lts-announce/2024/11/msg00030.html
DLA-3972-1
DLA-4085-1
DLA-4105-1
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've been ignoring these timezone related trivy failures. See the comment above for the explanation.

go.mod
go 1.23.0

toolchain go1.23.7
go 1.23.8
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The toolchain line was replaced with a go line because I ran:

 _bin/tools/go get go@1.23.8

instead of

 _bin/tools/go get toolchain@1.23.8

make/tools.mk
@@ -56,7 +56,7 @@ KUBEBUILDER_ASSETS_VERSION=1.27.1
TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)

VENDORED_GO_VERSION := 1.23.7
VENDORED_GO_VERSION := 1.23.8
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are no Go checksums in the release-1.12, unlike release-1.16 and release-1.17. E.g.

I guess the checksums were introduced when we adopted the makefile-modules

@wallrj
Copy link
Member Author

wallrj commented Apr 23, 2025
edited
Loading

/retest

Due to test flake

{Failed  === RUN   TestAcmeOrdersController
    apiserver.go:120: Found CRD with name "certificaterequests.cert-manager.io"
    apiserver.go:120: Found CRD with name "certificates.cert-manager.io"
    apiserver.go:120: Found CRD with name "challenges.acme.cert-manager.io"
    apiserver.go:120: Found CRD with name "clusterissuers.cert-manager.io"
    apiserver.go:120: Found CRD with name "issuers.cert-manager.io"
    apiserver.go:120: Found CRD with name "orders.acme.cert-manager.io"
    event.go:364: Event(v1.ObjectReference{Kind:"Order", Namespace:"acmetest", Name:"acmetest", UID:"7f1f9eee-6787-4ecd-a8ab-715ca9d36787", APIVersion:"acme.cert-manager.io/v1", ResourceVersion:"220", FieldPath:""}): type: 'Normal' reason: 'Created' Created Challenge resource "acmetest-3885887535" for domain "acmetest"
    orders_controller_test.go:278: Get "https://127.0.0.1:36769/apis/acme.cert-manager.io/v1/namespaces/acmetest/orders/acmetest": context deadline exceeded
--- FAIL: TestAcmeOrdersController (14.21s)
}

-- https://prow.infra.cert-manager.io/view/gs/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cert-manager/7709/pull-cert-manager-release-1.12-make-test/1914966975231037440

@wallrj wallrj requested review from ali-hamza-noor and erikgb April 23, 2025 09:10
erikgb
erikgb reviewed Apr 23, 2025
View reviewed changes
Copy link
Member

@erikgb erikgb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@cert-manager-prow
Copy link
Contributor

@erikgb: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to this:

/lgtm
/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ali-hamza-noor, erikgb, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wallrj
Copy link
Member Author

wallrj commented Apr 23, 2025

Needs an lgtm from someone in the release-1.12 OWNERS file.

@inteon PTAL

@wallrj wallrj requested a review from inteon April 23, 2025 10:15
@inteon
Copy link
Member

inteon commented Apr 23, 2025

/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2025
@cert-manager-prow cert-manager-prow bot merged commit 3b9187a into cert-manager:release-1.12 Apr 23, 2025
7 checks passed
@wallrj wallrj deleted the release-1.12-trivy branch April 23, 2025 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erikgb erikgb erikgb left review comments

@ali-hamza-noor ali-hamza-noor ali-hamza-noor approved these changes

@inteon inteon Awaiting requested review from inteon

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wallrj @inteon @erikgb @ali-hamza-noor