Skip to content

Backport of CVE Fix into release/1.21.x #22269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 17, 2025
Merged

Backport of CVE Fix into release/1.21.x #22269

merged 2 commits into from
Apr 17, 2025

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #22268 to be assessed for backporting due to the inclusion of the label backport/1.21.

The below text is copied from the body of the original PR.

Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1 GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1 stdlib in Go GO-2025-3563@1.23.7

Description

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team as a code owner April 17, 2025 09:16
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver previously approved these changes Apr 17, 2025
View reviewed changes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@nitin-sachdev-29
CVE Fix (#22268)
960fc46 
* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)
@nitin-sachdev-29 nitin-sachdev-29 enabled auto-merge (squash) April 17, 2025 09:37
nitin-sachdev-29
nitin-sachdev-29 approved these changes Apr 17, 2025
View reviewed changes
Copy link
Contributor

@nitin-sachdev-29 nitin-sachdev-29 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

sreeram77
sreeram77 approved these changes Apr 17, 2025
View reviewed changes
Copy link
Member

@sreeram77 sreeram77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@nitin-sachdev-29 nitin-sachdev-29 merged commit 8c5a6d6 into release/1.21.x Apr 17, 2025
128 of 176 checks passed
@nitin-sachdev-29 nitin-sachdev-29 deleted the backport/nitin/cve-fix/evidently-organic-ostrich branch April 17, 2025 09:40
nitin-sachdev-29 added a commit that referenced this pull request Apr 17, 2025
@nitin-sachdev-29 @hc-github-team-consul-core
Backport of Upgraded go to 1.23.8 into release/1.21.0-rc2 (#22276)
0baa69c 
* Backport of CVE Fix into release/1.21.x (#22269)

* backport of commit 73c592c

* CVE Fix (#22268)

* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* backport of commit cedded6

* backport of commit dd4f628

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
nitin-sachdev-29 added a commit that referenced this pull request Apr 18, 2025
@nitin-sachdev-29 @hc-github-team-consul-core
Backport of suppressing alpine CVEs as there is no fix yet into relea…
aad6d48 
…se/1.21.x (#22281)

* Backport of CVE Fix into release/1.21.x (#22269)

* backport of commit 73c592c

* CVE Fix (#22268)

* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* Backport of Upgraded go to 1.23.8 into release/1.21.x (#22274)

* backport of commit cedded6

* backport of commit dd4f628

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* backport of commit 5d7f3ee

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
nitin-sachdev-29 added a commit that referenced this pull request May 5, 2025
@nitin-sachdev-29 @hc-github-team-consul-core
Post release 1.21.0 rc2 (#22317)
a395865 
* prepping for 1.21.0-rc2 release (#22267)

* Backport of CVE Fix into release/1.21.0-rc2 (#22271)

* backport of commit 73c592c

* CVE Fix (#22268)

* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)

* Prep release 1.21.0 rc2 (#22272)

* prepping for 1.21.0-rc2 release

* fixed VERSION

* Backport of Upgraded go to 1.23.8 into release/1.21.0-rc2 (#22276)

* Backport of CVE Fix into release/1.21.x (#22269)

* backport of commit 73c592c

* CVE Fix (#22268)

* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* backport of commit cedded6

* backport of commit dd4f628

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>

* Backport of suppressing alpine CVEs as there is no fix yet into release/1.21.x (#22281)

* Backport of CVE Fix into release/1.21.x (#22269)

* backport of commit 73c592c

* CVE Fix (#22268)

* Fixed following CVEs:
GHSA-vvgc-356p-c3xw in golang.org/x/net@v0.37.0
GO-2025-3595 in golang.org/x/net@v0.37.0
GO-2025-3553 in github.com/golang-jwt/jwt/v4@v4.5.1
GHSA-mh63-6h87-95cp in github.com/golang-jwt/jwt/v4@v4.5.1
stdlib in Go GO-2025-3563@1.23.7

* added changelog

(cherry picked from commit 519fb0a)

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* Backport of Upgraded go to 1.23.8 into release/1.21.x (#22274)

* backport of commit cedded6

* backport of commit dd4f628

---------

Co-authored-by: nitin.sachdev <nitin.sachdev@hashicorp.com>

* backport of commit 5d7f3ee

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>

* post release 1.21.0-rc2

* executed go mod tidy

* Remove s390x build configuration from CI workflows

---------

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sreeram77 sreeram77 sreeram77 approved these changes

@nitin-sachdev-29 nitin-sachdev-29 nitin-sachdev-29 approved these changes

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver left review comments

Assignees

@nitin-sachdev-29 nitin-sachdev-29

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hc-github-team-consul-core @sreeram77 @github-team-consul-core-pr-approver @nitin-sachdev-29