@stevenhorsman stevenhorsman commented May 9, 2025

A few crate updates to help with some vulnerabilities that internal security scans found:

  • Bump the crates to update them and pull in a newer version of borsh to remediate RUSTSEC-2023-0033
  • Bump hyper version to update and remediate GHSA-f8vr-r385-rh5r
  • Bump bumpalo version to remediate RUSTSEC-2022-0078

@katacontainersbot katacontainersbot added the size/huge Largest and most complex task (probably needs breaking into small pieces) label May 9, 2025
@stevenhorsman stevenhorsman force-pushed the rust-vulns-9th-may-2025 branch 4 times, most recently from 098a36b to 1e9b992, May 9, 2025 14:07
@katacontainersbot katacontainersbot added size/large Task of significant size and removed size/huge Largest and most complex task (probably needs breaking into small pieces) labels May 9, 2025
@stevenhorsman stevenhorsman marked this pull request as draft May 9, 2025 14:46
Bump the crates to update them and pull in a
newer version of borsh to remediate RUSTSEC-2023-0033

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump hyper version to update and remediate CVE-2023-26964

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump bumpalo version to remediate RUSTSEC-2022-0078

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman stevenhorsman force-pushed the rust-vulns-9th-may-2025 branch from 1e9b992 to 35ed3a2, May 9, 2025 15:09
@katacontainersbot katacontainersbot added size/huge Largest and most complex task (probably needs breaking into small pieces) and removed size/large Task of significant size labels May 9, 2025
@stevenhorsman stevenhorsman marked this pull request as ready for review May 9, 2025 15:57
@burgerdev burgerdev left a comment

Could you please list what specific vulnerabilities are fixed by this and how you did the crate updates? To my untrained eye, the change in src/agent/Cargo.lock for example does not look like a security fix.


stevenhorsman commented May 13, 2025

Could you please list what specific vulnerabilities are fixed by this and how you did the crate updates? To my untrained eye, the change in src/agent/Cargo.lock for example does not look like a security fix.

The specific vulnerabilities and the crates updated (with cargo update -p <crate>) are listed in the commit messages. I can copy them across to the PR description though if that's what you are asking?

@burgerdev burgerdev left a comment

Sorry, I missed the references in the commit messages. Thanks for updating the PR description, too!

LGTM!

I wonder whether we should use a common version throughout the repo (looks like each Cargo.lock has a different one now: https://github.com/search?q=repo%3Akata-containers%2Fkata-containers%20bumpalo&type=code). But that may be a broader question that we don't need to address here.

@stevenhorsman

I wonder whether we should use a common version throughout the repo (looks like each Cargo.lock has a different one now: https://github.com/search?q=repo%3Akata-containers%2Fkata-containers%20bumpalo&type=code). But that may be a broader question that we don't need to address here.

Yeah I would love to find a nice way to sanitise all our dependencies, but didn't want to risk trying to use this PR to get them all at the same point. My dependabot config PR (#11016) might help keep them on track better later, though a single source would be nice!
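The per-directory drift in pinned crate versions discussed above can be checked mechanically. The shell functions below are an added example, not code from the kata-containers PR or repository: they scan every Cargo.lock under a root for a crate's resolved versions and compare each against a minimum patched version that the caller takes from the advisory; the fixture lockfiles and their versions are constructed for illustration, and `version_ge` compares numeric components only (pre-release suffixes are ignored).

```shell
# Added example (not from the kata-containers PR): audit every Cargo.lock under
# a directory for one crate's pinned version(s) against an advisory's fix version.

# Print "<lockfile> <version>" for every [[package]] entry named CRATE.
lock_versions() {  # $1 = repo root, $2 = crate name
  find "$1" -name Cargo.lock | sort | while read -r lock; do
    awk -v crate="$2" -v lock="$lock" '
      /^\[\[package\]\]/ { name = "" }
      /^name = /         { gsub(/"/, "", $3); name = $3 }
      /^version = /      { gsub(/"/, "", $3); if (name == crate) print lock, $3 }
    ' "$lock"
  done
}

# Return 0 when $1 >= $2, comparing dotted numeric components; missing
# components count as 0 and pre-release suffixes are ignored.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Report each lockfile's pin of CRATE against MIN; return 1 if any is too old.
audit_crate() {  # $1 = repo root, $2 = crate name, $3 = minimum patched version
  found=$(lock_versions "$1" "$2")
  bad=0
  while read -r lock ver; do
    [ -n "$lock" ] || continue
    if version_ge "$ver" "$3"; then echo "ok   $lock $2 $ver"
    else echo "FAIL $lock $2 $ver < $3"; bad=1; fi
  done <<EOF
$found
EOF
  return $bad
}

# Constructed fixture (not real lockfiles): two Cargo.lock files pinning different bumpalo versions.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/src/agent" "$root/src/tools"
  printf '[[package]]\nname = "bumpalo"\nversion = "3.10.0"\n\n[[package]]\nname = "hyper"\nversion = "0.14.0"\n' > "$root/src/agent/Cargo.lock"
  printf '[[package]]\nname = "bumpalo"\nversion = "3.12.0"\n' > "$root/src/tools/Cargo.lock"
  echo "$root"
}
```

Run `audit_crate . bumpalo <patched-version>` at the repository root with the fix version from the advisory; a non-zero exit means at least one lockfile still resolves an older version, which is the case a `cargo update -p <crate>` in that directory addresses.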

@RuoqingHe RuoqingHe left a comment

Looks good to me, thanks @stevenhorsman for taking care of the CVEs ❤️

@stevenhorsman stevenhorsman merged commit 711fcd8 into kata-containers:main May 14, 2025
563 of 666 checks passed
@stevenhorsman stevenhorsman deleted the rust-vulns-9th-may-2025 branch June 11, 2025 09:00