
Conversation

@saschagrunert
Member

What type of PR is this?

/kind bug

What this PR does / why we need it:

To pull in the changes introduced in containers/storage#993

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Improve memory usage during container image layer extraction.

To pull in the changes from containers/storage#993

Signed-off-by: Sascha Grunert <[email protected]>
@openshift-ci openshift-ci bot added the labels release-note (Denotes a PR that will be considered when it comes time to generate release notes), kind/bug (Categorizes issue or PR as related to a bug) and dco-signoff: yes (Indicates the PR's author has DCO signed all their commits) Aug 16, 2021
@openshift-ci
Contributor

openshift-ci bot commented Aug 16, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested review from fidencio and sboeuf August 16, 2021 07:03
@openshift-ci openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files) Aug 16, 2021
@saschagrunert
Member Author

@mrunalp @haircommander PTAL

github.com/containers/libpod/v2 v2.0.6
github.com/containers/ocicrypt v1.0.3
github.com/containers/storage v1.24.9-0.20210726165804-a308a1189f51
github.com/containers/storage v1.24.9-0.20210812201127-9206c19a100d
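Review bot: nothing in this hunk ties the new pseudo-version 9206c19a100d to containers/storage#993, which the PR body names as the reason for the bump; the diff only shows the go.mod line moving from a308a1189f51 to 9206c19a100d. Please add the commit range (for example the output of git log a308a1189f51..9206c19a100d in the storage repo) to the description so reviewers can confirm that the memory-usage fix is the only change being pulled into release-1.20, and confirm that go.sum and the vendored copy of containers/storage are updated in the same commit, since a go.mod-only bump leaves the build compiling the old code.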

Critical OSS Vulnerability:  

pkg:golang/github.com/gogo/[email protected]

1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/containers/[email protected]

CRITICAL Vulnerabilities (1)

    [CVE-2021-3121] An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarsha...

    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

    CVSS Score: 9.8

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


(at-me in a reply with help or ignore)


Critical OSS Vulnerability:  

pkg:golang/github.com/opencontainers/[email protected]

2 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/containers/[email protected]

CRITICAL Vulnerabilities (2)

    CVE-2019-5736

    [CVE-2019-5736] Containment Errors (Container Errors)

    runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

    CVSS Score: 8.6

    CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H


    CVE-2016-3697

    [CVE-2016-3697] Permissions, Privileges, and Access Controls

    libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

    CVSS Score: 7.8

    CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


(at-me in a reply with help or ignore)


Critical OSS Vulnerability:  

pkg:golang/golang.org/x/[email protected]

5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/containers/[email protected]

CRITICAL Vulnerabilities (5)

    CVE-2018-17143

    [CVE-2018-17143] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


    CVE-2018-17848

    [CVE-2018-17848] Data Handling

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


    CVE-2018-17847

    [CVE-2018-17847] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


    CVE-2018-17142

    [CVE-2018-17142] Improper Input Validation

    The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


    CVE-2018-17846

    [CVE-2018-17846] Resource Management Errors

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

    CVSS Score: 7.5

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


(at-me in a reply with help or ignore)


Severe OSS Vulnerability:  

pkg:golang/golang.org/x/[email protected]

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:golang/github.com/containers/[email protected]

SEVERE Vulnerabilities (1)

    [CVE-2019-11840] Use of Insufficiently Random Values

    An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

    CVSS Score: 5.9

    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


(at-me in a reply with help or ignore)
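
The scanner comments above match each module@version in go.mod against advisory data, and every hit lands on a transitive dependency whose version string is a pre-release (runc v1.0.0-rc92) or a pseudo-version (x/net, x/crypto). The first triage step is to re-check each hit against the range the advisory text itself states. The Go program below is an added example, not cri-o code and not the scanner's; the names Finding, Affected and cmpVersion are chosen here, and the bound table is transcribed from the advisory sentences quoted in the comments ("before 1.3.2", "through 1.0-rc6", "before 0.1.0", "through 2018-09-17", "before 2019-03-20"), carrying only one of the five x/net CVEs because the other four have the same shape. By those stated ranges only gogo/protobuf v1.3.1 and the 2019-03-08 x/crypto snapshot fall inside an affected range; runc rc92 is far past rc6 and a 2021 x/net snapshot is far past 2018.

```go
package main

import (
	"strconv"
	"strings"
)

// Finding is one scanner hit from the PR comments plus the version bound the
// quoted advisory text states, rewritten as a Go module version: "before 1.3.2"
// -> v1.3.2 exclusive, "through 1.0-rc6" -> v1.0.0-rc6 inclusive, and a date
// such as "before 2019-03-20" -> the pseudo-version timestamp v0.0.0-20190320000000.
type Finding struct {
	Module, Version, CVE, Bound string
	Inclusive                   bool
}

// PRFindings: the CVEs raised on this go.mod bump (bounds transcribed from the
// advisory text above; x/net carried once, its other four CVEs are alike).
var PRFindings = []Finding{
	{"github.com/gogo/protobuf", "v1.3.1", "CVE-2021-3121", "v1.3.2", false},
	{"github.com/opencontainers/runc", "v1.0.0-rc92", "CVE-2019-5736", "v1.0.0-rc6", true},
	{"github.com/opencontainers/runc", "v1.0.0-rc92", "CVE-2016-3697", "v0.1.0", false},
	{"golang.org/x/net", "v0.0.0-20210226101413-39e2e5f84fa7", "CVE-2018-17143", "v0.0.0-20180917235959", true},
	{"golang.org/x/crypto", "v0.0.0-20190308221718-8c07d3fdd61f", "CVE-2019-11840", "v0.0.0-20190320000000", false},
}

// Affected reports whether the flagged version lies inside the advisory's
// stated range; false means the finding does not survive triage.
func (f Finding) Affected() bool {
	c := cmpVersion(f.Version, f.Bound)
	return c < 0 || (f.Inclusive && c == 0)
}

// cmpVersion orders module versions (-1, 0, 1) of the three shapes in the
// scanner output: v1.3.1, v1.0.0-rc92 and v0.0.0-20190308221718-8c07d3fdd61f.
func cmpVersion(a, b string) int {
	an, ap := splitVersion(a)
	bn, bp := splitVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			return cmpInt(an[i], bn[i])
		}
	}
	// Same numbers: a tagless version is the final release and sorts above
	// every pre-release of it.
	if (ap == "") != (bp == "") {
		if ap == "" {
			return 1
		}
		return -1
	}
	return cmpPre(ap, bp)
}

// splitVersion turns "v1.0.0-rc92" into ([1 0 0], "rc92"); a missing patch
// number reads as 0, so the advisory's "1.0-rc6" spelling also parses.
func splitVersion(v string) ([3]int64, string) {
	v = strings.TrimPrefix(v, "v")
	pre := ""
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var nums [3]int64
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.ParseInt(p, 10, 64)
	}
	return nums, pre
}

// cmpPre compares pre-release tags identifier by identifier with trailing
// digits compared as numbers, so rc10 > rc9; a plain string compare inverts
// that, which is how "runc through 1.0-rc6" can turn into a hit on rc92. In a
// pseudo-version the first identifier is the commit timestamp; the hash after
// it has no order and only breaks exact ties.
func cmpPre(a, b string) int {
	sep := func(r rune) bool { return r == '.' || r == '-' }
	as, bs := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(as) && i < len(bs); i++ {
		ap, an := splitIdent(as[i])
		bp, bn := splitIdent(bs[i])
		if ap != bp {
			return strings.Compare(ap, bp)
		}
		if an != bn {
			return cmpInt(an, bn)
		}
	}
	return cmpInt(int64(len(as)), int64(len(bs)))
}

// splitIdent separates a trailing number: "rc92" -> ("rc", 92).
func splitIdent(s string) (string, int64) {
	i := len(s)
	for i > 0 && s[i-1] >= '0' && s[i-1] <= '9' {
		i--
	}
	n, _ := strconv.ParseInt(s[i:], 10, 64)
	return s[:i], n
}

func cmpInt(a, b int64) int {
	if a < b {
		return -1
	} else if a > b {
		return 1
	}
	return 0
}
```

A hit that survives this check still needs a reachability answer (does cri-o or containers/storage actually call into salsa20, or into code generated by the gogo unmarshal plugin?) before it becomes a release blocker; a hit that fails it is an ordering artifact of the scanner and can be dismissed with the bot's ignore reply.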

@saschagrunert saschagrunert changed the title Bump c/storage to latest release-1.24 [1.20] Bump c/storage to latest release-1.24 Aug 16, 2021
@haircommander
Member

# github.com/kubernetes-sigs/cri-tools/cmd/critest
vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go:21:2: cannot find package "." in:
	/home/runner/work/cri-o/cri-o/cri-tools/vendor/io/fs
FAIL	github.com/kubernetes-sigs/cri-tools/cmd/critest [setup failed]

Looks like we're not pinning critest. Cherry-pick of #5205 will fix.

@haircommander
Member

/test e2e-aws
/lgtm

@openshift-ci openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged) Aug 16, 2021
@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci openshift-ci bot merged commit 15ec74e into cri-o:release-1.20 Aug 16, 2021
@saschagrunert saschagrunert deleted the release-1.20-storage-applydiff branch August 17, 2021 07:21