Tobiasb/CVE 2023 28155 reaper#5560
Closed
tobiasb-ms wants to merge 25 commits into
Closed
Conversation
microsoft#5529) * Upgrade cloud-hypervisor to 31.1, kernel-mshv to 5-15-110, and kernel-uvm to 5-15-110 as part of LSG release v2305.11.1 * update manifest * install bzImage
Add rootfs partition name in gen2 market place image
* Update moby-containerd-cc to 1.7.1 to fix unit test TestSnapshotterFromPodSandboxConfig
* Add ldap support to sudo ALlow ldap to be used to configure sudo * Updated 1.8.15-4 of commit in change log rpmlint was failing as date and day did not match up, correcting day to pass rpmlint * Address PR commnts - Removing ldap path and defauting to default config path - Changing openldap to openldap-devel
* updating to v1.11.2 * Fixing bogus date warning * Removing patch for CVE-2023-25165 as it is patched in the upgrade * Removing patch for CVE-2023-25165 as it is patched in the upgrade * Updating prep section to work withouth patch * Fixing linting error
* Upgrade lua to 5.4.4 to fix CVE-2021-44964 * Update signature file manually * Update toolchain build scripts for lua * Remove patches that were already merged to lua-5.4.4 * Fix typo in changelog
Provide k8s-cni in cni-plugins --------- Co-authored-by: Betty Lakes <[email protected]>
* Fix CVE-2023-29194 by upgrading vitess to version 16.0.2 * Updage cgmanifest.json with correct version
* Update CVE-2022-37601.patch to fix multiple occurances loader-utils module is used by multiple other modules which reaper is depending upon. Instead of reusing already downloaded code, npm redownloades the same module at different subtree level of node_modules. So the same CVE has to be fixed in other two places as well. * Addressed review comments
c28f407 to
35d2f6a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DRAFT--IGNORE
Merge Checklist
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./SPECS/LICENSES-AND-NOTICES/data/licenses.json,./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md,./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Patch reaper to fix CVE-2023-28155, which is a vulnerability in the
requestnpm module, upon whichreaperdepends. This is somewhat complicated by the fact thatrequesthas been deprecated and is no longer taking updates. The patch is actually adapted from a pull request that was never and will never be merged.Change Log
Patch CVE-2023-28155
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology
compilestage ofrpmbuild.