k3s/1.31.2.1-r4: cve remediation #35686
Conversation
![octo-sts[bot]](https://avatars.githubusercontent.com/in/801323?s=60&v=4){kind=small}
octo-sts
bot
added
P1
|
Gen AI suggestions to solve the build error: • Detected Error: undefined: http3.StreamCreator and related QUIC version errors • Error Category: Dependency/Version • Failure Point: Go build step failing due to incompatible versions between quic-go packages • Root Cause Analysis: There appears to be a version mismatch between quic-go and its dependent packages. The error indicates that the HTTP/3 and QUIC implementations are not compatible with each other. • Suggested Fix:
- uses: go/bump
with:
deps: |
github.com/quic-go/[email protected]
github.com/quic-go/[email protected]
github.com/libp2p/[email protected]• Explanation: • Additional Notes:
• References: |
…r quic-go package, which we've in-turn bumped to remediate GHSA-px8v-pp82-rcvr' Signed-off-by: Mark McCormick <[email protected]>
mamccorm
force-pushed
the
cve-k3s-75cf6a6492b533da61c59ef9a6604f00
branch
from
03bea50 to
3edbaa1
Compare
… needed. Signed-off-by: Mark McCormick <[email protected]>
octo-sts
bot
added
the
bincapz/pass
Signed-off-by: Mark McCormick <[email protected]>
Remediating this CVE required bumping quic-go, as well as go-libp2p. Similar bumps were made for another go package: #35698.
Additionally, we needed to set grpc to v1.68.0, as there are multiple instances of grpc in this project. It'd fail to bump them when left at v1.67.0 and complain some are already at v1.68.0.
Note k3s image tests may be failing in CI already (unrelated and pre-existing to this update). See here.
k3s/1.31.2.1-r4: fix GHSA-px8v-pp82-rcvr
Advisory data: https://github.com/wolfi-dev/advisories/blob/main/k3s.advisories.yaml