
update golang.org/x/net, addressing CVE-2023-45288#35165

Merged
jbardin merged 2 commits intomainfrom
bump_golang_x_net
May 22, 2024

Conversation


@finnigja finnigja commented May 15, 2024

This adopts the 0.23.0 version of the golang.org/x/net library (moving from current 0.22.0), which includes a fix for CVE-2023-45288.

While, per govulncheck, the Terraform codebase does interact with affected components of this library, Terraform is unlikely to be exposed due to the vulnerability being in the context of an HTTP/2 endpoint that consumes header data.

The changes between the two releases appear to be largely HTTP/2 related, per golang/net@v0.22.0...v0.23.0.

Target Release

1.8.x

Draft CHANGELOG entry

BUG FIXES

Updated to new golang.org/x/net release, which addressed CVE-2023-45288.

@finnigja finnigja added the 1.8-backport If you add this label to a PR before merging, backport-assistant will open a new PR once merged label May 15, 2024
@finnigja finnigja requested review from a team as code owners May 15, 2024 23:17
@finnigja finnigja requested a review from a team May 15, 2024 23:18
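As an added check that is not code from this pull request or from Terraform itself, the Go program below reads go.mod text and reports whether golang.org/x/net is still pinned below v0.23.0, the release this PR adopts for the CVE-2023-45288 fix. The embedded go.mod excerpt, its module path, the sibling requirements and the function names are constructed for illustration; the version comparison is a minimal semver compare written here, not golang.org/x/mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedNetVersion is the golang.org/x/net release the PR moves to, which
// carries the CVE-2023-45288 fix (per the PR description).
const fixedNetVersion = "v0.23.0"

// sampleGoMod is a constructed go.mod excerpt still pinned to the
// pre-fix release; the module path and sibling requirements are made up.
const sampleGoMod = `module example.com/placeholder

go 1.21

require (
	github.com/example/other v1.2.3
	golang.org/x/net v0.22.0 // indirect
	golang.org/x/text v0.14.0
)
`

// requiredVersion returns the version pinned for module in go.mod text.
// It handles both "require x v1" lines and entries inside a require block.
// Caveat: it does not follow replace directives, which can override the pin.
func requiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric
// core and reports whether a pre-release suffix was present.
func parseSemver(v string) ([3]int, bool, error) {
	var core [3]int
	s := strings.TrimPrefix(v, "v")
	pre := false
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		pre = s[i] == '-'
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return core, false, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return core, false, fmt.Errorf("bad component %q in %q", p, v)
		}
		core[i] = n
	}
	return core, pre, nil
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher
// than b. A pre-release sorts below the release with the same core.
func compareSemver(a, b string) (int, error) {
	ca, preA, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	cb, preB, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1, nil
		}
		if ca[i] > cb[i] {
			return 1, nil
		}
	}
	if preA && !preB {
		return -1, nil
	}
	if !preA && preB {
		return 1, nil
	}
	return 0, nil
}

// NeedsNetBump reports whether goMod pins golang.org/x/net below the fixed
// release, i.e. whether the dependency still needs the update this PR makes.
func NeedsNetBump(goMod string) (bool, error) {
	v, ok := requiredVersion(goMod, "golang.org/x/net")
	if !ok {
		return false, fmt.Errorf("golang.org/x/net is not required in go.mod")
	}
	c, err := compareSemver(v, fixedNetVersion)
	if err != nil {
		return false, err
	}
	return c < 0, nil
}

func main() {
	need, err := NeedsNetBump(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/net below %s: %v\n", fixedNetVersion, need)
}
```

The go.mod pin is only one signal: as the PR notes, govulncheck also reports whether the code actually reaches the affected symbols, so a pinned version below the fix is a prompt to bump, not proof of exposure.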
Member

jbardin commented May 16, 2024

FYI this may not backport correctly and will probably need to be recreated for the v1.8 branch (both because there's currently a problem with backport-assistant, and because go.mod/go.sum always have conflicts ;))

@jbardin jbardin merged commit b955c9d into main May 22, 2024
Contributor

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@jbardin jbardin deleted the bump_golang_x_net branch May 22, 2024 15:34
jbardin added a commit that referenced this pull request May 22, 2024
Backport #35165: update golang.org/x/net, addressing CVE-2023-45288
Contributor

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 22, 2024