Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump golang.org/x/net to address security concerns [CVE-2024-45338], [CVE-2024-45337] #6021

Open
RainbowMango opened this issue Jan 7, 2025 · 14 comments
Assignees
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.

Comments

@RainbowMango
Copy link
Member

Task description:
Bump golang.org/x/net in go.mod to v0.34.0.
(Note: golang.org/x/[email protected] requires golang.org/x/[email protected])

Which will address two CVEs:

Solution:

Update the golang.org/x/net in go.mod to v0.34.0, like:

diff --git a/go.mod b/go.mod
index f7128c17c..c5787300c 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
        github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64
        go.uber.org/mock v0.4.0
-       golang.org/x/net v0.28.0
+       golang.org/x/net v0.34.0
        golang.org/x/term v0.23.0
        golang.org/x/text v0.17.0
        golang.org/x/time v0.5.0

And then, run the command make update, commit all generated files.

Who can join or take the task:

The good first issue is intended for first-time contributors to get started on his/her contributor journey.

After a contributor has successfully completed 1-2 good first issue's,
they should be ready to move on to help wanted items, saving the remaining good first issue for other new contributors.

How to join or take the task:

Just reply on the issue with the message /assign in a separate line.

Then, the issue will be assigned to you.

How to ask for help:

If you need help or have questions, please feel free to ask on this issue.
The issue author or other members of the community will guide you through the contribution process.

@RainbowMango RainbowMango added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Jan 7, 2025
@yaten2302
Copy link

/assign

@RainbowMango
Copy link
Member Author

Thanks @yaten2302, Any update? Please let me know if you need any help.

@yaten2302
Copy link

yaten2302 commented Jan 9, 2025

Hey @RainbowMango , when I've run the command make update after changing to v0.34.0, but the file changes are as follows: (and in the end it's also showing 2 errors on running go mod vender)
image

@RainbowMango
Copy link
Member Author

I've no clue about the Device or resource busy, but it seems the generated file was put in a nested directory.
I guess you can clone the karmada repo under your $GOPATH, that is $GOPATH/src/github.com/karmada-io/karmada, and try again.

@RainbowMango
Copy link
Member Author

find your GOPATH by command: go env GOPATH, by the way.

@yaten2302
Copy link

image

This is my GOPATH

@yaten2302
Copy link

So, should I do - git clone $GOPATH/src/github.com/karmada-io/karmada?

@RainbowMango
Copy link
Member Author

You can give it a try, remember to replace $GOPATH with the output of go env GOPATH

@RainbowMango
Copy link
Member Author

Hi @yaten2302 any update?

@yaten2302
Copy link

Hey, sorry for the delay, I tried this, but it's showing that no such repo exists:

image

@RainbowMango
Copy link
Member Author

It shows that you give the wrong URL to the clone. Try with the following steps:

  1. Change your working directory to C:/Users/dhing/go/src/github.com/karmada-io
  2. Clone the forked repo: git clone https://github.com/yaten2302/karmada.git

@yaten2302
Copy link

It's showing that no such dir exists, should I create one and then try?

Image

@RainbowMango
Copy link
Member Author

Yes, of course! You should create it if it does not exist.

@RainbowMango
Copy link
Member Author

By the way, do you have a Linux machine? I'm not sure if you can run the make update command on Windows, as it runs a bunch of shell scripts under the hood.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
Projects
None yet
Development

No branches or pull requests

2 participants