[v4.4.1-rhel] CVE-2025-47913 x/crypto to v0.43.0 (#28092)
Bump Fedora to v42 to get the necessary version of Go for this change.

Signed-off-by: Tom Sweeney <tomsweney@redhat.com>

Bump golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913.

Note: This change has bumped the Go requirement to v1.24 and I have removed the old replacement to the private crypto repository.

Fixes: https://issues.redhat.com/browse/OCPBUGS-67036, https://issues.redhat.com/browse/OCPBUGS-67053, https://issues.redhat.com/browse/OCPBUGS-67070, https://issues.redhat.com/browse/OCPBUGS-67090, https://issues.redhat.com/browse/RHEL-134783, https://issues.redhat.com/browse/RHEL-134787

Signed-off-by: Tom Sweeney <tomsweney@redhat.com>
6809e0a to 0d8a107
I'm assuming all the other version bumps were side-effects of the crypto & golang bump. If so, LGTM. Want me to try running this through the system tests?
@cevich if you could run it through the system tests, it would be much appreciated!
Ugh, I did a scratch build yesterday hoping that would also catch the system tests. But no, this package also requires the updated crun to function. I have a workaround for that but it takes 4 hours to run 😯 Starting it now.
The remote tests are still running, here are the local results: 0d8a107_local-rootless.txt
Can we defer such huge version bumps by patching the affected file during rpm build time? The actual fix for this CVE is very small. Security scanners might complain about this branch being vulnerable, in which case maybe we should move such branches to an RH-internal git host? The current CI setup on these branches isn't doing much anyway.
Putting a hold on this now as there's much discussion going on with the OCP Builder team about this patch and alternatives.
@lsm5 @cevich I've decided to take the hold off this now, and if necessary, based on continuing OCP deliberations, I may revert this later. Given the prior comments, can we merge this and get the Jira cards moving along? @lsm5 I hear the bloat concern, but this is much smaller bloat than the Frankenstein runc one.
I guess we still need to run some kind of tests on this one before merging. @cevich are you / SE taking this up?

EDIT: never mind, I read the history, and Chris already ran tests. Do we want to do another run? Also, maybe e2e, apiv2 tests etc.?
As a heavily biased, former QE-person, I'm always in favor of more testing and deeper 😉
@cevich have you been able to test more, and/or do we push this one along?
Happy to run our tests against this, it'll take a few hours since the manual runs can't easily operate in parallel.
| go.opentelemetry.io/otel/metric v1.19.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.19.0 // indirect | ||
| golang.org/x/crypto v0.31.0 // indirect | ||
| golang.org/x/crypto v0.43.0 // indirect |
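Review bot: the bumped line keeps the `// indirect` marker, which is fine for the purpose of this fix and answers the question raised below: a requirement listed in the main module's go.mod is a version floor for Go's minimum version selection whether or not it carries `// indirect`, so the build cannot resolve back to v0.31.0 unless this line itself is lowered, and `go mod tidy` will not downgrade it. Two things worth confirming in CI rather than by eye: `go list -m golang.org/x/crypto` reports v0.43.0 after a tidy, and, if this branch vendors its dependencies, the matching entry in `vendor/modules.txt` (not shown in this hunk) was regenerated with the same version.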
I am not a golang expert by any stretch, but I'll ask anyway: Would it make sense to have this be an explicit requirement? I'm 🤔 on the off-chance a future version breaks compatibility or introduces an unwanted bug/problem? Or would doing so risk breaking the project every time go is updated?
@cevich, maybe, but in cases like this, it's stretching my own Goland noodle, and I tend to stick with whatever the "go mod *" process cooks up.
It's probably fine, just my new paranoia working with AI where I have to question every damn thing even if it appears[1] to make sense 😞
[1]: AI's rationalize, they do not reason. Though they sure will try to convince you.
Update: The "runc" flavor of the system tests is done and all the expected ones passed. As before (and as is on #27933) the remote "default connection" test has a minor failure and all the pasta tests fail (because the test system has multiple IPv6 routes and pasta can't pick one).

I'm running the "crun" flavor now, but I am not expecting anything drastically different.
Crun testing is done, results are exactly the same by my 👁️

So from a system testing perspective on RHEL 9.2, this seems 👍
lsm5 left a comment:
LGTM from the system test results. If we need to run integration and others, would take a while.
Tested on RHEL 9.2.0-Nightly (kernel 5.14.0-284.160.1.el9_2.x86_64) via Testing Farm.

Build: podman 4.4.1 @ 0d8a107, Go 1.24.1, build tags exclude_graphdriver_btrfs seccomp systemd

System Tests

Integration Tests

API & Compose Tests

Failure Analysis

All failures are environment-specific, none related to the PR changes.

No regressions from the x/crypto bump to v0.43.0.
Ugh, that's a lot of failures, but as Lokesh said, many may be environmental. When I ran the system tests many more passed. So LGTM FWIW, but I don't have "merge button" authority.
LGTM. On my runs through the tests I didn't see any new failures to worry about, just the usual problems with the 1mt environment or test flakiness.
Starting with runc 1.3.0 it errors when we pass unknown mount options to the runtime; the volume-opt options are specific to the volume we create and should not be passed to the mount in the OCI spec.

Fixes: podman-container-tools#26938 (originally)

Follow up PR to: podman-container-tools#28092

Just before merging it was realized that the commits in this PR were also needed to completely address CVE-2025-52881.

Fixes: https://issues.redhat.com/browse/OCPBUGS-67036, https://issues.redhat.com/browse/OCPBUGS-67053, https://issues.redhat.com/browse/OCPBUGS-67070, https://issues.redhat.com/browse/OCPBUGS-67090, https://issues.redhat.com/browse/RHEL-134783, https://issues.redhat.com/browse/RHEL-134787

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 4e2a04d)
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
Bump golang.org/x/crypto to v0.43.0 to fix CVE-2025-47913.

Note: This change has bumped the Go requirement to v1.24 and I have removed the old replacement to the private crypto repository.

Fixes:
- https://issues.redhat.com/browse/OCPBUGS-67036
- https://issues.redhat.com/browse/OCPBUGS-67053
- https://issues.redhat.com/browse/OCPBUGS-67070
- https://issues.redhat.com/browse/OCPBUGS-67090
- https://issues.redhat.com/browse/RHEL-134783
- https://issues.redhat.com/browse/RHEL-134787
NOTE: Shortly before merging, it was discovered that 3 commits need to be added to handle volume bind mounts appropriately with the latest version of runc. That was done in this PR: #28450, and the associated Jira cards in this PR will not be closed until that PR is merged.