dependencies: bump LuaJIT to 2.1 branch HEAD @ e9af1ab. #13474
Conversation
LuaJIT 2.1.0-beta3 has the following CVEs, which don't appear super critical for correctly functioning Lua code but prudence dictates we should bump anyway:

- CVE-2020-15890: LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.
- CVE-2020-24372: LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.

There is no release version beyond 2.1.0-beta3, so using HEAD of 2.1 branch.

Risk level: Medium (if using LuaJIT).

Testing: bazel test //test/... Some unit tests required fixups due to changes in Lua header map table ordering.

Signed-off-by: Harvey Tuch <[email protected]>
Check CI and I can take a look? /wait
I'm on it, my boxes were all spent fighting with the last of the clang-cl issues (much simpler if I were on master and not a fork of 13133, which has been lingering too long). The patch is ready, I'll be at the office Sunday to hand off the patch of our localization plus their improvements to the DASM code logic for x64. In other events, we discussed the issue of the unmaintained moonjit fork and this patch. It's clear, we must move to either CMake or bazel and push that upstream to luajit, decommission the moonjit support, and find someone (perhaps @iii-i ?) to guide s390 porting patches back to LuaJIT upstream. I will open the ticket for envoy, draft a portable substitute for this horrid patched .bat makefile, and help shepherd whatever we can accomplish with the LuaJIT maintainers.
@wrowe LMK when you have the Windows patch sorted and I'll apply. Seems there is an orthogonal gcc failure on the wrappers_test, so I'll look into that meanwhile.
Signed-off-by: Harvey Tuch <[email protected]>
@wrowe Windows is failing in CI, was it working at your end?
Signed-off-by: Harvey Tuch <[email protected]>
Signed-off-by: Harvey Tuch <[email protected]>
Still locally encountering various build breakage even after feature define wasm=disabled, merge to master may or may not help, but the patch suggestions appear correct, thanks to @sunjayBhatia for diagnostics
Signed-off-by: Harvey Tuch <[email protected]>
Merge main to fix the checks? /wait
LGTM
* master: (22 commits)
  - delay health checks until transport socket secrets are ready. (envoyproxy#13516)
  - test, oauth2: Make sure config test runs field validation (envoyproxy#13496)
  - [http] swap codec implementations to default new (envoyproxy#13579)
  - wasm: update proxy-wasm-cpp-host (envoyproxy#13606)
  - postgres: do not copy and linearize received data when it is not going to be used (envoyproxy#13393)
  - configs: Update configs v2 -> v3 (envoyproxy#13562)
  - http2: Remove RELEASE_ASSERTs in sendPendingFrames() error handling (envoyproxy#13546)
  - dependencies: track untracked implied dependencies, wrapup dashboard. (envoyproxy#13571)
  - listener: add match all filter chain (envoyproxy#13449)
  - fix mistakes in docstrings (envoyproxy#13603)
  - ratelimit: add route entry metadata to ratelimit actions (envoyproxy#13269)
  - cluster manager: avoid immediate activation for dynamic inserted cluster when initialize (envoyproxy#12783)
  - ext_authz: Avoid calling check multiple times (envoyproxy#13288)
  - docs: Unexclude remaining configs from validation (envoyproxy#13534)
  - build: update rules_rust to allow Rustc in RBE (envoyproxy#13595)
  - docs: Update sphinxext.rediraffe (envoyproxy#13589)
  - Deprecate moonjit support on Windows before beta (envoyproxy#13541)
  - dependencies: bump LuaJIT to 2.1 branch HEAD @ e9af1ab. (envoyproxy#13474)
  - docs: add TLS stats to cluster stats doc (envoyproxy#13561)
  - ci: stop building alpine-debug images in favor of ubuntu-based debug image (envoyproxy#13598)
  - ...

Signed-off-by: Michael Puncel <[email protected]>
LuaJIT 2.1.0-beta3 has the following CVEs, which don't appear super critical for correctly functioning Lua code but prudence dictates we should bump anyway:

- CVE-2020-15890: LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.
- CVE-2020-24372: LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.

There is no release version beyond 2.1.0-beta3, so using HEAD of 2.1 branch.

Risk level: Medium (if using LuaJIT).

Testing: bazel test //test/... Some unit tests required fixups due to changes in Lua header map table ordering.

Signed-off-by: Harvey Tuch [email protected]
Co-authored-by: Michael Payne [email protected]
Co-authored-by: William A Rowe Jr [email protected]