-
Notifications
You must be signed in to change notification settings - Fork 293
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #16429 from wolfi-dev/cve-k3s-c4ff05ac72c4d4931130…
…12337fcfc6e1 k3s/1.29.3-r1: cve remediation
- Loading branch information
Showing
2 changed files
with
664 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| package: | ||
| name: k3s | ||
| version: 1.29.3 | ||
| epoch: 1 | ||
| epoch: 2 | ||
| description: | ||
| copyright: | ||
| - license: Apache-2.0 | ||
|
|
@@ -48,9 +48,13 @@ pipeline: | |
| repository: https://github.com/k3s-io/k3s | ||
| tag: v${{vars.full-package-version}} | ||
| expected-commit: 8aecc26b0f167d5e9e4e9fbcfd5a471488bf5957 | ||
| - uses: patch | ||
| with: | ||
| patches: spegel-org.patch | ||
| - uses: go/bump | ||
| with: | ||
| deps: github.com/jackc/pgx/[email protected] | ||
| deps: github.com/jackc/pgx/[email protected] google.golang.org/[email protected] github.com/nats-io/[email protected] github.com/cyphar/[email protected] | ||
| replaces: github.com/libp2p/go-libp2p=github.com/libp2p/[email protected] github.com/golang/protobuf=github.com/golang/[email protected] github.com/docker/docker=github.com/docker/[email protected]+incompatible github.com/quic-go/quic-go=github.com/quic-go/[email protected] | ||
| # Build things (almost) identical to upstream, with the k3s components | ||
| # embedded in the "outer" multicall binary. | ||
| - runs: | | ||
|
|
@@ -59,11 +63,6 @@ pipeline: | |
| mkdir -p build/static bin/aux etc | ||
| ./scripts/download | ||
| # Patch things that need patching | ||
| go mod edit -dropreplace=github.com/golang/protobuf | ||
| go get github.com/golang/[email protected] | ||
| go get google.golang.org/[email protected] | ||
| # CVE-2023-47108 | ||
| go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlpmetric | ||
| go mod edit -dropreplace=go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc | ||
|
|
@@ -91,21 +90,6 @@ pipeline: | |
| go get go.opentelemetry.io/otel/[email protected] | ||
| go get go.opentelemetry.io/proto/[email protected] | ||
| # GHSA-jq35-85cj-fj4 | ||
| go mod edit -dropreplace=github.com/docker/docker | ||
| go get github.com/docker/[email protected]+incompatible | ||
| # CVE-2023-46129 | ||
| go get github.com/nats-io/[email protected] | ||
| # GHSA-6xv5-86q9-7xr8 | ||
| go get github.com/cyphar/[email protected] | ||
| # CVE-2023-48795 | ||
| go mod edit -dropreplace=golang.org/x/crypto | ||
| go get golang.org/x/[email protected] | ||
| go mod tidy | ||
| # Override the go version check at runtime to always match the go version at build time | ||
|
|
||
Oops, something went wrong.