Commit Graph

7 Commits

Author SHA1 Message Date
Michael Zalimeni d4761c0ccd
security: upgrade google.golang.org/protobuf to 1.33.0 (#20801)
Resolves CVE-2024-24786.
2024-03-06 23:04:42 +00:00
Michael Zalimeni fe10339caa
[NET-7009] security: update x/crypto to 0.17.0 (#20023)
security: update x/crypto to 0.17.0

This addresses CVE-2023-48795 (x/crypto/ssh).
2023-12-21 20:11:19 +00:00
Michael Zalimeni 42647de35d
[NET-6138] security: Bump `google.golang.org/grpc` to 1.56.3 (CVE-2023-44487) (#19414)
Bump google.golang.org/grpc to 1.56.3

This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-10-30 08:44:22 -04:00
Michael Zalimeni 8eb074e7c1
[NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 (#19225)
* Bump golang.org/x/net to 0.17.0

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

* Update Go version to 1.20.10

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
(`net/http`).
2023-10-16 17:49:04 -04:00
Michael Zalimeni 905e371607
[NET-5146] security: Update Go version to 1.20.7 and `x/net` to 0.13.0 (#18358)
* Update Go version to 1.20.7

This resolves [CVE-2023-29409]
(https://nvd.nist.gov/vuln/detail/CVE-2023-29409)(`crypto/tls`).

* Bump golang.org/x/net to 0.13.0

Addresses [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)
for security scans (non-impacting).
2023-08-02 13:10:29 -04:00
Matt Keeler 77f44fa878
Various bits of cleanup detected when using Go Workspaces (#17462)
TLDR with many modules the versions included in each diverged quite a bit. Attempting to use Go Workspaces produces a bunch of errors.

This commit:

1. Fixes envoy-library-references.sh to work again
2. Ensures we are pulling in go-control-plane@v0.11.0 everywhere (previously it was at that version in some modules and others were much older)
3. Remove one usage of golang/protobuf that caused us to have a direct dependency on it.
4. Remove deprecated usage of the Endpoint field in the grpc resolver.Target struct. The current version of grpc (v1.55.0) has removed that field and recommended replacement with URL.Opaque and calls to the Endpoint() func when needing to consume the previous field.
4. `go work init <all the paths to go.mod files>` && `go work sync`. This syncrhonized versions of dependencies from the main workspace/root module to all submodules
5. Updated .gitignore to ignore the go.work and go.work.sum files. This seems to be standard practice at the moment.
6. Update doc comments in protoc-gen-consul-rate-limit to be go fmt compatible
7. Upgraded makefile infra to perform linting, testing and go mod tidy on all modules in a flexible manner.
8. Updated linter rules to prevent usage of golang/protobuf
9. Updated a leader peering test to account for an extra colon in a grpc error message.
2023-06-05 16:08:39 -04:00
Paul Banks cd8ad007fe Add basic integration test for Envoy ingress with SDS 2021-09-23 10:08:02 +01:00