Skip to content

NO-JIRA: CVE-2025-22868 bump oauth2 pkg to v0.27.0 #9569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 26, 2025
Merged

NO-JIRA: CVE-2025-22868 bump oauth2 pkg to v0.27.0 #9569

merged 1 commit into from
Mar 26, 2025
+56 −12

Conversation

sunku5494
Copy link
Contributor

we didn't find any traces of using the function Verify of outh2 pkg as mentioned in the https://pkg.go.dev/vuln/GO-2025-3488 in installer. So, installer is not affected by CVE-2025-22868, but we have decided to bump the oauth2 pkg version v0.27.0 to avoid any potential confusion from scanners. we will fix this in main, but won't plan any backports as it is not vulnerable to installer.

below is the utility we have used to verify if the installer is affected with the CVE
callgraph -format=digraph cmd/openshift-install/*.go | digraph nodes | grep jws.Verify

@sunku5494
Copy link
Contributor Author

/retest

@sunku5494
Copy link
Contributor Author

/assign sunku5494

@sunku5494 sunku5494 changed the title NO_JIRA: CVE-2025-22868 bump oauth2 pkg to v0.27.0 NO-JIRA: CVE-2025-22868 bump oauth2 pkg to v0.27.0 Mar 18, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 18, 2025
@openshift-ci-robot
Copy link
Contributor

@sunku5494: This pull request explicitly references no jira issue.

In response to this:

we didn't find any traces of using the function Verify of outh2 pkg as mentioned in the https://pkg.go.dev/vuln/GO-2025-3488 in installer. So, installer is not affected by CVE-2025-22868, but we have decided to bump the oauth2 pkg version v0.27.0 to avoid any potential confusion from scanners. we will fix this in main, but won't plan any backports as it is not vulnerable to installer.

below is the utility we have used to verify if the installer is affected with the CVE
callgraph -format=digraph cmd/openshift-install/*.go | digraph nodes | grep jws.Verify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sunku5494
Copy link
Contributor Author

/retest

@sunku5494
Copy link
Contributor Author

sunku5494 commented Mar 20, 2025
edited
Loading

/cc @patrickdillon

@openshift-ci openshift-ci bot requested a review from patrickdillon March 20, 2025 04:40
@patrickdillon
Copy link
Contributor

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 20, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 20, 2025
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 8b0c929 and 2 for PR HEAD fc5ff9248903319a85fa0cfe0b0c4c8513cc59ff in total

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD c0c6232 and 1 for PR HEAD fc5ff9248903319a85fa0cfe0b0c4c8513cc59ff in total

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD c0c6232 and 2 for PR HEAD fc5ff9248903319a85fa0cfe0b0c4c8513cc59ff in total

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 23, 2025
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 24, 2025
tthvo
tthvo reviewed Mar 24, 2025
View reviewed changes
Copy link
Member

@tthvo tthvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2025
@sadasu
Copy link
Contributor

sadasu commented Mar 25, 2025

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Mar 25, 2025
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 43f705a and 2 for PR HEAD d8e177c in total

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 25, 2025
edited
Loading

@sunku5494: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure-ovn-resourcegroup d8e177c link false /test e2e-azure-ovn-resourcegroup
ci/prow/okd-scos-e2e-aws-ovn d8e177c link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-heterogeneous d8e177c link false /test e2e-aws-ovn-heterogeneous

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 43f705a and 2 for PR HEAD d8e177c in total

@openshift-merge-bot openshift-merge-bot bot merged commit fb99a99 into openshift:main Mar 26, 2025
33 of 36 checks passed
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-altinfra
This PR has been included in build ose-installer-altinfra-container-v4.20.0-202503260614.p0.gfb99a99.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-terraform-providers
This PR has been included in build ose-installer-terraform-providers-container-v4.20.0-202503260614.p0.gfb99a99.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-baremetal-installer
This PR has been included in build ose-baremetal-installer-container-v4.20.0-202503260614.p0.gfb99a99.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-artifacts
This PR has been included in build ose-installer-artifacts-container-v4.20.0-202503260614.p0.gfb99a99.assembly.stream.el9.
All builds following this will include this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tthvo tthvo

@patrickdillon patrickdillon

Assignees

@patrickdillon patrickdillon

@tthvo tthvo

@sunku5494 sunku5494

Labels
acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@sunku5494 @openshift-ci-robot @patrickdillon @sadasu @openshift-bot @tthvo @openshift-merge-robot