CVE-2024-45337 #8514
Closed
CVE-2024-45337 #8514
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/kind changelog-not-required |
github-actions
bot
added
the
Dependencies
github-actions
bot
added
the
kind/changelog-not-required
|
Please signoff all your commits https://github.com/vmware-tanzu/velero/pull/8514/checks?check_run_id=34572716368 and force push. |
kaovilai
reviewed
Dec 19, 2024
|
Please also help to bump the version of Please check #8526 for reference. |
kaovilai
requested changes
Dec 20, 2024
|
And reminder to signoff ALL your commits in the PR. https://github.com/vmware-tanzu/velero/pull/8514/checks?check_run_id=34673896265 |
The change will fix CVE-2023-45288 Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2024-45337 Fix: golang/go#70779 Signed-off-by: Kamlesh Verma <[email protected]> Signed-off-by: kamlesh VERMA <[email protected]>
Signed-off-by: kamlesh VERMA <[email protected]>
Fix backup post hook issue Fixes vmware-tanzu#8159 Signed-off-by: Wenkai Yin(尹文开) <[email protected]> Signed-off-by: kamlesh VERMA <[email protected]>
The issue is caused by the changes of controller-runtime: WithEventFilter() doesn't apply to WatchesRawSource(), this commit set Predicate for WatchesRawSource() seperatedly Fixes vmware-tanzu#8437 Signed-off-by: Wenkai Yin(尹文开) <[email protected]> Signed-off-by: kamlesh VERMA <[email protected]>
Signed-off-by: Lyndon-Li <[email protected]> Signed-off-by: kamlesh VERMA <[email protected]>
Signed-off-by: kamlesh VERMA <[email protected]>
Signed-off-by: kamlesh VERMA <[email protected]> Signed-off-by: kamlesh VERMA <[email protected]>
kaovilai
reviewed
Dec 20, 2024
kaovilai
added a commit
to kaovilai/velero
that referenced
this pull request
Dec 20, 2024
Replaces vmware-tanzu#8514 Signed-off-by: Tiger Kaovilai <[email protected]>
3 tasks
|
Opened #8541 which covers the CVEs discussed in this PR. |
Sure no problem. Let me close this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The change will fix CVE-2023-45288
Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2024-45337
Fix: golang/go#70779
Thank you for contributing to Velero!
Please add a summary of your change
As per NVD, Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key.
Does your change fix a particular issue?
Yes. It will fix CVE-2023-45288 vulnerability.
Fixes #(issue)
Please indicate you've done the following:
make new-changelog) or comment/kind changelog-not-requiredon this PR.site/content/docs/main.