Skip to content

Update cni plugins and crypto deps to fix security vulnerabilities #700

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ayush-panta merged 1 commit into from
Dec 24, 2025
Merged

Update cni plugins and crypto deps to fix security vulnerabilities #700

ayush-panta merged 1 commit into from
Dec 24, 2025
+76 −60

Conversation

@ayush-panta
Copy link
Contributor

@ayush-panta ayush-panta commented Dec 23, 2025

Description of changes: Upgraded golang.org/x/crypto v0.38.0 → v0.46.0 and containernetworking/plugins v1.7.1 → v1.9.0 to fix vulnerabilities flagged by dependabot. Got latest go versions for these then ran go mod tidy to sync deps. go build works.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ayush-panta ayush-panta requested a review from a team as a code owner December 23, 2025 20:27
sondavidb
sondavidb reviewed Dec 23, 2025
View reviewed changes
Kern--
Kern-- reviewed Dec 23, 2025
View reviewed changes
coderbirju
coderbirju reviewed Dec 23, 2025
View reviewed changes
sondavidb
sondavidb previously approved these changes Dec 23, 2025
View reviewed changes
@Kern--
Copy link
Contributor

Kern-- commented Dec 24, 2025
edited
Loading

I think the best path forward for this is to skip the failing test when testing against upstream.

The bug is that Firecracker opens the metrics fifo with O_NONBLOCK. They used to open it with read/write, but now they open with write only. Opening a fifo with write only and O_NONBLOCK returns ENXIO. It used to work because of a non-standard linux thing where opening with read/write satisfied the kernel that nonblocking write was fine because there's a reader too.

We can ask firecracker to open with read/write again to fix it. Fixing it on our end looks tough because we create the metrics fifo as part of the API that starts the vm, but we can't start the vm unless something is reading the fifo.

We probably had a potential metrics/log loss here anyway if you don't open the fifo fast enough and the fifo buffer fills.

EDIT: To be clear, fc-go-sdk does not work with upstream firecracker when using metrics fifos instead of metrics files. We need to do something about that, but we should be able to merge dependencies in the meantime.

@ayush-panta ayush-panta merged commit 6fb280e into firecracker-microvm:main Dec 24, 2025
18 checks passed
@ayush-panta ayush-panta deleted the fix-deps branch December 24, 2025 19:10
@coderbirju coderbirju mentioned this pull request Dec 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderbirju coderbirju coderbirju left review comments

@Kern-- Kern-- Kern-- approved these changes

@sondavidb sondavidb sondavidb left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ayush-panta @Kern-- @coderbirju @sondavidb