[Cherry-Pick] CVE issues #52

Merged
merged 5 commits into from
Jan 16, 2024
78 changes: 45 additions & 33 deletions go.mod
Expand Up @@ -3,7 +3,7 @@ module github.com/kserve/kserve
go 1.20

require (
cloud.google.com/go/storage v1.30.1
cloud.google.com/go/storage v1.33.0
github.com/aws/aws-sdk-go v1.44.264
github.com/cloudevents/sdk-go v1.2.0
github.com/fsnotify/fsnotify v1.6.0
Expand All @@ -12,8 +12,8 @@ require (
github.com/gofrs/uuid/v5 v5.0.0
github.com/gogo/protobuf v1.3.2
github.com/golang/protobuf v1.5.3
github.com/google/go-cmp v0.5.9
github.com/google/uuid v1.3.0
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.3.1
github.com/googleapis/google-cloud-go-testing v0.0.0-20210719221736-1c9a4c676720
github.com/json-iterator/go v1.1.12
github.com/kelseyhightower/envconfig v1.4.0
Expand All @@ -24,30 +24,30 @@ require (
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.1
github.com/tidwall/gjson v1.14.4
go.uber.org/zap v1.24.0
gomodules.xyz/jsonpatch/v2 v2.2.0
google.golang.org/api v0.122.0
go.uber.org/zap v1.26.0
gomodules.xyz/jsonpatch/v2 v2.4.0
google.golang.org/api v0.147.0
google.golang.org/protobuf v1.32.0
istio.io/api v0.0.0-20200715212100-dbf5277541ef
istio.io/client-go v0.0.0-20201005161859-d8818315d678
k8s.io/api v0.26.4
k8s.io/apimachinery v0.26.4
k8s.io/client-go v0.26.4
k8s.io/code-generator v0.26.4
k8s.io/api v0.27.6
k8s.io/apimachinery v0.27.6
k8s.io/client-go v0.27.6
k8s.io/code-generator v0.27.6
k8s.io/klog v1.0.0
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5
knative.dev/networking v0.0.0-20230511122402-33636d99d870
knative.dev/pkg v0.0.0-20230502134655-db8a35330281
knative.dev/serving v0.37.1
knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
knative.dev/serving v0.39.3
sigs.k8s.io/controller-runtime v0.14.6
sigs.k8s.io/yaml v1.3.0
)

require (
cloud.google.com/go v0.110.2 // indirect
cloud.google.com/go/compute v1.19.3 // indirect
cloud.google.com/go v0.110.8 // indirect
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.0.1 // indirect
cloud.google.com/go/iam v1.1.2 // indirect
contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
Expand All @@ -57,7 +57,7 @@ require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.10.2 // indirect
github.com/evanphx/json-patch v5.6.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/evanphx/json-patch/v5 v5.7.0 // indirect
github.com/go-kit/log v0.2.1 // indirect
github.com/go-logfmt/logfmt v0.6.0 // indirect
github.com/go-logr/zapr v1.2.4 // indirect
Expand All @@ -70,12 +70,12 @@ require (
github.com/google/go-containerregistry v0.15.2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/s2a-go v0.1.3 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
github.com/googleapis/gax-go/v2 v2.8.0 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/hashicorp/golang-lru v1.0.2 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/invopop/yaml v0.2.0 // indirect
Expand All @@ -91,36 +91,38 @@ require (
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/perimeterx/marshmallow v1.1.4 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.15.1 // indirect
github.com/prometheus/client_model v0.4.0 // indirect
github.com/prometheus/common v0.43.0 // indirect
github.com/prometheus/procfs v0.9.0 // indirect
github.com/prometheus/client_golang v1.17.0 // indirect
github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
github.com/prometheus/common v0.44.0 // indirect
github.com/prometheus/procfs v0.11.1 // indirect
github.com/prometheus/statsd_exporter v0.23.1 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.1 // indirect
go.opencensus.io v0.24.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/mod v0.13.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.8.0 // indirect
golang.org/x/sync v0.2.0 // indirect
golang.org/x/oauth2 v0.13.0 // indirect
golang.org/x/sync v0.4.0 // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.8.0 // indirect
golang.org/x/tools v0.14.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
google.golang.org/grpc v1.56.3 // indirect
google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c // indirect
google.golang.org/grpc v1.58.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a // indirect
k8s.io/apiextensions-apiserver v0.26.4 // indirect
k8s.io/component-base v0.26.4 // indirect
k8s.io/apiextensions-apiserver v0.27.6 // indirect
k8s.io/component-base v0.27.6 // indirect
k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
Expand All @@ -129,12 +131,22 @@ require (
)

replace (
// Fixes CVE-2022-21698 and CVE-2023-45142
// this dependency comes from k8s.io/[email protected] and k8s.io/[email protected]
// before removing it make sure that the next version of the related k8s dependencies contains the fix
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0

// The crypto is pulled from go/compute which is pulled by go/storage
// this replace can be removed when version 1.36.1 of go/storage is released.
// https://github.com/googleapis/google-cloud-go/tree/main/storage
// Fixes CVE-2023-48795 - golang.org/x/crypto Authentication Bypass by Capture-replay
golang.org/x/crypto => golang.org/x/crypto v0.17.0

// pin to 0.26.4 to avoid https://github.com/kubernetes-sigs/controller-runtime/issues/2302
k8s.io/api => k8s.io/api v0.26.4
k8s.io/client-go => k8s.io/client-go v0.26.4
k8s.io/code-generator => k8s.io/code-generator v0.26.4

// Fixes github.com/elazarl/goproxy Denial of Service (DoS), the dependency was removed in v0.27.0
// Remove below when upgrading to controller-runtime 0.15.x or apimachinery to 0.27.x
k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
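Review bot: The `replace` block at the end of the file silently overrides most of the k8s bump made higher up: `k8s.io/api`, `k8s.io/client-go` and `k8s.io/code-generator` are pinned back to v0.26.4 and `k8s.io/apimachinery` is pinned to v0.27.0, so the v0.27.6 entries in the `require` block are not what the build resolves (a `replace` in the main module wins over `require`). If the point of this PR is CVE coverage, the apimachinery pin now downgrades from v0.27.6 to v0.27.0, and the comment "Remove below when upgrading ... apimachinery to 0.27.x" is already stale because the require line is 0.27.x; either drop that replace or make it `k8s.io/apimachinery => k8s.io/apimachinery v0.27.6`. For the v0.26.4 pins I would state the effect explicitly so the next auditor does not trust the require block, e.g. `// NOTE: these replaces override the v0.27.6 require entries above; the effective version is v0.26.4`. Whether v0.26.4 of these modules is affected by the advisories this PR targets is not something the diff shows; verify with `govulncheck` against the resolved module graph (`go list -m all`) rather than the require list.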