etcd-io / etcd

Distributed reliable key-value store for the most critical data of a distributed system
https://etcd.io
Apache License 2.0

Resolve: PRISMA-2023-0056 #17268

Closed dhamahes closed 6 months ago

dhamahes commented 10 months ago

Bug report criteria

What happened?

As per the vulnerability scan, our product requires the package logrus to be updated from version 1.7.0 to version 1.9.3.

What did you expect to happen?

We would like to know when the next release of etcd with an updated version of logrus will be.

How can we reproduce it (as minimally and precisely as possible)?

Please check the version of the logrus package in the current etcd.

Anything else we need to know?

No response

Etcd version (please run commands below)

```console
$ etcd --version
# go version -m etcd | grep etcd
etcd: go1.20.12
	path	go.etcd.io/etcd/server/v3
	mod	go.etcd.io/etcd/server/v3	(devel)
	dep	go.etcd.io/bbolt	v1.3.8	h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
	dep	go.etcd.io/etcd/api/v3	v3.5.11
	dep	go.etcd.io/etcd/client/pkg/v3	v3.5.11
	dep	go.etcd.io/etcd/client/v2	v2.305.11
	dep	go.etcd.io/etcd/client/v3	v3.5.11
	dep	go.etcd.io/etcd/pkg/v3	v3.5.11
	dep	go.etcd.io/etcd/raft/v3	v3.5.11

$ etcdctl version
# paste output here
go version -m etcdctl | grep etcdctl
etcdctl: go1.20.12
	path	go.etcd.io/etcd/etcdctl/v3
	mod	go.etcd.io/etcd/etcdctl/v3
```

Etcd configuration (command line flags or environment variables)

# paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

```console
$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<endpoint> endpoint status -w table
# paste output here
```

Relevant log output

```console
$ go version -m etcd | grep logrus
	dep	github.com/sirupsen/logrus	v1.7.0	h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
```

ahrtr commented 10 months ago

cc @jmhbnz

jmhbnz commented 10 months ago

Here is the current state for logrus for main:

```console
$ grep -Ri "github.com/sirupsen/logrus v" | grep -v sum | grep "mod"
tests/go.mod:   github.com/sirupsen/logrus v1.8.1 // indirect
server/go.mod:  github.com/sirupsen/logrus v1.8.1 // indirect
tools/mod/go.mod:       github.com/sirupsen/logrus v1.9.3 // indirect
go.mod: github.com/sirupsen/logrus v1.8.1 // indirect
```

It's an indirect dependency; a quick `go mod why` for server shows:

```console
$ cd server && go mod why github.com/sirupsen/logrus
# github.com/sirupsen/logrus
go.etcd.io/etcd/server/v3/embed
github.com/tmc/grpc-websocket-proxy/wsproxy
github.com/sirupsen/logrus
```

So the actual problematic dependency is github.com/tmc/grpc-websocket-proxy, which is a direct dependency for server. Taking a look at https://github.com/tmc/grpc-websocket-proxy, it looks like it is no longer maintained.

Additionally reviewing the fork tree I can't find anything more recently maintained which depends on logrus above 1.9.0. We may need to create our own fork to resolve this?
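A check of the kind this comment walks through, as an added example that is not etcd's own tooling: it reads the module list a Go binary embeds (the `go version -m` layout shown earlier in the issue) and reports whether a named dependency meets a minimum version, so the same scan finding can be reproduced against any build artifact without a third-party scanner. The sample module list is constructed (placeholder hashes, versions taken from the issue), and the `sample_modules`, `vercmp` and `check_dep` names are the example's own.

```shell
#!/bin/sh
# Added example, not part of etcd: verify a Go binary's embedded dependency
# versions against a minimum. Real use pipes `go version -m <binary>` into
# check_dep; the sample_modules function below stands in for that output.

# vercmp A B: return 0 when A >= B, 1 otherwise. Compares major.minor.patch
# numerically after dropping a leading "v" and any -prerelease/+build suffix.
vercmp() {
  a=${1#v}; a=${a%%[-+]*}
  b=${2#v}; b=${b%%[-+]*}
  set -- $(echo "$a" | tr . ' '); a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $(echo "$b" | tr . ' '); b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
    x=${pair%%:*}; y=${pair#*:}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# check_dep MODULE MINVER: reads `go version -m` output on stdin.
# Exit 0 = present and >= MINVER, 1 = present but older, 2 = not found.
check_dep() {
  found=$(awk -v m="$1" '$1 == "dep" && $2 == m { print $3; exit }')
  if [ -z "$found" ]; then
    echo "$1: not present in module list"
    return 2
  fi
  if vercmp "$found" "$2"; then
    echo "$1 $found: OK (>= $2)"
    return 0
  fi
  echo "$1 $found: OUTDATED (need >= $2)"
  return 1
}

# Constructed sample in the `go version -m` layout; hashes are placeholders,
# the logrus and bbolt versions are the ones reported in this issue.
sample_modules() {
  printf 'etcd: go1.20.12\n'
  printf '\tpath\tgo.etcd.io/etcd/server/v3\n'
  printf '\tmod\tgo.etcd.io/etcd/server/v3\t(devel)\n'
  printf '\tdep\tgo.etcd.io/bbolt\tv1.3.8\th1:PLACEHOLDER\n'
  printf '\tdep\tgithub.com/sirupsen/logrus\tv1.7.0\th1:PLACEHOLDER\n'
}

# Stand-alone run on the sample: the logrus line is reported OUTDATED because
# v1.7.0 < v1.9.3, which is the finding that opened this issue.
sample_modules | check_dep github.com/sirupsen/logrus v1.9.3 || true
sample_modules | check_dep go.etcd.io/bbolt v1.3.8
```

Against a real build the invocation is `go version -m /path/to/etcd | check_dep github.com/sirupsen/logrus v1.9.3`; because the module list is embedded in the binary, this checks what actually shipped rather than what go.mod declares, which matters for indirect dependencies like the one traced above.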

ahrtr commented 10 months ago

Thanks for the investigation. Proposals:

vivekpatani commented 10 months ago

@jmhbnz I can take a look at this.

ahrtr commented 9 months ago

@vivekpatani any update on this? thx

vivekpatani commented 9 months ago

Sorry @ahrtr got sidetracked with other things, I will investigate this and reply before the end of this week.

vivekpatani commented 9 months ago

Does this patch need to be back ported to 3.5 and 3.4? @ahrtr @jmhbnz

jmhbnz commented 9 months ago

> Does this patch need to be back ported to 3.5 and 3.4? @ahrtr @jmhbnz

In my opinion yes, we need to get it into a stable release branch to actually address the vulnerability.

ahrtr commented 9 months ago

YES, we need to backport to both 3.5 and 3.4.

vivekpatani commented 8 months ago

@ahrtr @jmhbnz for release-3.5 - https://github.com/etcd-io/etcd/pull/17482

ahrtr commented 8 months ago

> @ahrtr @jmhbnz for release-3.5 - #17482

thx, merged.

dhamahes commented 8 months ago

Could you please share the release date of this fix?

ahrtr commented 8 months ago

Could anyone bump the dependency for 3.4 as well? Thanks

vivekpatani commented 8 months ago

@ahrtr https://github.com/etcd-io/etcd/issues/17268 - for 3.4

ahrtr commented 8 months ago

> @ahrtr #17268 - for 3.4

Thanks for https://github.com/etcd-io/etcd/pull/17580

ahrtr commented 8 months ago

Please also update the changelog for both 3.4 and 3.5.

dhamahes commented 8 months ago

May I know the release date and the version in which this issue will be fixed? We have a due date to update the version by March 26, 2024. We would be grateful to know the timeline so that we can take the necessary steps from our end. Thanks.

ahrtr commented 8 months ago

The fix will be included in 3.4.31 and 3.5.13.

Based on Patch release criteria, we will try to release them asap.

ivanvc commented 7 months ago

Hi, this dependency update was indeed released on 3.4.31/3.5.13. However, we never got the update to the CHANGELOG. I believe that's the only thing remaining to close this issue.

@vivekpatani, could you help with this? Or should I do the update?

vivekpatani commented 7 months ago

@ivanvc sorry for missing this, I'll add it to the CHANGELOG today.

ahrtr commented 7 months ago

@vivekpatani please raise a PR to fix the 3.5.13 (and 3.4.31?) changelog. Thanks.

ivanvc commented 6 months ago

Closing as there are no outstanding tasks for this issue.