chore: merge 2.9 into 3.1 #17901
Merged
Fixes a potential exploit where a user can run a bash loop attempting to execute hook tools. If running while another hook is executing, we log an error with the context ID, making it possible for the user to then use that ID in a following call successfully.

In order to prove that we've got a bad context ID error, we have to contrive a scenario, so that when the planets align the right way, we get the correct error message. This involves forcing the run action to wait when it's being processed as a remote execution. Then we can call the Jujuc.Main directly using the socket, which then allows us to execute a bad request. A token generator was added to allow us to bypass the token comparison for remote executions. Once all of this is done, we then collapse the server and allow the action to complete.

---

I believe this is the first time someone has taken the time to execute this code path outside of integration tests. We should execute this path in unit tests more, either by making the runner more composable, or implementing a better test harness.
juju#17792 Fixes TestSeriesTools to pass when running on noble.

```
tools_test.go:160: result, err := tg.Tools(args)
/home/jenkins/go/pkg/mod/go.uber.org/[email protected]/gomock/controller.go:165: h.t.Fatalf(format, args...)
...
Error: Unexpected call to *mocks.MockToolsFinder.FindTools([{2.9.50 -1 -1 amd64 noble }]) at /home/jenkins/go/src/github.com/juju/juju/apiserver/common/tools.go:177 because: expected call at /home/jenkins/go/src/github.com/juju/juju/apiserver/common/tools_test.go:145 doesn't match the argument at index 0.
Got: {2.9.50 -1 -1 amd64 noble } (params.FindToolsParams)
Want: is equal to {2.9.50 -1 -1 amd64 noble } (params.FindToolsParams)
```

## QA steps

Run unit test

## Documentation changes

N/A

## Links

https://jenkins.juju.canonical.com/job/github-make-check-juju/16331/consoleText
…xt-id juju#17788 Fixes a potential exploit where a user can run a bash loop attempting to execute hook tools. If running while another hook is executing, we log an error with the context ID, making it possible for the user to then use that ID in a following call successfully. This means an unprivileged user can access anything available via a hook tool such as config, relation data and secrets.

## QA steps

- Bootstrap and deploy ubuntu.
- In one terminal, run `juju ssh 0`, and be ready to run commands here.
- In another terminal, run `juju run --unit ubuntu/0 -- sleep 10` to invoke a running hook context.
- Back in the SSH terminal, run `JUJU_AGENT_SOCKET_NETWORK=unix JUJU_AGENT_SOCKET_ADDRESS=@/var/lib/juju/agents/unit-ubuntu-0/agent.socket JUJU_CONTEXT_ID=0 /var/lib/juju/tools/unit-ubuntu-0/config-get`.
- The returned error should not indicate the running context ID: `ERROR bad request: wrong context ID; got "0"`

## Links

**Jira card:** [JUJU-6394](https://warthogs.atlassian.net/browse/JUJU-6394)

[JUJU-6394]: https://warthogs.atlassian.net/browse/JUJU-6394?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
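The disclosure juju#17788 closes, modelled in Go as an added example (this is not juju's code; the `Server`, `Request` and `Attack` names, the `leakyErrors` switch and the context ID value are all constructed for illustration). The model puts the leaked ID in the error string handed back to the caller, which is what the QA step above checks; the real fix concerned where the agent reported the ID. The attacker loop guesses a context ID, greps any real ID out of the rejection, and replays it. Against the pre-fix behaviour the replay succeeds; against the hardened check, which echoes only the caller's own value and yields exactly `bad request: wrong context ID; got "0"`, the attacker learns nothing.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sync"
)

// ErrBadContext is what a hook tool gets back when it presents a context ID
// that does not match the hook currently running.
var ErrBadContext = errors.New("bad request: wrong context ID")

// Server models the unit agent's hook-tool endpoint: one hook context is
// active at a time, and only a caller holding its ID may run tools in it.
// Hypothetical simplification for illustration, not juju's jujuc server.
type Server struct {
	mu          sync.Mutex
	activeCtxID string // ID of the running hook context, "" when none is running
	leakyErrors bool   // true: pre-fix behaviour that discloses activeCtxID in the error
}

// Request is what a hook tool such as config-get sends: the JUJU_CONTEXT_ID it
// was launched with and the command it wants to run.
type Request struct {
	ContextID string
	Command   string
}

// Handle checks the caller's context ID before executing the hook tool.
func (s *Server) Handle(req Request) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.activeCtxID == "" {
		return "", errors.New("no hook context running")
	}
	if req.ContextID != s.activeCtxID {
		if s.leakyErrors {
			// Vulnerable: the rejection tells the caller the value it needs.
			return "", fmt.Errorf("%w; got %q, expected %q", ErrBadContext, req.ContextID, s.activeCtxID)
		}
		// Hardened: echo only the value the caller supplied.
		return "", fmt.Errorf("%w; got %q", ErrBadContext, req.ContextID)
	}
	return fmt.Sprintf("%s executed in hook context %s", req.Command, req.ContextID), nil
}

// leakRe is what an attacker's loop would grep for in the error text.
var leakRe = regexp.MustCompile(`expected "([^"]+)"`)

// Attack plays the unprivileged user's bash loop: invoke a hook tool with a
// guessed context ID while a hook is running, harvest any real ID the error
// discloses, and replay it. It returns the tool output and whether it got in.
func Attack(s *Server) (string, bool) {
	probe := Request{ContextID: "0", Command: "config-get"}
	out, err := s.Handle(probe)
	if err == nil {
		return out, true // the guess happened to be right
	}
	m := leakRe.FindStringSubmatch(err.Error())
	if m == nil {
		return "", false // nothing disclosed; the attacker is stuck
	}
	out, err = s.Handle(Request{ContextID: m[1], Command: "config-get"})
	if err != nil {
		return "", false
	}
	return out, true
}

func main() {
	// Constructed context ID; real IDs are generated by the agent.
	for _, leaky := range []bool{true, false} {
		s := &Server{activeCtxID: "unit-ubuntu-0-run-commands-7", leakyErrors: leaky}
		out, ok := Attack(s)
		fmt.Printf("leakyErrors=%v attacker got in=%v output=%q\n", leaky, ok, out)
	}
}
```

The check worth keeping from this is the last one in the test: any error returned across the agent socket to an unauthenticated caller must be compared against the secret it guards, not just against the caller's input.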
juju#17793 Noble runner uses lxd 5.21. Downgrading lxd fails. This removes lxd with purge before installing it. ## QA steps Check lxd upgrade action
juju#17794 Adds govulncheck linting to help with identifying vulnerable imported modules that are used. Updates dependencies to fix:

- [GO-2024-2958](https://pkg.go.dev/vuln/GO-2024-2958)
- [GO-2024-2918](https://pkg.go.dev/vuln/GO-2024-2918)
- [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)

## QA steps

Build. Bootstrap. Deploy.

## Documentation changes

N/A

## Links

https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
juju#17811 chore: increment juju to 2.9.51 The [PR created by the bot](juju#17809) was targeting the wrong branch (2.9-release). This PR simply rebases the commit onto 2.9
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.22.0 to 0.23.0. - [Commits](golang/sys@v0.22.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.19.0 to 0.20.0. - [Commits](golang/mod@v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…ang.org/x/sys-0.23.0 chore(deps): bump golang.org/x/sys from 0.22.0 to 0.23.0
…ang.org/x/mod-0.20.0 chore(deps): bump golang.org/x/mod from 0.19.0 to 0.20.0
Bumps [golang.org/x/time](https://github.com/golang/time) from 0.5.0 to 0.6.0. - [Commits](golang/time@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: golang.org/x/time dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.7.0 to 0.8.0. - [Commits](golang/sync@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…ang.org/x/sync-0.8.0 chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0
…ang.org/x/time-0.6.0 chore(deps): bump golang.org/x/time from 0.5.0 to 0.6.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.27.0 to 0.28.0. - [Commits](golang/net@v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.23.0 to 0.24.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.23.0...v0.24.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…ang.org/x/net-0.28.0 chore(deps): bump golang.org/x/net from 0.27.0 to 0.28.0
…ang.org/x/tools-0.24.0 chore(deps): bump golang.org/x/tools from 0.23.0 to 0.24.0
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.23.0 to 0.24.0. - [Commits](golang/sys@v0.23.0...v0.24.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…ang.org/x/sys-0.24.0 juju#17896 Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.23.0 to 0.24.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/sys/commit/914deed708990c429d263121ee1ef42388e94ba4"><code>914deed</code></a> unix: add missing ETHTOOL_FLAG_ constants</li> <li><a href="https://github.com/golang/sys/commit/4c7077ec60eeb233fdff4640ef2286500c7689a7"><code>4c7077e</code></a> windows: add enums for IpAdapterUnicastAddress</li> <li><a href="https://github.com/golang/sys/commit/29298aaa6a49af9eb63e0c3e6932893034b93051"><code>29298aa</code></a> windows: delete TestGetKeyboardLayout</li> <li>See full diff in <a href="https://github.com/golang/sys/compare/v0.23.0...v0.24.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/sys&package-manager=go_modules&previous-version=0.23.0&new-version=0.24.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Conflicts:
- go.mod
- go.sum
- scripts/win-installer/setup.iss
- snap/snapcraft.yaml
- version/version.go
Vulnerability #1: GO-2024-2947
hpidcock force-pushed the merge-2.9-3.1-20240809 branch from 4b67b47 to 9e2673b on August 9, 2024 11:15
tlm approved these changes on Aug 11, 2024:
lgtm
/merge
jujubot added a commit that referenced this pull request on Aug 12, 2024:
#17903 Forward ports:
- #17792
- #17788
- #17793
- #17794
- #17811
- #17825
- #17867
- #17871
- #17868
- #17870
- #17877
- #17879
- #17896
- #17901

Conflicts:
- .github/workflows/static-analysis.yml
- go.mod
- go.sum
- provider/azure/internal/errorutils/errors_test.go
- scripts/win-installer/setup.iss
- snap/snapcraft.yaml
- version/version.go
jujubot added a commit that referenced this pull request on Aug 12, 2024:
#17904 Forward ports:
- #17756
- #17700
- #17772
- #17747
- #17789
- #17792
- #17788
- #17793
- #17794
- #17811
- #17816
- #17825
- #17826
- #17867
- #17871
- #17868
- #17870
- #17877
- #17879
- #17896
- #17901
- #17903

Conflicts:
- cmd/modelcmd/base.go
- go.sum
- scripts/win-installer/setup.iss
- snap/snapcraft.yaml
- version/version.go
jujubot added a commit that referenced this pull request on Aug 19, 2024:
#17938 Changes:
- Drops v6 Client facade in favour of v8 Client facade (also in 3.6)
- Drops v7 Client facade in favour of v8 Client facade (also in 3.6)

Forward ports:
- #17756
- #17700
- #17772
- #17747
- #17789
- #17792
- #17788
- #17793
- #17794
- #17811
- #17816
- #17825
- #17826
- #17867
- #17871
- #17868
- #17870
- #17769
- #17877
- #17879
- #17836
- #17889
- #17845
- #17896
- #17512
- #17900
- #17891
- #17901
- #17684
- #17903
- #17904
- #17929
- #17930
- #17833
- #17897
- #17806

Conflicts:
- api/agent/fanconfigurer/facade.go
- api/state_test.go
- apiserver/common/tools_test.go
- apiserver/facades/client/client/backend.go
- apiserver/facades/client/client/client.go
- apiserver/facades/client/client/client_test.go
- apiserver/facades/client/client/export_test.go
- apiserver/facades/client/client/register.go
- apiserver/facades/client/client/status.go
- apiserver/facades/client/client/statushistory_test.go
- cmd/juju/backups/download.go
- cmd/juju/model/destroy.go
- core/lxdprofile/name.go
- go.mod
- go.sum
- internal/provider/azure/doc.go
- internal/provider/azure/internal/errorutils/errors_test.go
- internal/proxy/config/fanconfigurer_test.go
- internal/proxy/config/package_mock_test.go
- internal/proxy/config/package_test.go
- internal/worker/instancemutater/mutater.go
- internal/worker/instancemutater/mutater_test.go
- internal/worker/instancemutater/worker_test.go
- internal/worker/peergrouper/worker.go
- internal/worker/provisioner/provisioner_task.go
- internal/worker/uniter/runner/runner.go
- internal/worker/uniter/runner/runner_test.go
- internal/worker/uniter/util_test.go
- snap/snapcraft.yaml
- state/cloudcredentials.go
- state/cloudcredentials_test.go
- state/migration_import.go
- state/migration_import_test.go
- tests/suites/static_analysis/lint_go.sh
- worker/fanconfigurer/fanconfigurer.go
- worker/peergrouper/worker_test.go