Fix CVE-2023-29194 by upgrading vitess to 16.0.2 (#5498)

* Fix CVE-2023-29194 by upgrading vitess to version 16.0.2 * Updage cgmanifest.json with correct version
2023-05-24 10:25:10 +05:30 · 2023-05-24 10:25:10 +05:30 · 4554031158
parent 63aa50411b
commit 4554031158
7 changed files with 14 additions and 271 deletions
--- a/SPECS/vitess/0001-Add-context-to-k8s-calls.patch
+++ b/SPECS/vitess/0001-Add-context-to-k8s-calls.patch
@ -1,83 +0,0 @@
-diff -up vitess-8.0.0/go/vt/topo/k8stopo/client/clientset/versioned/typed/topo/v1beta1/vitesstoponode.go.orig vitess-8.0.0/go/vt/topo/k8stopo/client/clientset/versioned/typed/topo/v1beta1/vitesstoponode.go
--- vitess-8.0.0/go/vt/topo/k8stopo/client/clientset/versioned/typed/topo/v1beta1/vitesstoponode.go.orig	2020-10-27 14:56:23.000000000 +0100
-+++ vitess-8.0.0/go/vt/topo/k8stopo/client/clientset/versioned/typed/topo/v1beta1/vitesstoponode.go	2020-12-27 16:10:25.286537516 +0100
-@@ -19,6 +19,7 @@ limitations under the License.
- package v1beta1
- 
- import (
-+	"context"
- 	"time"
- 
- 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-@@ -70,7 +71,7 @@ func (c *vitessTopoNodes) Get(name strin
- 		Resource("vitesstoponodes").
- 		Name(name).
- 		VersionedParams(&options, scheme.ParameterCodec).
-		Do().
-+		Do(context.TODO()).
- 		Into(result)
- 	return
- }
-@@ -87,7 +88,7 @@ func (c *vitessTopoNodes) List(opts v1.L
- 		Resource("vitesstoponodes").
- 		VersionedParams(&opts, scheme.ParameterCodec).
- 		Timeout(timeout).
-		Do().
-+		Do(context.TODO()).
- 		Into(result)
- 	return
- }
-@@ -104,7 +105,7 @@ func (c *vitessTopoNodes) Watch(opts v1.
- 		Resource("vitesstoponodes").
- 		VersionedParams(&opts, scheme.ParameterCodec).
- 		Timeout(timeout).
-		Watch()
-+		Watch(context.TODO())
- }
- 
- // Create takes the representation of a vitessTopoNode and creates it.  Returns the server's representation of the vitessTopoNode, and an error, if there is any.
-@@ -114,7 +115,7 @@ func (c *vitessTopoNodes) Create(vitessT
- 		Namespace(c.ns).
- 		Resource("vitesstoponodes").
- 		Body(vitessTopoNode).
-		Do().
-+		Do(context.TODO()).
- 		Into(result)
- 	return
- }
-@@ -127,7 +128,7 @@ func (c *vitessTopoNodes) Update(vitessT
- 		Resource("vitesstoponodes").
- 		Name(vitessTopoNode.Name).
- 		Body(vitessTopoNode).
-		Do().
-+		Do(context.TODO()).
- 		Into(result)
- 	return
- }
-@@ -139,7 +140,7 @@ func (c *vitessTopoNodes) Delete(name st
- 		Resource("vitesstoponodes").
- 		Name(name).
- 		Body(options).
-		Do().
-+		Do(context.TODO()).
- 		Error()
- }
- 
-@@ -155,7 +156,7 @@ func (c *vitessTopoNodes) DeleteCollecti
- 		VersionedParams(&listOptions, scheme.ParameterCodec).
- 		Timeout(timeout).
- 		Body(options).
-		Do().
-+		Do(context.TODO()).
- 		Error()
- }
- 
-@@ -168,7 +169,7 @@ func (c *vitessTopoNodes) Patch(name str
- 		SubResource(subresources...).
- 		Name(name).
- 		Body(data).
-		Do().
-+		Do(context.TODO()).
- 		Into(result)
- 	return
- }
--- a/SPECS/vitess/0001-Fix-for-newer-azure-storage-blob.patch
+++ b/SPECS/vitess/0001-Fix-for-newer-azure-storage-blob.patch
@ -1,12 +0,0 @@
-diff -up vitess-8.0.0/go/vt/mysqlctl/azblobbackupstorage/azblob.go.orig2 vitess-8.0.0/go/vt/mysqlctl/azblobbackupstorage/azblob.go
--- vitess-8.0.0/go/vt/mysqlctl/azblobbackupstorage/azblob.go.orig2	2020-10-27 14:56:23.000000000 +0100
-+++ vitess-8.0.0/go/vt/mysqlctl/azblobbackupstorage/azblob.go	2020-12-27 16:25:57.530072333 +0100
-@@ -212,7 +212,7 @@ func (bh *AZBlobBackupHandle) ReadFile(c
- 	}
- 	blobURL := containerURL.NewBlobURL(obj)
- 
-	resp, err := blobURL.Download(ctx, 0, azblob.CountToEnd, azblob.BlobAccessConditions{}, false)
-+	resp, err := blobURL.Download(ctx, 0, azblob.CountToEnd, azblob.BlobAccessConditions{}, false, azblob.ClientProvidedKeyOptions{})
- 	if err != nil {
- 		return nil, err
- 	}
--- a/SPECS/vitess/0001-Fix-unit-test-error.patch
+++ b/SPECS/vitess/0001-Fix-unit-test-error.patch
@ -1,31 +0,0 @@
-From 08038850a258d6de250cf9d864d6118616f5562c Mon Sep 17 00:00:00 2001
-From: zouyu <zouy.fnst@cn.fujitsu.com>
-Date: Tue, 27 Oct 2020 12:00:48 +0800
-Subject: [PATCH] Fix unit test error
-
-Signed-off-by: zouyu <zouy.fnst@cn.fujitsu.com>
---
- go/netutil/netutil_test.go | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/go/netutil/netutil_test.go b/go/netutil/netutil_test.go
-index 193237bec5..d5df468299 100644
--- a/go/netutil/netutil_test.go
-+++ b/go/netutil/netutil_test.go
-@@ -17,6 +17,7 @@ limitations under the License.
- package netutil
- 
- import (
-+	"fmt"
- 	"math/rand"
- 	"net"
- 	"reflect"
-@@ -56,7 +57,7 @@ func testUniformity(t *testing.T, size int, margin float64) {
- 	rand.Seed(1)
- 	data := make([]*net.SRV, size)
- 	for i := 0; i < size; i++ {
-		data[i] = &net.SRV{Target: string('a' + i), Weight: 1}
-+		data[i] = &net.SRV{Target: fmt.Sprintf("%c", 'a'+i), Weight: 1}
- 	}
- 	checkDistribution(t, data, margin)
- }
--- a/SPECS/vitess/update-go-module-version.patch
+++ b/SPECS/vitess/update-go-module-version.patch
@ -1,132 +0,0 @@
-diff --git a/go.mod b/go.mod
-index f1b2d818..a70459c2 100644
--- a/go.mod
-+++ b/go.mod
-@@ -3,9 +3,8 @@ module vitess.io/vitess
- go 1.13
- 
- require (
-	cloud.google.com/go v0.45.1
-	github.com/Azure/azure-storage-blob-go v0.8.0
-	github.com/Azure/go-autorest/autorest v0.10.0 // indirect
-+	cloud.google.com/go/storage v1.6.0
-+	github.com/Azure/azure-storage-blob-go v0.13.0
- 	github.com/GeertJohan/go.rice v1.0.0
- 	github.com/PuerkitoBio/goquery v1.5.1
- 	github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6
-@@ -16,25 +15,22 @@ require (
- 	github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
- 	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
- 	github.com/coreos/bbolt v1.3.2 // indirect
-	github.com/coreos/etcd v3.3.10+incompatible
- 	github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
- 	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
- 	github.com/corpix/uarand v0.1.1 // indirect
- 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
-	github.com/evanphx/json-patch v4.5.0+incompatible
-+	github.com/evanphx/json-patch v4.9.0+incompatible
- 	github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab
- 	github.com/go-sql-driver/mysql v1.5.0
- 	github.com/gogo/protobuf v1.3.1 // indirect
- 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6 // indirect
-	github.com/golang/mock v1.3.1
-	github.com/golang/protobuf v1.3.2
-+	github.com/golang/mock v1.4.1
-+	github.com/golang/protobuf v1.4.3
- 	github.com/golang/snappy v0.0.1
-	github.com/google/go-cmp v0.4.0
-+	github.com/google/go-cmp v0.5.2
- 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/google/uuid v1.1.1
-	github.com/googleapis/gnostic v0.2.0 // indirect
-	github.com/gorilla/websocket v1.4.0
-+	github.com/google/uuid v1.1.2
-+	github.com/gorilla/websocket v1.4.2
- 	github.com/grpc-ecosystem/go-grpc-middleware v1.1.0
- 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
- 	github.com/hashicorp/consul/api v1.5.0
-@@ -50,7 +46,6 @@ require (
- 	github.com/klauspost/compress v1.4.1 // indirect
- 	github.com/klauspost/cpuid v1.2.0 // indirect
- 	github.com/klauspost/pgzip v1.2.4
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
- 	github.com/krishicks/yaml-patch v0.0.10
- 	github.com/magiconair/properties v1.8.1
- 	github.com/martini-contrib/auth v0.0.0-20150219114609-fa62c19b7ae8
-@@ -63,7 +58,6 @@ require (
- 	github.com/mitchellh/mapstructure v1.2.3 // indirect
- 	github.com/montanaflynn/stats v0.6.3
- 	github.com/olekukonko/tablewriter v0.0.5-0.20200416053754-163badb3bac6
-	github.com/onsi/ginkgo v1.10.3 // indirect
- 	github.com/onsi/gomega v1.7.1 // indirect
- 	github.com/opentracing-contrib/go-grpc v0.0.0-20180928155321-4b5a12d3ff02
- 	github.com/opentracing/opentracing-go v1.1.0
-@@ -72,15 +66,15 @@ require (
- 	github.com/pborman/uuid v1.2.0
- 	github.com/philhofer/fwd v1.0.0 // indirect
- 	github.com/pires/go-proxyproto v0.0.0-20191211124218-517ecdf5bb2b
-	github.com/pkg/errors v0.8.1
-	github.com/prometheus/client_golang v1.4.1
-	github.com/prometheus/common v0.9.1
-+	github.com/pkg/errors v0.9.1
-+	github.com/prometheus/client_golang v1.7.1
-+	github.com/prometheus/common v0.10.0
- 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0
- 	github.com/samuel/go-zookeeper v0.0.0-20200724154423-2164a8ac840e
- 	github.com/satori/go.uuid v1.2.0 // indirect
- 	github.com/sjmudd/stopwatch v0.0.0-20170613150411-f380bf8a9be1
- 	github.com/smartystreets/goconvey v1.6.4 // indirect
-	github.com/stretchr/testify v1.4.0
-+	github.com/stretchr/testify v1.6.1
- 	github.com/tchap/go-patricia v0.0.0-20160729071656-dd168db6051b
- 	github.com/tebeka/selenium v0.9.9
- 	github.com/tinylib/msgp v1.1.1 // indirect
-@@ -90,28 +84,30 @@ require (
- 	github.com/uber/jaeger-lib v2.0.0+incompatible // indirect
- 	github.com/ugorji/go v1.1.7 // indirect
- 	github.com/z-division/go-zookeeper v0.0.0-20190128072838-6d7457066b9b
-	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
-	golang.org/x/lint v0.0.0-20190409202823-959b441ac422
-	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-+	go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
-+	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
-+	golang.org/x/lint v0.0.0-20200302205851-738671d3881b
-+	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
-+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
- 	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/text v0.3.2
-	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
-	golang.org/x/tools v0.0.0-20191219041853-979b82bfef62
-	google.golang.org/api v0.9.0
-	google.golang.org/genproto v0.0.0-20190926190326-7ee9db18f195 // indirect
-	google.golang.org/grpc v1.24.0
-+	golang.org/x/text v0.3.4
-+	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
-+	golang.org/x/tools v0.0.0-20200616133436-c1934b75d054
-+	google.golang.org/api v0.20.0
-+	google.golang.org/grpc v1.27.1
- 	gopkg.in/DataDog/dd-trace-go.v1 v1.17.0
- 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
- 	gopkg.in/gcfg.v1 v1.2.3
- 	gopkg.in/ini.v1 v1.51.0 // indirect
- 	gopkg.in/ldap.v2 v2.5.0
- 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gotest.tools v2.2.0+incompatible
-	honnef.co/go/tools v0.0.1-2019.2.3
-	k8s.io/apiextensions-apiserver v0.17.3
-	k8s.io/apimachinery v0.17.3
-	k8s.io/client-go v0.17.3
-	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
-	sigs.k8s.io/yaml v1.1.0
-+	gotest.tools v2.2.0+incompatible // indirect
-+	gotest.tools/v3 v3.0.2
-+	honnef.co/go/tools v0.0.1-2020.1.3
-+	k8s.io/apiextensions-apiserver v0.20.5
-+	k8s.io/apimachinery v0.20.5
-+	k8s.io/client-go v0.20.5
-+	k8s.io/klog v0.3.0 // indirect
-+	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
-+	sigs.k8s.io/yaml v1.2.0
- )
--- a/SPECS/vitess/vitess.signatures.json
+++ b/SPECS/vitess/vitess.signatures.json
@ -1,6 +1,6 @@
 {
 "Signatures": {
-  "vitess-8.0.0-vendor.tar.gz": "888c1449ed82c8487d266cfb4a8af39cf759b76f0657c295e3a55a2f91856154",
-  "vitess-8.0.0.tar.gz": "c47320b9bcb874b1a6dfca78ec677be7c4bb4c7b2a6470df80bd1bc0ad125e92"
+  "vitess-16.0.2-vendor.tar.gz": "86cb3d667cef20d65bd122d47f71271a3cb7163a1e474dd1feba17674435ce2e",
+  "vitess-16.0.2.tar.gz": "89328d683f2694de4ada21c7a815d396a853ad45d39607aca467996678b69e0c"
 }
 }
--- a/SPECS/vitess/vitess.spec
+++ b/SPECS/vitess/vitess.spec
@ -2,8 +2,8 @@
 %bcond_without check

 Name:           vitess
-Version:        8.0.0
-Release:        12%{?dist}
+Version:        16.0.2
+Release:        1%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@ -26,13 +26,6 @@ Source0:        %{name}-%{version}.tar.gz
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1:        %{name}-%{version}-vendor.tar.gz 
-# To use with newer k8s
-Patch0:         0001-Add-context-to-k8s-calls.patch
-# To use with newer azure-storage-blob
-Patch1:         0001-Fix-for-newer-azure-storage-blob.patch
-# Fix unit test error
-Patch2:         0001-Fix-unit-test-error.patch
-Patch3:         update-go-module-version.patch
 BuildRequires: golang

 %description
@ -66,6 +59,10 @@ tar -xf %{SOURCE1} --no-same-owner
 export VERSION=%{version}

 for cmd in $(find go/cmd/* -maxdepth 0 -type d); do
+  # Skip internal directory
+  if [ "$cmd" == "go/cmd/internal" ]; then
+    continue
+  fi
  go build -buildmode pie -compiler gc '-tags=rpm_crashtraceback ' \
           -ldflags "-X vitess.io/vitess/version=$VERSION -extldflags -Wl,-z,relro" \
           -mod=vendor -v -a -x -o ./bin/$(basename $cmd) ./$cmd
@ -107,6 +104,10 @@ go check -t go/cmd \
 %{_bindir}/*

 %changelog
+* Fri May 12 2023 Bala <balakumaran.kannan@microsoft.com> - 16.0.2-1
+- Update to 16.0.2 to fix CVE-2023-29194
+- Remove all the patches are they are merged with latest version
+
 * Wed Apr 05 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 8.0.0-12
 - Bump release to rebuild with go 1.19.8

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -29077,8 +29077,8 @@
        "type": "other",
        "other": {
          "name": "vitess",
-          "version": "8.0.0",
-          "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v8.0.0.tar.gz"
+          "version": "16.0.2",
+          "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v16.0.2.tar.gz"
        }
      }
    },