Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch keda for CVE-2024-45338 #11743

Merged
merged 7 commits into from
Jan 14, 2025
Merged

Patch keda for CVE-2024-45338 #11743

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
28ac90a
keda: Add patch for CVE-2024-45338
Sumynwa Jan 2, 2025
47b8d8c
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 7, 2025
7a159a0
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 9, 2025
51f2c49
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 10, 2025
d7aa726
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 10, 2025
2d48d4d
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 10, 2025
2283918
Merge branch 'fasttrack/2.0' into sumsharma/2_0_keda-CVE-2024-45338
jslobodzian Jan 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions SPECS/keda/CVE-2024-45338.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1
7 changes: 5 additions & 2 deletions SPECS/keda/keda.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: Kubernetes-based Event Driven Autoscaling
Name: keda
Version: 2.4.0
Release: 24%{?dist}
Release: 25%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -33,7 +33,7 @@ Patch1: CVE-2023-44487.patch
Patch2: CVE-2021-44716.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-6104.patch

Patch5: CVE-2024-45338.patch

BuildRequires: golang

Expand Down Expand Up @@ -69,6 +69,9 @@ cp ./bin/keda-adapter %{buildroot}%{_bindir}
%{_bindir}/%{name}-adapter

%changelog
* Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 2.4.0-25
- Add patch for CVE-2024-45338.

* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.4.0-24
- Bump release to rebuild with go 1.22.7

Expand Down
Loading