@mkoushni mkoushni commented Dec 8, 2025

Related: #781 (part 1,2)

This commit updates the necessary Go dependencies in the go.mod and go.sum files to patch a critical denial-of-service vulnerability affecting HTTP/2 endpoints.

Vulnerability: HTTP/2 Header Flooding (Resource Consumption DoS)

Component: components/tensorboard-controller

Updated dependencies:
golang.org/x/net → v0.47.0 (Reason: Fixes GHSA-4374-p667-p6c8, GHSA-4v7x-pqxf-cx7m, etc.)
golang.org/x/crypto → v0.45.0 (Reason: Fixes GHSA-v778-237x-gjrc, GHSA-45x7-px36-x8w8, etc.)

Additional updates:
golang.org/x/sys v0.38.0
golang.org/x/term v0.37.0
golang.org/x/text v0.31.0

The changes are contained entirely within the dependency manifest files: go.mod and go.sum.

Verification:
go mod tidy: passed
make build and make docker-build: passed
tensorboard controller workflows: passed (the successful compilation and build of the Tensorboard Controller with these updated dependencies confirms that the fix has been successfully integrated)
notebooks-v1 deployment + volume and tensorboard creation (for testing): passed

Trivy checks:
Report Summary

┌────────┬───────┬─────────────────┬─────────┐
│ Target │ Type  │ Vulnerabilities │ Secrets │
├────────┼───────┼─────────────────┼─────────┤
│ go.mod │ gomod │        3        │    -    │
└────────┴───────┴─────────────────┴─────────┘

@github-project-automation github-project-automation bot moved this to Needs Triage in Kubeflow Notebooks Dec 8, 2025
@mkoushni mkoushni changed the base branch from main to notebooks-v1 December 8, 2025 15:33
@google-oss-prow google-oss-prow bot added size/M and removed size/XXL labels Dec 8, 2025
@mkoushni mkoushni changed the title CVE 2023 45288 [TASK] [Security] Fix Vulnerabilities in Tensorboard Controller (v1.11 Release) PR1 Dec 8, 2025
@google-oss-prow google-oss-prow bot added area/controller area - related to controller components area/v1 area - version - kubeflow notebooks v1 labels Dec 8, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mkoushni mkoushni changed the title [TASK] [Security] Fix Vulnerabilities in Tensorboard Controller (v1.11 Release) PR1 feat: [TASK] [Security] Fix Vulnerabilities in Tensorboard Controller (v1.11 Release) PR1 Dec 8, 2025
@mkoushni mkoushni marked this pull request as ready for review December 8, 2025 16:01

liavweiss commented Dec 8, 2025

Hey Marina, thank you for the PR. I reviewed it briefly and noticed a few things I want to clarify before diving deeper:

1. Regarding golang.org/x/net:
   In the task, I mentioned that the required fixed version for all vulnerabilities is v0.38.0.
   In your changes, only 1 out of the 3 vulnerabilities will be fixed.
   For example:

Package: golang.org/x/net
Installed Version: v0.17.0
Vulnerability CVE-2025-22870
Severity: MEDIUM
Fixed Version: 0.36.0

and

Package: golang.org/x/net
Installed Version: v0.17.0
Vulnerability CVE-2025-22872
Severity: MEDIUM
Fixed Version: 0.38.0

Please make sure the dependency is updated to v0.38.0 so all vulnerabilities are resolved.

2. Regarding golang.org/x/crypto:
   In the task, I mentioned that the required fixed version for all vulnerabilities is v0.45.0.
   Here as well, your changes only address 1 out of the 3 vulnerabilities.

Package: golang.org/x/crypto
Installed Version: v0.14.0
Vulnerability CVE-2025-47914
Severity: MEDIUM
Fixed Version: 0.45.0

and

Package: golang.org/x/crypto
Installed Version: v0.14.0
Vulnerability CVE-2025-58181
Severity: MEDIUM
Fixed Version: 0.45.0

Please update the dependency to v0.45.0 so all vulnerabilities are covered.

3. Your DCO check is failing because one of the commits is not properly signed off. Please update the commit with the correct Signed-off-by line and push again.

Related: #781
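The check the reviewer is doing by hand above (comparing each module's required version in go.mod against the minimum fixed version of every advisory that affects it) is easy to automate. The following is an added example, not code from the Kubeflow Notebooks project: it parses a constructed go.mod fragment (the pre-update versions quoted in the review), compares them with a small semver comparison, and lists the advisories that remain unfixed. The advisory IDs and fixed versions are the ones quoted in the comment; the module path `example.com/tensorboard-controller` and the `golang.org/x/sys` line are placeholders. It generalizes to any number of modules and advisories.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragment (not the project's real file) with the
// "Installed Version" values quoted by the reviewer.
const sampleGoMod = `module example.com/tensorboard-controller

go 1.22

require (
	golang.org/x/crypto v0.14.0 // indirect
	golang.org/x/net v0.17.0
	golang.org/x/sys v0.13.0
)
`

// Advisory records the minimum fixed version for one vulnerability.
type Advisory struct {
	ID     string
	Module string
	Fixed  string
}

// Advisories as quoted in the review comment (fixed versions given there
// without the "v" prefix; CompareSemver tolerates either form).
var advisories = []Advisory{
	{"CVE-2025-22870", "golang.org/x/net", "v0.36.0"},
	{"CVE-2025-22872", "golang.org/x/net", "v0.38.0"},
	{"CVE-2025-47914", "golang.org/x/crypto", "v0.45.0"},
	{"CVE-2025-58181", "golang.org/x/crypto", "v0.45.0"},
}

// ParseRequires maps module path -> required version from go.mod text.
// Handles both "require m v" and the parenthesised block form; trailing
// comments such as "// indirect" are stripped.
func ParseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				out[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				out[f[1]] = f[2]
			}
		}
	}
	return out
}

// semverParts turns "v0.47.0" (or "0.47.0", "v0.47.0-rc1") into [0 47 0].
func semverParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // ignore pre-release/build metadata
	}
	var p [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		p[i], _ = strconv.Atoi(s)
	}
	return p
}

// CompareSemver returns -1, 0 or 1 comparing MAJOR.MINOR.PATCH numerically.
func CompareSemver(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// Unfixed returns the advisories whose module is required below its fix.
func Unfixed(reqs map[string]string, advs []Advisory) []Advisory {
	var out []Advisory
	for _, a := range advs {
		if have, ok := reqs[a.Module]; ok && CompareSemver(have, a.Fixed) < 0 {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	reqs := ParseRequires(sampleGoMod)
	for _, a := range Unfixed(reqs, advisories) {
		fmt.Printf("%s: %s at %s, needs >= %s\n", a.ID, a.Module, reqs[a.Module], a.Fixed)
	}
}
```

Run against the real go.mod by replacing `sampleGoMod` with the file contents; an empty result means every listed advisory is covered at the required version, which is the condition the reviewer asks for in points 1 and 2.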

@mkoushni mkoushni force-pushed the CVE-2023-45288 branch 2 times, most recently from ede9baf to 4d20627 Compare December 10, 2025 10:41