ubuntu-public-cloud team mailing list archive
Message #00244
[Bug 2126660] Re: [FFe] Please update to 20250701.00
`google-osconfig-agent` doesn't seem to be seeded, and has no
reverse-depends, so I'd tend to say go ahead.
Please wait for a release-team member to actually approve, but given the
timing, I'd say that if you have a sponsor already ready to upload, go
ahead, and it will sit in the queue anyway. Please make sure to mention
this bug in the changelog for easier review by release-team members.
Question though: why not go through the security process, instead of the
SRU one, if there really is a CVE affecting JJ/NN/PP that is urgent?
--
You received this bug notification because you are a member of Ubuntu
Public Cloud, which is subscribed to google-osconfig-agent in Ubuntu.
https://bugs.launchpad.net/bugs/2126660
Title:
[FFe] Please update to 20250701.00
Status in google-osconfig-agent package in Ubuntu:
New
Bug description:
Google have requested we update `google-osconfig-agent` to upstream
version 20250701.00 [0] as a matter of urgency to correct
CVE-2024-24790 [1] which is present in the versions in PP/NN and JJ.
The new version requested at 20250701.00 updates the Golang version
from `1.22.7` to `1.24.0` and introduces `toolchain go1.24.2`.
There is also new functionality present in this update that the VM
Manager team would like expedited. Between the security vulnerability,
the specific request from Google and the fact that this package is not
seeded, I felt it was appropriate to raise an FFe so there is not the
delay between 25.10 QQ closing and 26.04 RR opening (and I can try and
expedite the SRUs to PP/NN and JJ).
This update will supersede the SRU in LP: #2113875 (that hasn't
reached `-proposed` yet for the non-devel releases).
[Impact]
This package is provided by Google for installation within guests that
run on Google Compute Engine. It is part of a collection of tools and
daemons that ensure the Ubuntu images published to GCE run
properly on their platform.
Cloud platforms evolve at a rate that can't be handled in six-month
increments, and they will often develop features that they would like
to be available to customers who don't want to upgrade from earlier
Ubuntu releases. As such, updating this package to more recent
upstream releases is required within all Ubuntu releases, so they
continue to function properly in the GCP environment.
[Test Case]
I have already done testing with the version proposed
(`20250701.00-0ubuntu1`) from a PPA [2] - the custom image passed both
our CPC internal validation (CTF) and Google's own testing (CIT [3]). I
can share these test results on request if needed!
[Vendored Dependencies]
```
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
module github.com/GoogleCloudPlatform/osconfig
-go 1.22.7
+go 1.24.0
+
+toolchain go1.24.2
require (
cloud.google.com/go/compute/metadata v0.6.0
@@ -12,16 +14,18 @@ require (
github.com/go-ole/go-ole v1.3.0
github.com/golang/mock v1.6.0
github.com/google/go-cmp v0.7.0
+ github.com/google/osv-scalibr v0.2.0
+ github.com/kr/pretty v0.3.1
github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07
github.com/ulikunitz/xz v0.5.12
- golang.org/x/crypto v0.32.0
+ golang.org/x/crypto v0.38.0
golang.org/x/oauth2 v0.24.0
- golang.org/x/sys v0.30.0
+ golang.org/x/sys v0.33.0
google.golang.org/api v0.214.0
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697
google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576
- google.golang.org/grpc v1.68.0
- google.golang.org/protobuf v1.36.3
+ google.golang.org/grpc v1.70.0
+ google.golang.org/protobuf v1.36.5
)
require (
@@ -33,28 +37,98 @@ require (
cloud.google.com/go/logging v1.13.0 // indirect
cloud.google.com/go/longrunning v0.6.3 // indirect
cloud.google.com/go/monitoring v1.21.2 // indirect
+ deps.dev/api/v3 v3.0.0-20250307021655-d811e36f9cad // indirect
+ deps.dev/util/maven v0.0.0-20250307021655-d811e36f9cad // indirect
+ deps.dev/util/pypi v0.0.0-20250307021655-d811e36f9cad // indirect
+ deps.dev/util/resolve v0.0.0-20250310223405-f4cf91c9e684 // indirect
+ deps.dev/util/semver v0.0.0-20250307021655-d811e36f9cad // indirect
+ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+ github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+ github.com/BurntSushi/toml v1.3.2 // indirect
+ github.com/CycloneDX/cyclonedx-go v0.9.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
- github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
+ github.com/Microsoft/go-winio v0.6.2 // indirect
+ github.com/Microsoft/hcsshim v0.11.7 // indirect
+ github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
- github.com/envoyproxy/go-control-plane v0.13.1 // indirect
+ github.com/containerd/cgroups v1.1.0 // indirect
+ github.com/containerd/containerd v1.7.27 // indirect
+ github.com/containerd/containerd/api v1.8.0 // indirect
+ github.com/containerd/continuity v0.4.4 // indirect
+ github.com/containerd/errdefs v0.3.0 // indirect
+ github.com/containerd/fifo v1.1.0 // indirect
+ github.com/containerd/log v0.1.0 // indirect
+ github.com/containerd/platforms v0.2.1 // indirect
+ github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+ github.com/containerd/ttrpc v1.2.7 // indirect
+ github.com/containerd/typeurl/v2 v2.1.1 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect
+ github.com/distribution/reference v0.6.0 // indirect
+ github.com/docker/cli v25.0.3+incompatible // indirect
+ github.com/docker/distribution v2.8.3+incompatible // indirect
+ github.com/docker/docker v25.0.6+incompatible // indirect
+ github.com/docker/docker-credential-helpers v0.8.1 // indirect
+ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+ github.com/edsrzf/mmap-go v1.1.0 // indirect
+ github.com/envoyproxy/go-control-plane/envoy v1.32.3 // indirect
+ github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+ github.com/erikvarga/go-rpmdb v0.0.0-20240208180226-b97e041ef9af // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
+ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+ github.com/go-git/go-billy/v5 v5.6.2 // indirect
+ github.com/go-git/go-git/v5 v5.14.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
+ github.com/gobwas/glob v0.2.3 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/glog v1.2.4 // indirect
+ github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/golang/protobuf v1.5.4 // indirect
+ github.com/google/go-containerregistry v0.19.1 // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.14.0 // indirect
+ github.com/groob/plist v0.1.1 // indirect
+ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/julienschmidt/httprouter v1.3.0 // indirect
+ github.com/klauspost/compress v1.17.7 // indirect
+ github.com/kr/text v0.2.0 // indirect
+ github.com/mattn/go-sqlite3 v1.14.28 // indirect
+ github.com/mitchellh/go-homedir v1.1.0 // indirect
+ github.com/moby/locker v1.0.1 // indirect
+ github.com/moby/sys/mountinfo v0.6.2 // indirect
+ github.com/moby/sys/sequential v0.5.0 // indirect
+ github.com/moby/sys/signal v0.7.0 // indirect
+ github.com/moby/sys/user v0.3.0 // indirect
+ github.com/moby/sys/userns v0.1.0 // indirect
+ github.com/opencontainers/go-digest v1.0.0 // indirect
+ github.com/opencontainers/image-spec v1.1.0 // indirect
+ github.com/opencontainers/runtime-spec v1.1.0 // indirect
+ github.com/opencontainers/selinux v1.11.0 // indirect
+ github.com/package-url/packageurl-go v0.1.2 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ github.com/rogpeppe/go-internal v1.14.1 // indirect
+ github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect
+ github.com/saferwall/pe v1.5.6 // indirect
+ github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
+ github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
+ github.com/spdx/tools-golang v0.5.3 // indirect
+ github.com/tidwall/gjson v1.18.0 // indirect
+ github.com/tidwall/jsonc v0.3.2 // indirect
+ github.com/tidwall/match v1.1.1 // indirect
+ github.com/tidwall/pretty v1.2.0 // indirect
+ github.com/vbatts/tar-split v0.11.5 // indirect
go.chromium.org/luci v0.0.0-20201204084249-3e81ee3e83fe // indirect
+ go.etcd.io/bbolt v1.3.10 // indirect
+ go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 // indirect
@@ -64,10 +138,18 @@ require (
go.opentelemetry.io/otel/sdk v1.35.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
- golang.org/x/net v0.34.0 // indirect
- golang.org/x/sync v0.10.0 // indirect
- golang.org/x/text v0.21.0 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+ golang.org/x/mod v0.21.0 // indirect
+ golang.org/x/net v0.40.0 // indirect
+ golang.org/x/sync v0.14.0 // indirect
+ golang.org/x/text v0.25.0 // indirect
golang.org/x/time v0.9.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
- google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect
+ golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect
+ gopkg.in/ini.v1 v1.67.0 // indirect
+ gopkg.in/warnings.v0 v0.1.2 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
+ www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09 // indirect
)
```
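Review bot: the `toolchain go1.24.2` directive in the first hunk (`@@ -1,6 +1,8 @@`) makes `go` try to download that toolchain when the build machine's Go is older and GOTOOLCHAIN is not `local`; for a network-isolated package build, confirm that GOTOOLCHAIN=local is set and that the build uses the golang-1.24 shown by rmadison (plucky's 1.24.2-1 satisfies both `go 1.24.0` and the toolchain line; a 1.22 toolchain would fail on the `go 1.24.0` requirement).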
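Review bot: in the second hunk (`@@ -12,16 +14,18 @@`), `github.com/kr/pretty v0.3.1` is added as a direct (non-indirect) requirement; it is a debugging pretty-printer normally used only in tests, so check whether non-test code actually imports it or whether it belongs in the indirect block, since every direct requirement is more vendored code to track. Also, the bug description attributes the CVE-2024-24790 fix to the Go version change rather than to the `golang.org/x/crypto`, `grpc` and `protobuf` bumps in this hunk, so the changelog should state explicitly which Go toolchain the package is built with.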
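Review bot: the third hunk (`@@ -33,28 +37,98 @@`) adds roughly seventy indirect modules pulled in via `github.com/google/osv-scalibr`, including the cgo-backed `github.com/mattn/go-sqlite3 v1.14.28` and container-runtime code such as `github.com/containerd/containerd v1.7.27` and `github.com/docker/docker v25.0.6+incompatible`. Two things to verify before upload: that the vendored tree builds with the cgo settings the packaging uses (go-sqlite3 needs a C compiler and sqlite headers if its code path is compiled in), and that debian/copyright is updated for each newly vendored module, because each one is now a component whose future CVEs this package carries in every supported series.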
Golang 1.24 is present in `questing` and `plucky`:
```
$ rmadison golang-1.24
golang-1.24 | 1.24.2-1 | plucky | source, all
golang-1.24 | 1.24.4-1ubuntu1~25.04.1 | plucky-proposed | source, all
golang-1.24 | 1.24.4-1ubuntu1 | questing | source, all
```
This would normally cause an issue for a future SRU, but fortunately we now completely vendor the Go dependencies.
[Other Information]
This bug is used for tracking of releasing the new upstream version
for all supported series, as per the approved policy mentioned in the
following MRE:
https://wiki.ubuntu.com/google-osconfig-agent-Updates
This package is only used on AMD64 and ARM64 but it is built for all
available architectures.
[Refs]
[0]: https://github.com/GoogleCloudPlatform/osconfig/releases/tag/20250701.00
[1]: https://nvd.nist.gov/vuln/detail/cve-2024-24790
[2]: https://launchpad.net/~kajiya/+archive/ubuntu/kajiya-google-osconfig-agent/+packages?field.name_filter=&field.status_filter=published&field.series_filter=questing
[3]: https://github.com/GoogleCloudPlatform/cloud-image-tests
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/2126660/+subscriptions
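Reviewing a vendored-dependency update like the go.mod diff in this bug means answering four questions quickly: which modules are new (and which of those are direct), which were dropped, which were bumped, and whether anything was silently downgraded. The script below is an added example for that review step; it is not code from the bug report or from the osconfig project. It parses the `-`/`+` lines of a unified go.mod diff, compares versions with Go's ordering (pseudo-versions and pre-releases sort below the plain release with the same base, `+incompatible` is ignored) and prints a summary. The sample diff embedded at the bottom is constructed for the example, with a deliberate downgrade of `golang.org/x/text` so that the check has something to flag.

```python
"""Summarise what a unified diff of go.mod changes: added, removed, bumped
and downgraded modules, plus the go directive.

Added example for reviewing vendored-dependency updates; not code from the
osconfig project or the bug report. Regular expressions assume the usual
go.mod layout of one "module-path version [// indirect]" per line.
"""
import re

# "+\tgithub.com/foo/bar v1.2.3 // indirect" or "-\tgolang.org/x/net v0.34.0"
REQ_RE = re.compile(r"^([+-])\s*(\S+)\s+(v\S+)(\s*//\s*indirect)?\s*$")
# "-go 1.22.7" / "+go 1.24.0"
GO_RE = re.compile(r"^([+-])go\s+(\S+)\s*$")


def version_key(ver):
    """Sort key for Go module versions.

    Numeric base first, then a flag so that a plain release sorts above a
    pre-release or pseudo-version with the same base (v1.5.1 > v1.5.1-0.2023...),
    then the pre-release suffix itself (timestamp-hash for pseudo-versions).
    A '+incompatible' build suffix does not affect ordering.
    """
    core = ver.lstrip("v").split("+", 1)[0]
    base, _, suffix = core.partition("-")
    return tuple(int(p) for p in base.split(".")), suffix == "", suffix


def parse_gomod_diff(diff_text):
    """Return (before, after, go_before, go_after).

    The dicts map module path -> (version, is_indirect) and contain only the
    modules that appear on changed lines; unchanged context lines are skipped
    because they are identical on both sides.
    """
    before, after = {}, {}
    go_before = go_after = None
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++", "@@")):
            continue
        g = GO_RE.match(line)
        if g:
            if g.group(1) == "-":
                go_before = g.group(2)
            else:
                go_after = g.group(2)
            continue
        m = REQ_RE.match(line)
        if not m:
            continue  # "toolchain", "require (", ")" and blank +/- lines
        sign, module, version, indirect = m.groups()
        (before if sign == "-" else after)[module] = (version, bool(indirect))
    return before, after, go_before, go_after


def summarize(diff_text):
    """Classify every module touched by the diff."""
    before, after, go_before, go_after = parse_gomod_diff(diff_text)
    common = before.keys() & after.keys()
    new = after.keys() - before.keys()
    return {
        "go": (go_before, go_after),
        "added": sorted(new),
        "new_direct": sorted(m for m in new if not after[m][1]),
        "removed": sorted(before.keys() - after.keys()),
        "bumped": sorted(m for m in common
                         if version_key(after[m][0]) > version_key(before[m][0])),
        "downgraded": sorted(m for m in common
                             if version_key(after[m][0]) < version_key(before[m][0])),
    }


# Constructed sample diff (not the real osconfig go.mod): shape mirrors a
# real go.mod diff, with an intentional downgrade of golang.org/x/text.
SAMPLE_DIFF = """\
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,6 @@
 module example.com/agent
-go 1.22.7
+go 1.24.0
+
+toolchain go1.24.2
 require (
+\tgithub.com/example/scanner v0.2.0
-\tgolang.org/x/crypto v0.32.0
+\tgolang.org/x/crypto v0.38.0
-\tgoogle.golang.org/grpc v1.68.0
+\tgoogle.golang.org/grpc v1.70.0
 )
 require (
-\tgithub.com/example/old-indirect v0.4.1 // indirect
+\tgithub.com/example/sqlite-binding v1.14.28 // indirect
-\tgolang.org/x/net v0.34.0 // indirect
+\tgolang.org/x/net v0.40.0 // indirect
-\tgolang.org/x/text v0.21.0 // indirect
+\tgolang.org/x/text v0.20.0 // indirect
 )
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_DIFF)
    print("go directive: %s -> %s" % report["go"])
    for key in ("added", "new_direct", "removed", "bumped", "downgraded"):
        print("%-11s %s" % (key + ":", ", ".join(report[key]) or "-"))
```

Run it against a real diff with `summarize(open("go.mod.diff").read())`; anything under `downgraded` or `new_direct` is where a reviewer's attention goes first, and `added` is the list to reconcile against debian/copyright.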