[.dsc diff] questing 20250416.02-0ubuntu1 vs. 20250701.00-0ubuntu1

** Attachment added: "[.dsc diff] questing 20250416.02-0ubuntu1 vs. 20250701.00-0ubuntu1"
   https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/2126660/+attachment/5914171/+files/osconfig-20250416.02-0ubuntu1-dsc-vs-osconfig-20250701.00-0ubuntu1-dsc
** Tags added: patch

--
You received this bug notification because you are a member of Ubuntu Public Cloud, which is subscribed to google-osconfig-agent in Ubuntu.
https://bugs.launchpad.net/bugs/2126660

Title: [FFe] Please update to 20250701.00

Status in google-osconfig-agent package in Ubuntu: New

Bug description:

Google have requested we update `google-osconfig-agent` to upstream version 20250701.00 [0] as a matter of urgency to correct CVE-2024-24790 [1].

The new version requested at 20250701.00 updates the Golang version from `1.22.7` to `1.24.0` and introduces `toolchain go1.24.2`. There is also new functionality present in this update that the VM Manager team would like expedited.

Between the security vulnerability, the specific request from Google and the fact that this package is not seeded, I felt it was appropriate to raise an FFe so there is not the delay between 25.10 QQ closing and 26.04 RR opening.

This update will supersede the SRU in LP: #2113875 (that hasn't reached `-proposed` yet for the non-devel releases)

Golang 1.24 is present in `questing` and `plucky`:

```
$ rmadison golang-1.24
 golang-1.24 | 1.24.2-1                | plucky          | source, all
 golang-1.24 | 1.24.4-1ubuntu1~25.04.1 | plucky-proposed | source, all
 golang-1.24 | 1.24.4-1ubuntu1         | questing        | source, all
```

[Impact]

This package is provided by Google for installation within guests that run on Google Compute Engine. It is part of a collection of tools and daemons, that ensure that the Ubuntu images published to GCE run properly on their platform.

Cloud platforms evolve at a rate that can't be handled in six-month increments, and they will often develop features that they would like to be available to customers who don't want to upgrade from earlier Ubuntu releases. As such, updating this package to more recent upstream releases is required within all Ubuntu releases, so they continue to function properly in the GCP environment.

[Test Case]

I have already done testing with the version proposed (`20250701.00-0ubuntu1`) from a PPA [2] - the custom image passed both our CPC internal validation (CTF) and Google's own testing (CIT [3]). I can share these test results on request if needed!

[Vendored Dependencies]

``` --- a/go.mod +++ b/go.mod @@ -1,6 +1,8 @@ module github.com/GoogleCloudPlatform/osconfig -go 1.22.7 +go 1.24.0 + +toolchain go1.24.2 require ( cloud.google.com/go/compute/metadata v0.6.0 @@ -12,16 +14,18 @@ require ( github.com/go-ole/go-ole v1.3.0 github.com/golang/mock v1.6.0 github.com/google/go-cmp v0.7.0 + github.com/google/osv-scalibr v0.2.0 + github.com/kr/pretty v0.3.1 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07 github.com/ulikunitz/xz v0.5.12 - golang.org/x/crypto v0.32.0 + golang.org/x/crypto v0.38.0 golang.org/x/oauth2 v0.24.0 - golang.org/x/sys v0.30.0 + golang.org/x/sys v0.33.0 google.golang.org/api v0.214.0 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 - google.golang.org/grpc v1.68.0 - google.golang.org/protobuf v1.36.3 + google.golang.org/grpc v1.70.0 + google.golang.org/protobuf v1.36.5 ) require ( 
@@ -33,28 +37,98 @@ require ( cloud.google.com/go/logging v1.13.0 // indirect cloud.google.com/go/longrunning v0.6.3 // indirect cloud.google.com/go/monitoring v1.21.2 // indirect + deps.dev/api/v3 v3.0.0-20250307021655-d811e36f9cad // indirect + deps.dev/util/maven v0.0.0-20250307021655-d811e36f9cad // indirect + deps.dev/util/pypi v0.0.0-20250307021655-d811e36f9cad // indirect + deps.dev/util/resolve v0.0.0-20250310223405-f4cf91c9e684 // indirect + deps.dev/util/semver v0.0.0-20250307021655-d811e36f9cad // indirect + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect + github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect + github.com/CycloneDX/cyclonedx-go v0.9.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect - github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/Microsoft/hcsshim v0.11.7 // indirect + github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect - github.com/envoyproxy/go-control-plane v0.13.1 // indirect + github.com/containerd/cgroups v1.1.0 // indirect + github.com/containerd/containerd v1.7.27 // indirect + github.com/containerd/containerd/api v1.8.0 // indirect + github.com/containerd/continuity v0.4.4 // indirect + github.com/containerd/errdefs v0.3.0 // indirect + github.com/containerd/fifo v1.1.0 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect + 
github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect + github.com/containerd/ttrpc v1.2.7 // indirect + github.com/containerd/typeurl/v2 v2.1.1 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect + github.com/distribution/reference v0.6.0 // indirect + github.com/docker/cli v25.0.3+incompatible // indirect + github.com/docker/distribution v2.8.3+incompatible // indirect + github.com/docker/docker v25.0.6+incompatible // indirect + github.com/docker/docker-credential-helpers v0.8.1 // indirect + github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect + github.com/edsrzf/mmap-go v1.1.0 // indirect + github.com/envoyproxy/go-control-plane/envoy v1.32.3 // indirect + github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect + github.com/erikvarga/go-rpmdb v0.0.0-20240208180226-b97e041ef9af // indirect github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.6.2 // indirect + github.com/go-git/go-git/v5 v5.14.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/glog v1.2.4 // indirect + github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/protobuf v1.5.4 // indirect + github.com/google/go-containerregistry v0.19.1 // indirect github.com/google/s2a-go v0.1.8 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect github.com/googleapis/gax-go/v2 v2.14.0 // indirect + github.com/groob/plist v0.1.1 // indirect + github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/julienschmidt/httprouter v1.3.0 // 
indirect + github.com/klauspost/compress v1.17.7 // indirect + github.com/kr/text v0.2.0 // indirect + github.com/mattn/go-sqlite3 v1.14.28 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/moby/locker v1.0.1 // indirect + github.com/moby/sys/mountinfo v0.6.2 // indirect + github.com/moby/sys/sequential v0.5.0 // indirect + github.com/moby/sys/signal v0.7.0 // indirect + github.com/moby/sys/user v0.3.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/opencontainers/runtime-spec v1.1.0 // indirect + github.com/opencontainers/selinux v1.11.0 // indirect + github.com/package-url/packageurl-go v0.1.2 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/rogpeppe/go-internal v1.14.1 // indirect + github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect + github.com/saferwall/pe v1.5.6 // indirect + github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect github.com/sirupsen/logrus v1.9.3 // indirect + github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect + github.com/spdx/tools-golang v0.5.3 // indirect + github.com/tidwall/gjson v1.18.0 // indirect + github.com/tidwall/jsonc v0.3.2 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.0 // indirect + github.com/vbatts/tar-split v0.11.5 // indirect go.chromium.org/luci v0.0.0-20201204084249-3e81ee3e83fe // indirect + go.etcd.io/bbolt v1.3.10 // indirect + go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 // indirect 
@@ -64,10 +138,18 @@ require ( go.opentelemetry.io/otel/sdk v1.35.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect go.opentelemetry.io/otel/trace v1.35.0 // indirect - golang.org/x/net v0.34.0 // indirect - golang.org/x/sync v0.10.0 // indirect - golang.org/x/text v0.21.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/mod v0.21.0 // indirect + golang.org/x/net v0.40.0 // indirect + golang.org/x/sync v0.14.0 // indirect + golang.org/x/text v0.25.0 // indirect golang.org/x/time v0.9.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect - google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect + golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect + gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/warnings.v0 v0.1.2 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect + www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09 // indirect ) ```

Golang 1.24 is present in `questing` and `plucky`:

```
$ rmadison golang-1.24
 golang-1.24 | 1.24.2-1                | plucky          | source, all
 golang-1.24 | 1.24.4-1ubuntu1~25.04.1 | plucky-proposed | source, all
 golang-1.24 | 1.24.4-1ubuntu1         | questing        | source, all
```

Which would normally cause an issue for a future SRU, but fortunately we now completely vendor the golang dependencies.

[Other Information]

This bug is used for tracking of releasing the new upstream version for all supported series, as per the approved policy mentioned in the following MRE: https://wiki.ubuntu.com/google-osconfig-agent-Updates

This package is only used on AMD64 and ARM64 but it is built for all available architectures.

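Review bot: In the first go.mod hunk (`@@ -1,6 +1,8 @@`), `go 1.24.0` is a minimum compiler version, and vendoring the module dependencies does not supply that compiler. Every series this version is uploaded to needs a golang-1.24 or newer build dependency, and the rmadison output only shows one for `plucky` and `questing`. CVE-2024-24790 is a Go standard library issue, so it is the compiler used at build time, not this directive, that decides whether the fix is in the binary; the description should state which golang version the package actually builds with.
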
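Review bot: The second hunk (`@@ -12,16 +14,18 @@`) makes `github.com/google/osv-scalibr v0.2.0` a new direct requirement, and nothing in the request explains it beyond "new functionality". The FFe text should say what the agent uses it for, since it is the likely source of most of the indirect modules added in the following hunk and is the main behavioural change a release-team reviewer has to judge.
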
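Review bot: The `@@ -33,28 +37,98 @@` hunk takes the indirect block from 28 to 98 lines with no comment in the request on the added attack and maintenance surface. New pins include `github.com/containerd/containerd v1.7.27`, `github.com/docker/docker v25.0.6+incompatible`, `github.com/go-git/go-git/v5 v5.14.0` and `github.com/mattn/go-sqlite3 v1.14.28`. Because these are vendored into the source package, a security fix in any of them requires a new upload of this package, so the request should record that the pinned versions were checked against known advisories. `go-sqlite3` is a cgo package, so also confirm the build on every architecture, given that the package is built for all of them.
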
[Refs]

[0]: https://github.com/GoogleCloudPlatform/osconfig/releases/tag/20250701.00
[1]: https://nvd.nist.gov/vuln/detail/cve-2024-24790
[2]: https://launchpad.net/~kajiya/+archive/ubuntu/kajiya-google-osconfig-agent/+packages?field.name_filter=&field.status_filter=published&field.series_filter=questing
[3]: https://github.com/GoogleCloudPlatform/cloud-image-tests

