From 9cc6e5b27f8d1d566ebef440b2bb0c5dad45c26b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 19 Oct 2023 10:13:32 +0200 Subject: [PATCH 1/2] update to go1.20.9, test go1.21.2 go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go package, as well as bug fixes to the go command and the linker. See the Go 1.20.9 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.9+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.8...go1.20.9 From the security mailing: [security] Go 1.21.2 and Go 1.20.9 are released Hello gophers, We have just released Go versions 1.21.2 and 1.20.9, minor point releases. These minor releases include 1 security fixes following the security policy: - cmd/go: line directives allows arbitrary execution during build "//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compliation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploting this issue significantly more complex. This is CVE-2023-39323 and Go issue https://go.dev/issue/63211. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 4 ++-- Dockerfile | 2 +- dockerfiles/docs.Dockerfile | 2 +- dockerfiles/git.Dockerfile | 2 +- dockerfiles/lint.Dockerfile | 2 +- dockerfiles/vendor.Dockerfile | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 58df5234..56f5b15f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,8 +26,8 @@ jobs: fail-fast: false matrix: go: - - 1.20.8 - - 1.21.1 + - 1.20.9 + - 1.21.2 steps: - name: Checkout diff --git a/Dockerfile b/Dockerfile index 0e5fe397..060d5bc5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.18 ARG XX_VERSION=1.2.1 diff --git a/dockerfiles/docs.Dockerfile b/dockerfiles/docs.Dockerfile index e1d728a1..a4061403 100644 --- a/dockerfiles/docs.Dockerfile +++ b/dockerfiles/docs.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.18 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base diff --git a/dockerfiles/git.Dockerfile b/dockerfiles/git.Dockerfile index b935a8a6..b770a607 100644 --- a/dockerfiles/git.Dockerfile +++ b/dockerfiles/git.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.18 FROM alpine:${ALPINE_VERSION} AS base diff --git a/dockerfiles/lint.Dockerfile b/dockerfiles/lint.Dockerfile index 105d3ac1..25596cef 100644 --- a/dockerfiles/lint.Dockerfile +++ b/dockerfiles/lint.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.54.2 ARG BUILDTAGS="include_gcs" diff --git a/dockerfiles/vendor.Dockerfile b/dockerfiles/vendor.Dockerfile index 554fbba6..0e2a80d3 100644 --- a/dockerfiles/vendor.Dockerfile +++ b/dockerfiles/vendor.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0 From 46d13ff75bfbe7abe232ae8e45933d7088227352 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 19 Oct 2023 10:45:12 +0200 Subject: [PATCH 2/2] update to go1.20.10, test go1.21.3 go1.20.10 (released 2023-10-10) includes a security fix to the net/http package. See the Go 1.20.10 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.9...go1.20.10 From the security mailing: [security] Go 1.21.3 and Go 1.20.10 are released Hello gophers, We have just released Go versions 1.21.3 and 1.20.10, minor point releases. These minor releases include 1 security fixes following the security policy: - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 4 ++-- Dockerfile | 2 +- dockerfiles/docs.Dockerfile | 2 +- dockerfiles/git.Dockerfile | 2 +- dockerfiles/lint.Dockerfile | 2 +- dockerfiles/vendor.Dockerfile | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56f5b15f..6621d621 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,8 +26,8 @@ jobs: fail-fast: false matrix: go: - - 1.20.9 - - 1.21.2 + - 1.20.10 + - 1.21.3 steps: - name: Checkout diff --git a/Dockerfile b/Dockerfile index 060d5bc5..6b87ab68 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.18 ARG XX_VERSION=1.2.1 diff --git a/dockerfiles/docs.Dockerfile b/dockerfiles/docs.Dockerfile index a4061403..84306d3a 100644 --- a/dockerfiles/docs.Dockerfile +++ b/dockerfiles/docs.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.18 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base diff --git a/dockerfiles/git.Dockerfile b/dockerfiles/git.Dockerfile index b770a607..698ad10e 100644 --- a/dockerfiles/git.Dockerfile +++ b/dockerfiles/git.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.18 FROM alpine:${ALPINE_VERSION} AS base diff --git a/dockerfiles/lint.Dockerfile b/dockerfiles/lint.Dockerfile index 25596cef..ca77e401 100644 --- a/dockerfiles/lint.Dockerfile +++ b/dockerfiles/lint.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.54.2 ARG BUILDTAGS="include_gcs" diff --git a/dockerfiles/vendor.Dockerfile b/dockerfiles/vendor.Dockerfile index 0e2a80d3..c5bdde94 100644 --- a/dockerfiles/vendor.Dockerfile +++ b/dockerfiles/vendor.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0