From 952fa4d207e0361b8d7742d3f5210c58b77525ae Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Fri, 3 Feb 2023 05:48:09 -0700 Subject: [PATCH 1/6] Upgrade to Go 1.20 Signed-off-by: Bjorn Neergaard Co-authored-by: Cory Snider Signed-off-by: Cory Snider (cherry picked from commit d4e7a87b9655bef350f487b01c1a6c9ca281f836) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- hack/with-go-mod.sh | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 14d82d5063..074977ef59 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: 1.19.10 + GO_VERSION: "1.20" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ad77d46bb5..3eaac9a2d8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: 1.19.10 + GO_VERSION: "1.20" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index 3573f0270b..70543feca6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.10 +ARG GO_VERSION=1.20 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index cf7a2cd99d..03aca36087 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.10 +ARG GO_VERSION=1.20 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index d8af8f5735..572f4a249c 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.19.10 +ARG GO_VERSION=1.20 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index 7cb443af15..e02fa47984 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.19.10 +ARG GO_VERSION=1.20 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21 diff --git a/hack/with-go-mod.sh b/hack/with-go-mod.sh index 911eb3b50b..3be44d11ec 100755 --- a/hack/with-go-mod.sh +++ b/hack/with-go-mod.sh @@ -23,7 +23,7 @@ else tee "${ROOTDIR}/go.mod" >&2 <<- EOF module github.com/docker/docker - go 1.18 + go 1.19 EOF trap 'rm -f "${ROOTDIR}/go.mod"' EXIT fi From a7948ebf6c75513d878bd8ee7438fa6fe632e6a7 Mon Sep 17 00:00:00 2001 From: Cory Snider Date: Tue, 14 Feb 2023 14:34:59 -0500 Subject: [PATCH 2/6] Upgrade to Go 1.20.1 Signed-off-by: Cory Snider (cherry picked from commit cd779dae46ee1d1bc69491946a8eb548f37020bd) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 074977ef59..3990d7bdea 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: "1.20" + GO_VERSION: "1.20.1" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3eaac9a2d8..5da4524e4b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: "1.20" + GO_VERSION: "1.20.1" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index 70543feca6..9a4b839885 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20 +ARG GO_VERSION=1.20.1 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 03aca36087..7154e29551 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.20 +ARG GO_VERSION=1.20.1 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index 572f4a249c..cc7d94a3e6 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.20 +ARG GO_VERSION=1.20.1 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index e02fa47984..25400a1a83 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.20 +ARG GO_VERSION=1.20.1 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21 From 81ae2ab38870595a970fe0c92650f2e25a3a73ab Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Mar 2023 10:16:50 +0100 Subject: [PATCH 3/6] update to go1.20.2 Includes a security fix for crypto/elliptic (CVE-2023-24532). > go1.20.2 (released 2023-03-07) includes a security fix to the crypto/elliptic package, > as well as bug fixes to the compiler, the covdata command, the linker, the runtime, and > the crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. > See the Go 1.20.2 milestone on our issue tracker for details. https://go.dev/doc/devel/release#go1.20.minor From the announcement: > We have just released Go versions 1.20.2 and 1.19.7, minor point releases. > > These minor releases include 1 security fixes following the security policy: > > - crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results > > The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an > incorrect result if called with some specific unreduced scalars (a scalar larger > than the order of the curve). > > This does not impact usages of crypto/ecdsa or crypto/ecdh. > > This is CVE-2023-24532 and Go issue https://go.dev/issue/58647. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 02dec48babfe8342eb22c0c200309e779415261d) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 3990d7bdea..f41f42febe 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: "1.20.1" + GO_VERSION: "1.20.2" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5da4524e4b..11ec5374be 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: "1.20.1" + GO_VERSION: "1.20.2" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index 9a4b839885..167cfb5ddc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.1 +ARG GO_VERSION=1.20.2 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 7154e29551..1ab2a98cb4 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.20.1 +ARG GO_VERSION=1.20.2 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index cc7d94a3e6..bc2d500d19 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.20.1 +ARG GO_VERSION=1.20.2 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index 25400a1a83..9fbf7aecbd 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.20.1 +ARG GO_VERSION=1.20.2 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21 From 9279c41ea5a8633edde7353c90f0000066f2abec Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 5 Apr 2023 14:24:07 +0200 Subject: [PATCH 4/6] update go to go1.20.3 go1.20.3 (released 2023-04-04) includes security fixes to the go/parser, html/template, mime/multipart, net/http, and net/textproto packages, as well as bug fixes to the compiler, the linker, the runtime, and the time package. See the Go 1.20.3 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.3+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.2...go1.20.3 Further details from the announcement on the mailing list: We have just released Go versions 1.20.3 and 1.19.8, minor point releases. These minor releases include 4 security fixes following the security policy: - go/parser: infinite loop in parsing Calling any of the Parse functions on Go source code which contains `//line` directives with very large line numbers can cause an infinite loop due to integer overflow. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2023-24537 and Go issue https://go.dev/issue/59180. - html/template: backticks not treated as string delimiters Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release. Users who rely on this behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. This is CVE-2023-24538 and Go issue https://go.dev/issue/59234. - net/http, net/textproto: denial of service from excessive memory allocation HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers. Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24534 and Go issue https://go.dev/issue/58975. - net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. Thanks to Jakob Ackermann for discovering this issue. This is CVE-2023-24536 and Go issue https://go.dev/issue/59153. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit f6cc8e3512e0ef882a6f9e49a034d2544aafcd0c) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index f41f42febe..35a44255b1 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: "1.20.2" + GO_VERSION: "1.20.3" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 11ec5374be..5ae5f21434 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: "1.20.2" + GO_VERSION: "1.20.3" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index 167cfb5ddc..d53f71b469 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.2 +ARG GO_VERSION=1.20.3 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 1ab2a98cb4..66ec88cff9 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.20.2 +ARG GO_VERSION=1.20.3 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index bc2d500d19..f557433f8a 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.20.2 +ARG GO_VERSION=1.20.3 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index 9fbf7aecbd..ae776d0383 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.20.2 +ARG GO_VERSION=1.20.3 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21 From 4c57e2d55f7229b02d96ef7e21aa1c87b14da905 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 3 May 2023 20:42:33 +0200 Subject: [PATCH 5/6] update go to go1.20.4 go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved release notes: https://go.dev/doc/devel/release#go1.20.4 full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4 from the announcement: > These minor releases include 3 security fixes following the security policy: > > - html/template: improper sanitization of CSS values > > Angle brackets (`<>`) were not considered dangerous characters when inserted > into CSS contexts. Templates containing multiple actions separated by a '/' > character could result in unexpectedly closing the CSS context and allowing > for injection of unexpected HMTL, if executed with untrusted input. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24539 and Go issue https://go.dev/issue/59720. > > - html/template: improper handling of JavaScript whitespace > > Not all valid JavaScript whitespace characters were considered to be > whitespace. Templates containing whitespace characters outside of the character > set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain > actions may not be properly sanitized during execution. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24540 and Go issue https://go.dev/issue/59721. > > - html/template: improper handling of empty HTML attributes > > Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") > executed with empty input could result in output that would have unexpected > results when parsed due to HTML normalization rules. This may allow injection > of arbitrary attributes into tags. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-29400 and Go issue https://go.dev/issue/59722. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit b7e8868235a393addf65f7157ee336c7737a5015) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 35a44255b1..7788ea884c 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: "1.20.3" + GO_VERSION: "1.20.4" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5ae5f21434..ec9e4e6886 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: "1.20.3" + GO_VERSION: "1.20.4" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index d53f71b469..49b48ce60b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.3 +ARG GO_VERSION=1.20.4 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 66ec88cff9..9dc49e845a 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.20.3 +ARG GO_VERSION=1.20.4 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index f557433f8a..e0013d6258 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.20.3 +ARG GO_VERSION=1.20.4 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index ae776d0383..7e10cf3b48 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.20.3 +ARG GO_VERSION=1.20.4 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21 From a70bbdf673235526a9cb054c8e404e2583f99167 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 14 Jun 2023 12:47:05 +0200 Subject: [PATCH 6/6] update go to go1.20.5 go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5 These minor releases include 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 98a44bb18e21c9729575992c1d4a8cbee5a40bb7) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 24c882c3e06f61fa6b66c08101399eec898432ed) Signed-off-by: Cory Snider --- .github/workflows/.windows.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- Dockerfile.e2e | 2 +- Dockerfile.simple | 2 +- Dockerfile.windows | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 7788ea884c..6d1541c853 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -15,7 +15,7 @@ on: default: false env: - GO_VERSION: "1.20.4" + GO_VERSION: "1.20.5" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ec9e4e6886..6556709203 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ on: pull_request: env: - GO_VERSION: "1.20.4" + GO_VERSION: "1.20.5" GOTESTLIST_VERSION: v0.3.1 TESTSTAT_VERSION: v0.1.3 ITG_CLI_MATRIX_SIZE: 6 diff --git a/Dockerfile b/Dockerfile index 49b48ce60b..5c43676327 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.4 +ARG GO_VERSION=1.20.5 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG XX_VERSION=1.2.1 diff --git a/Dockerfile.e2e b/Dockerfile.e2e index 9dc49e845a..b4f16feb25 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.20.4 +ARG GO_VERSION=1.20.5 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff --git a/Dockerfile.simple b/Dockerfile.simple index e0013d6258..0431db9b80 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.20.4 +ARG GO_VERSION=1.20.5 ARG BASE_DEBIAN_DISTRO="bullseye" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" diff --git a/Dockerfile.windows b/Dockerfile.windows index 7e10cf3b48..7a2f2ca227 100644 --- a/Dockerfile.windows +++ b/Dockerfile.windows @@ -165,7 +165,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.20.4 +ARG GO_VERSION=1.20.5 ARG GOTESTSUM_VERSION=v1.8.2 ARG GOWINRES_VERSION=v0.3.0 ARG CONTAINERD_VERSION=v1.6.21