From afc62d8d1c66bcdd44fbee1226809af2bd5719cc Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 5 Dec 2023 23:45:18 +0100 Subject: [PATCH 1/2] update to go1.21.4 Reverts "update to go1.21.4" due to regressions / breaking changes." This reverts commit 4cf1c50ad174f9e1bb19785f6f4c2db508c539eb. This re-applies commit 6472dabe4c9b5bdad472ff5c809dafe82f7c7064. ---- update to go1.21.4 go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4 from the security mailing: [security] Go 1.21.4 and Go 1.20.11 are released Hello gophers, We have just released Go versions 1.21.4 and 1.20.11, minor point releases. These minor releases include 2 security fixes following the security policy: - path/filepath: recognize `\??\` as a Root Local Device path prefix. On Windows, a path beginning with `\??\` is a Root Local Device path equivalent to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to access arbitrary locations on the system. For example, the path `\??\c:\x` is equivalent to the more common path c:\x. The filepath package did not recognize paths with a `\??\` prefix as special. Clean could convert a rooted path such as `\a\..\??\b` into the root local device path `\??\b`. It will now convert this path into `.\??\b`. `IsAbs` did not report paths beginning with `\??\` as absolute. It now does so. VolumeName now reports the `\??\` prefix as a volume name. `Join(`\`, `??`, `b`)` could convert a seemingly innocent sequence of path elements into the root local device path `\??\b`. It will now convert this to `\.\??\b`. This is CVE-2023-45283 and https://go.dev/issue/63713. - path/filepath: recognize device names with trailing spaces and superscripts The `IsLocal` function did not correctly detect reserved names in some cases: - reserved names followed by spaces, such as "COM1 ". - "COM" or "LPT" followed by a superscript 1, 2, or 3. `IsLocal` now correctly reports these names as non-local. This is CVE-2023-45284 and https://go.dev/issue/63713. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0907ba26d194..e2586bcbc932 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v4 with: - go-version: 1.21.3 + go-version: 1.21.4 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index 8a8b0ffb1d09..6c312a312421 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.18 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.21.3 +ARG GO_VERSION=1.21.4 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index e8a2ddbf3a35..2761520fc7ae 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.3" + default = "1.21.4" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index d37095eb1038..a9911a7c003f 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.3 +ARG GO_VERSION=1.21.4 ARG ALPINE_VERSION=3.18 ARG BUILDX_VERSION=0.12.0 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index e03b4857bf65..beeaf6e8cf27 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.3 +ARG GO_VERSION=1.21.4 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 6c85db696555..9895238f2dbb 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.3 +ARG GO_VERSION=1.21.4 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index e6d5d6923ffc..aaa4c90b90e5 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.3 +ARG GO_VERSION=1.21.4 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local From bdb45a9c2d8782d4a856310b4567fade14316dbf Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 5 Dec 2023 23:48:22 +0100 Subject: [PATCH 2/2] update to go1.21.5 go1.21.5 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rand, net, os, and syscall packages. See the Go 1.21.5 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.5...go1.21.5 from the security mailing: [security] Go 1.21.5 and Go 1.20.12 are released Hello gophers, We have just released Go versions 1.21.5 and 1.20.12, minor point releases. These minor releases include 3 security fixes following the security policy: - net/http: limit chunked data overhead A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-39326 and Go issue https://go.dev/issue/64433. - cmd/go: go get may unexpectedly fallback to insecure git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). Thanks to David Leadbeater for reporting this issue. This is CVE-2023-45285 and Go issue https://go.dev/issue/63845. - path/filepath: retain trailing \ when cleaning paths like \\?\c:\ Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored. This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e2586bcbc932..f95f2bdee3d8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v4 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index 6c312a312421..70b915fe3b0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.18 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.21.4 +ARG GO_VERSION=1.21.5 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index 2761520fc7ae..4eaa3e931cab 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.4" + default = "1.21.5" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index a9911a7c003f..9f225234631a 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.4 +ARG GO_VERSION=1.21.5 ARG ALPINE_VERSION=3.18 ARG BUILDX_VERSION=0.12.0 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index beeaf6e8cf27..fd02e9479b37 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.4 +ARG GO_VERSION=1.21.5 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 9895238f2dbb..053351b84897 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.4 +ARG GO_VERSION=1.21.5 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index aaa4c90b90e5..aa01da7c16ee 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.4 +ARG GO_VERSION=1.21.5 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local