From c5aee98be71a2a3feccd8d2b4a8c91c6d22f5fb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Wed, 8 May 2024 09:50:01 +0200 Subject: [PATCH 1/4] update to go1.21.10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These minor releases include 2 security fixes following the security policy: - cmd/go: arbitrary code execution during build on darwin On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-24787 and Go issue https://go.dev/issue/67119. - net: malformed DNS message can cause infinite loop A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to our attention. This is CVE-2024-24788 and Go issue https://go.dev/issue/66754. View the release notes for more information: https://go.dev/doc/devel/release#go1.22.3 - https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10 **- Description for the changelog** ```markdown changelog Update Go runtime to 1.21.10 ``` Signed-off-by: Paweł Gronowski (cherry picked from commit eb99994c75752c78e08c902ea02e7f359bad1af7) Signed-off-by: Austin Vazquez --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ca41b09a17dc..e8d7ef45908f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.21.9 + go-version: 1.21.10 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index 314fa9089970..a6c8f7d4a18d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.18 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.21.9 +ARG GO_VERSION=1.21.10 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index bb65406d7806..7da05d743689 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.9" + default = "1.21.10" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index b5d18da93c18..59872bb7faad 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.9 +ARG GO_VERSION=1.21.10 ARG ALPINE_VERSION=3.18 ARG BUILDX_VERSION=0.12.1 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 60200bc85846..13717064d343 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.9 +ARG GO_VERSION=1.21.10 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 0030f15123d1..84fbc4811a9f 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.9 +ARG GO_VERSION=1.21.10 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 67a53d4b127f..55b7a66b1510 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.9 +ARG GO_VERSION=1.21.10 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local From 1fbc90faf74815fa8c22f9762870e6b1ae9ee0c3 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 4 Jun 2024 23:39:27 +0200 Subject: [PATCH 2/4] update to go1.21.11 go1.21.11 (released 2024-06-04) includes security fixes to the archive/zip and net/netip packages, as well as bug fixes to the compiler, the go command, the runtime, and the os package. See the Go 1.21.11 milestone on our issue tracker for details; - https://github.com/golang/go/issues?q=milestone%3AGo1.21.11+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.10...go1.21.11 From the security announcement; We have just released Go versions 1.22.4 and 1.21.11, minor point releases. These minor releases include 2 security fixes following the security policy: - archive/zip: mishandling of corrupt central directory record The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Thanks to Yufan You for reporting this issue. This is CVE-2024-24789 and Go issue https://go.dev/issue/66869. - net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Thanks to Enze Wang of Alioth and Jianjun Chen of Zhongguancun Lab for reporting this issue. This is CVE-2024-24790 and Go issue https://go.dev/issue/67680. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 630e1d3e95b18da36dbb53f516c54ee00f2e421f) Signed-off-by: Austin Vazquez --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e8d7ef45908f..175520518dbd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.21.10 + go-version: 1.21.11 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index a6c8f7d4a18d..22919849a0ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.18 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.21.10 +ARG GO_VERSION=1.21.11 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index 7da05d743689..389d836b49af 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.10" + default = "1.21.11" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 59872bb7faad..625ba1f2c62f 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.10 +ARG GO_VERSION=1.21.11 ARG ALPINE_VERSION=3.18 ARG BUILDX_VERSION=0.12.1 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 13717064d343..21ff44c0208b 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.10 +ARG GO_VERSION=1.21.11 ARG ALPINE_VERSION=3.18 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 84fbc4811a9f..bc5ca3c34004 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.10 +ARG GO_VERSION=1.21.11 ARG ALPINE_VERSION=3.18 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 55b7a66b1510..7bcecaf830d0 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.10 +ARG GO_VERSION=1.21.11 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local From a90d08534b10b6c2c48cfa3dba4478a9a55aeb52 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 26 May 2024 11:37:01 +0200 Subject: [PATCH 3/4] Dockerfile: update ALPINE_VERSION to 3.20 Update to the current version of Alpine, which is also the default for the golang:alpine image Signed-off-by: Sebastiaan van Stijn (cherry picked from commit e70f68595d26d935a09ead0f0fe6dd1c6c518d80) Signed-off-by: Austin Vazquez --- Dockerfile | 2 +- dockerfiles/Dockerfile.authors | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 22919849a0ce..180dd5d08465 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG ALPINE_VERSION=3.18 +ARG ALPINE_VERSION=3.20 ARG BASE_DEBIAN_DISTRO=bookworm ARG GO_VERSION=1.21.11 diff --git a/dockerfiles/Dockerfile.authors b/dockerfiles/Dockerfile.authors index 278ad769fea1..321a752c47ef 100644 --- a/dockerfiles/Dockerfile.authors +++ b/dockerfiles/Dockerfile.authors @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG ALPINE_VERSION=3.18 +ARG ALPINE_VERSION=3.20 FROM alpine:${ALPINE_VERSION} AS gen RUN apk add --no-cache bash git diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 625ba1f2c62f..fa0e40a36058 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG GO_VERSION=1.21.11 -ARG ALPINE_VERSION=3.18 +ARG ALPINE_VERSION=3.20 ARG BUILDX_VERSION=0.12.1 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 21ff44c0208b..2e99812dbe8e 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG GO_VERSION=1.21.11 -ARG ALPINE_VERSION=3.18 +ARG ALPINE_VERSION=3.20 ARG GOLANGCI_LINT_VERSION=v1.55.2 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index bc5ca3c34004..f204ea273e19 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG GO_VERSION=1.21.11 -ARG ALPINE_VERSION=3.18 +ARG ALPINE_VERSION=3.20 ARG MODOUTDATED_VERSION=v0.8.0 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base From 0dd60b064f4fa743dc0a362c1964daf2b38c0183 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Wed, 3 Jul 2024 10:59:37 +0200 Subject: [PATCH 4/4] update to go1.21.12 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12 These minor releases include 1 security fixes following the security policy: net/http: denial of service due to improper 100-continue handling The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Thanks to Geoff Franks for reporting this issue. This is CVE-2024-24791 and Go issue https://go.dev/issue/67555. View the release notes for more information: https://go.dev/doc/devel/release#go1.21.12 **- Description for the changelog** ```markdown changelog Update Go runtime to 1.21.12 ``` Signed-off-by: Paweł Gronowski (cherry picked from commit d73d7d4ed3f6211aa157d59a2e6674a1774dabc3) Signed-off-by: Austin Vazquez --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 175520518dbd..18213461baa9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.21.11 + go-version: 1.21.12 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index 180dd5d08465..2cf7cd1ea020 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.20 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.21.11 +ARG GO_VERSION=1.21.12 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index 389d836b49af..cb75552a09f2 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.11" + default = "1.21.12" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index fa0e40a36058..cef1597b4000 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.11 +ARG GO_VERSION=1.21.12 ARG ALPINE_VERSION=3.20 ARG BUILDX_VERSION=0.12.1 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 2e99812dbe8e..b41c54041fb4 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.11 +ARG GO_VERSION=1.21.12 ARG ALPINE_VERSION=3.20 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index f204ea273e19..9acb89182240 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.11 +ARG GO_VERSION=1.21.12 ARG ALPINE_VERSION=3.20 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 7bcecaf830d0..3c9cc7e80177 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.11 +ARG GO_VERSION=1.21.12 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local