From 15258b687e5b46f01bb41bd1f6b932eecaa1975c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Oct 2023 20:04:12 +0200 Subject: [PATCH 1/2] update to go1.20.9 go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go package, as well as bug fixes to the go command and the linker. See the Go 1.20.9 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.9+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.8...go1.20.9 From the security mailing: [security] Go 1.21.2 and Go 1.20.9 are released Hello gophers, We have just released Go versions 1.21.2 and 1.20.9, minor point releases. These minor releases include 1 security fixes following the security policy: - cmd/go: line directives allows arbitrary execution during build "//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compliation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploting this issue significantly more complex. This is CVE-2023-39323 and Go issue https://go.dev/issue/63211. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2fcc3922e7..f3c7cf209a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.20.8 + go-version: 1.20.9 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index 8ba91370d2..ba5bd1dfc0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.17 ARG XX_VERSION=1.1.1 ARG GOVERSIONINFO_VERSION=v1.3.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index 47aa11d027..a3473462d0 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.20.8" + default = "1.20.9" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index f190c0964b..43c9a39720 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.17 ARG BUILDX_VERSION=0.11.2 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 13ccb8caa4..ec8097e6e5 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.17 ARG GOLANGCI_LINT_VERSION=v1.52.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 9f960c5e0b..f1fbadd96e 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 ARG ALPINE_VERSION=3.17 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 5d5a13fe11..079fc08078 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.8 +ARG GO_VERSION=1.20.9 FROM golang:${GO_VERSION}-alpine AS generated RUN go install github.com/dmcgowan/quicktls@master From e0ba3923194379ffcc7f4cdbd8a579bcef0b2763 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Oct 2023 20:04:46 +0200 Subject: [PATCH 2/2] update to go1.20.10 go1.20.10 (released 2023-10-10) includes a security fix to the net/http package. See the Go 1.20.10 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.9...go1.20.10 From the security mailing: [security] Go 1.21.3 and Go 1.20.10 are released Hello gophers, We have just released Go versions 1.21.3 and 1.20.10, minor point releases. These minor releases include 1 security fixes following the security policy: - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f3c7cf209a..7bd90b13df 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -63,7 +63,7 @@ jobs: name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.20.9 + go-version: 1.20.10 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index ba5bd1dfc0..024fe2677d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.17 ARG XX_VERSION=1.1.1 ARG GOVERSIONINFO_VERSION=v1.3.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index a3473462d0..53fc4ca42b 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.20.9" + default = "1.20.10" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 43c9a39720..a17ad086db 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.17 ARG BUILDX_VERSION=0.11.2 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index ec8097e6e5..5575c4f37b 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.17 ARG GOLANGCI_LINT_VERSION=v1.52.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index f1fbadd96e..12f3afc6f2 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 ARG ALPINE_VERSION=3.17 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 079fc08078..37e8d525b0 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.20.9 +ARG GO_VERSION=1.20.10 FROM golang:${GO_VERSION}-alpine AS generated RUN go install github.com/dmcgowan/quicktls@master