6769f62746
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.6+label%3ACherryPickApproved - full diff: golang/go@go1.24.5...go1.24.6 These minor releases include 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Thanks to Olivier Mengué for reporting this issue. This is CVE-2025-47906 and Go issue https://go.dev/issue/74466. - database/sql: incorrect results returned from Rows.Scan Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. We believe this affects most database/sql drivers. Thanks to Spike Curtis from Coder for reporting this issue. This is CVE-2025-47907 and https://go.dev/issue/74831. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.6 Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
80 lines
2.3 KiB
YAML
80 lines
2.3 KiB
YAML
name: codeql
|
|
|
|
# Default to 'contents: read', which grants actions to read commits.
|
|
#
|
|
# If any permission is set, any permission not included in the list is
|
|
# implicitly set to "none".
|
|
#
|
|
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- '[0-9]+.[0-9]+'
|
|
- '[0-9]+.x'
|
|
tags:
|
|
- 'v*'
|
|
pull_request:
|
|
# The branches below must be a subset of the branches above
|
|
branches: ["master"]
|
|
schedule:
|
|
# ┌───────────── minute (0 - 59)
|
|
# │ ┌───────────── hour (0 - 23)
|
|
# │ │ ┌───────────── day of the month (1 - 31)
|
|
# │ │ │ ┌───────────── month (1 - 12)
|
|
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
|
|
# │ │ │ │ │
|
|
# │ │ │ │ │
|
|
# │ │ │ │ │
|
|
# * * * * *
|
|
- cron: '0 9 * * 4'
|
|
|
|
jobs:
|
|
codeql:
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 10
|
|
env:
|
|
DISABLE_WARN_OUTSIDE_CONTAINER: '1'
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
# CodeQL 2.16.4's auto-build added support for multi-module repositories,
|
|
# and is trying to be smart by searching for modules in every directory,
|
|
# including vendor directories. If no module is found, it's creating one
|
|
# which is ... not what we want, so let's give it a "go.mod".
|
|
# see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698
|
|
-
|
|
name: Create go.mod
|
|
run: |
|
|
ln -s vendor.mod go.mod
|
|
ln -s vendor.sum go.sum
|
|
-
|
|
name: Update Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: "1.24.6"
|
|
-
|
|
name: Initialize CodeQL
|
|
uses: github/codeql-action/init@v3
|
|
with:
|
|
languages: go
|
|
-
|
|
name: Autobuild
|
|
uses: github/codeql-action/autobuild@v3
|
|
-
|
|
name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@v3
|
|
with:
|
|
category: "/language:go"
|