From c38c41a97d51410d57d6bed08e5aadfdb55608a7 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 14 Aug 2019 02:39:26 +0200 Subject: [PATCH] Bump golang 1.11.13 (CVE-2019-9512, CVE-2019-9514) go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.13 - net/http: Denial of Service vulnerabilities in the HTTP/2 implementation net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages. The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606. Thanks to Jonathan Looney from Netflix for discovering and reporting these issues. This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2. net/url: parsing validation issue - url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse. The issue is CVE-2019-14809 and Go issue golang.org/issue/29098. Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue. Signed-off-by: Sebastiaan van Stijn Upstream-commit: d122605850fca5df1ff8babe7ee9f1dfed2a335b Component: engine --- components/engine/Dockerfile | 2 +- components/engine/Dockerfile.e2e | 2 +- components/engine/Dockerfile.simple | 2 +- components/engine/Dockerfile.windows | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/engine/Dockerfile b/components/engine/Dockerfile index 121f1ed2a9..fb4a3864f3 100644 --- a/components/engine/Dockerfile +++ b/components/engine/Dockerfile @@ -24,7 +24,7 @@ # the case. Therefore, you don't have to disable it anymore. # -ARG GO_VERSION=1.11.12 +ARG GO_VERSION=1.11.13 FROM golang:${GO_VERSION}-stretch AS base ARG APT_MIRROR diff --git a/components/engine/Dockerfile.e2e b/components/engine/Dockerfile.e2e index 9a2ec32d1f..d1c899db7d 100644 --- a/components/engine/Dockerfile.e2e +++ b/components/engine/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.11.12 +ARG GO_VERSION=1.11.13 FROM golang:${GO_VERSION}-alpine3.9 AS builder diff --git a/components/engine/Dockerfile.simple b/components/engine/Dockerfile.simple index 5762742533..60a9f63880 100644 --- a/components/engine/Dockerfile.simple +++ b/components/engine/Dockerfile.simple @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.11.12 +ARG GO_VERSION=1.11.13 FROM golang:${GO_VERSION}-stretch diff --git a/components/engine/Dockerfile.windows b/components/engine/Dockerfile.windows index 6dc3a859b2..63fa2822e4 100644 --- a/components/engine/Dockerfile.windows +++ b/components/engine/Dockerfile.windows @@ -158,7 +158,7 @@ FROM microsoft/windowsservercore # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.11.12 +ARG GO_VERSION=1.11.13 # Environment variable notes: # - GO_VERSION must be consistent with 'Dockerfile' used by Linux.