From 5033fdcda88910d6b6068cc2f44afa326e1d7071 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 8 Jul 2019 11:31:25 +0200 Subject: [PATCH 1/6] Revert "[18.09] Bump Golang 1.10.8 (CVE-2019-6486)" This reverts commit 9aec27794cc1e702bd9b9f3ac476695fc0d522a4. Signed-off-by: Sebastiaan van Stijn Upstream-commit: e05230d281769067cc4e9224218f25634f5b894a Component: packaging --- components/packaging/Makefile | 2 +- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/packaging/Makefile b/components/packaging/Makefile index 200c1dbf5d..bb12174fdf 100644 --- a/components/packaging/Makefile +++ b/components/packaging/Makefile @@ -5,7 +5,7 @@ VERSION?=0.0.0-dev DOCKER_GITCOMMIT:=abcdefg ARCH=$(shell uname -m) STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION)) -GO_VERSION:=1.10.8 +GO_VERSION:=1.10.6 DEFAULT_PRODUCT_LICENSE:=Community Engine PLATFORM=Docker Engine - Community BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index c6bfc5a671..1d1c591e57 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.8 +GO_VERSION:=1.10.6 GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index bd5cfe71fe..5b3620f337 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -3,7 +3,7 @@ ENGINE_DIR:=$(CURDIR)/../../engine CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.8 +GO_VERSION:=1.10.6 ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index 8de1fb1944..033baad3aa 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.8 +GO_VERSION:=1.10.6 GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown From 19cae1634ad71df74dee808a2b3aa2aaeebbd9f1 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 14 Dec 2018 02:04:33 +0100 Subject: [PATCH 2/6] Bump Golang 1.11.3 (CVE-2018-16875) go1.11.3 (released 2018/12/14) - crypto/x509: CPU denial of service in chain validation golang/go#29233 - cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231 - cmd/go: remote command execution during "go get -u" golang/go#29230 See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 517a30b48d7b483e27eb3c3328356a8e83272988) Signed-off-by: Sebastiaan van Stijn Upstream-commit: 17565b93d361b1b189962b3e98c431316a7cc628 Component: packaging --- components/packaging/Makefile | 2 +- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/packaging/Makefile b/components/packaging/Makefile index bb12174fdf..e2483ab596 100644 --- a/components/packaging/Makefile +++ b/components/packaging/Makefile @@ -5,7 +5,7 @@ VERSION?=0.0.0-dev DOCKER_GITCOMMIT:=abcdefg ARCH=$(shell uname -m) STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION)) -GO_VERSION:=1.10.6 +GO_VERSION:=1.11.3 DEFAULT_PRODUCT_LICENSE:=Community Engine PLATFORM=Docker Engine - Community BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index 1d1c591e57..357756b0b5 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.6 +GO_VERSION:=1.11.3 GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index 5b3620f337..0ed668f48f 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -3,7 +3,7 @@ ENGINE_DIR:=$(CURDIR)/../../engine CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.6 +GO_VERSION:=1.11.3 ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index 033baad3aa..935a694ccd 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.10.6 +GO_VERSION:=1.11.3 GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown From cd1b18d66d5cc5a6010282bda24b3618939ec01a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 23 Jan 2019 23:57:21 +0100 Subject: [PATCH 3/6] Bump Golang 1.11.5 (CVE-2019-6486) See the milestone for details; https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn (cherry picked from commit a86dd09775725e0ea79bcc25613879d09d11ba0c) Signed-off-by: Sebastiaan van Stijn Upstream-commit: f571ca6a512ac099bdb5a8cd4c44f6256b60fa70 Component: packaging --- components/packaging/Makefile | 2 +- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/packaging/Makefile b/components/packaging/Makefile index e2483ab596..2bff8da8e3 100644 --- a/components/packaging/Makefile +++ b/components/packaging/Makefile @@ -5,7 +5,7 @@ VERSION?=0.0.0-dev DOCKER_GITCOMMIT:=abcdefg ARCH=$(shell uname -m) STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION)) -GO_VERSION:=1.11.3 +GO_VERSION:=1.11.5 DEFAULT_PRODUCT_LICENSE:=Community Engine PLATFORM=Docker Engine - Community BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index 357756b0b5..1a56ccf885 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.3 +GO_VERSION:=1.11.5 GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index 0ed668f48f..2289f3dd85 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -3,7 +3,7 @@ ENGINE_DIR:=$(CURDIR)/../../engine CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.3 +GO_VERSION:=1.11.5 ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index 935a694ccd..e3be516c6e 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.3 +GO_VERSION:=1.11.5 GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown From 29233058d52ab604886d2cf9d4f8af823273d260 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 8 Jul 2019 11:33:07 +0200 Subject: [PATCH 4/6] Bump golang 1.11.11 go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.11 Signed-off-by: Sebastiaan van Stijn Upstream-commit: f33c398df1eabda69ca05ff6c5c45351790a8696 Component: packaging --- components/packaging/Makefile | 2 +- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/packaging/Makefile b/components/packaging/Makefile index 2bff8da8e3..139580320e 100644 --- a/components/packaging/Makefile +++ b/components/packaging/Makefile @@ -5,7 +5,7 @@ VERSION?=0.0.0-dev DOCKER_GITCOMMIT:=abcdefg ARCH=$(shell uname -m) STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION)) -GO_VERSION:=1.11.5 +GO_VERSION:=1.11.11 DEFAULT_PRODUCT_LICENSE:=Community Engine PLATFORM=Docker Engine - Community BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index 1a56ccf885..2af689b061 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.5 +GO_VERSION:=1.11.11 GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index 2289f3dd85..2698ca9670 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -3,7 +3,7 @@ ENGINE_DIR:=$(CURDIR)/../../engine CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.5 +GO_VERSION:=1.11.11 ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index e3be516c6e..71fb6257b3 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.5 +GO_VERSION:=1.11.11 GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown From 0f4d86716a6ac68b9ad4c10d16500c9ab4f2a277 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 23 Jul 2019 16:37:25 -0700 Subject: [PATCH 5/6] Bump Go to 1.11.12 go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.12 Full diff: https://github.com/golang/go/compare/go1.11.11...go1.11.12 Signed-off-by: Kir Kolyshkin Upstream-commit: f8eb0d84d32b427805b1d7afee815375f92fe2ee Component: packaging --- components/packaging/Makefile | 2 +- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/packaging/Makefile b/components/packaging/Makefile index 139580320e..917a1f3452 100644 --- a/components/packaging/Makefile +++ b/components/packaging/Makefile @@ -5,7 +5,7 @@ VERSION?=0.0.0-dev DOCKER_GITCOMMIT:=abcdefg ARCH=$(shell uname -m) STATIC_VERSION=$(shell static/gen-static-ver $(ENGINE_DIR) $(VERSION)) -GO_VERSION:=1.11.11 +GO_VERSION:=1.11.12 DEFAULT_PRODUCT_LICENSE:=Community Engine PLATFORM=Docker Engine - Community BUILDTIME=$(shell date -u -d "@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index 2af689b061..a96028fa7a 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.11 +GO_VERSION:=1.11.12 GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index 2698ca9670..a5c6d40c64 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -3,7 +3,7 @@ ENGINE_DIR:=$(CURDIR)/../../engine CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.11 +GO_VERSION:=1.11.12 ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index 71fb6257b3..68e494c3eb 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -6,7 +6,7 @@ CLI_DIR:=$(CURDIR)/../../cli GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang -GO_VERSION:=1.11.11 +GO_VERSION:=1.11.12 GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown From ff2d7c542ff0539db9bf1bb8893ee4b76060ce7b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 6 Aug 2019 23:10:33 +0200 Subject: [PATCH 6/6] Pin Golang images to debian stretch variant Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 1310e3974e8193745ce70cd74a20ab9d2151b8ac) Signed-off-by: Sebastiaan van Stijn Upstream-commit: 32cdb89aac13e9af7446891eab8fb1aa54c22034 Component: packaging --- components/packaging/deb/Makefile | 2 +- components/packaging/image/Makefile | 2 +- components/packaging/rpm/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/components/packaging/deb/Makefile b/components/packaging/deb/Makefile index a96028fa7a..ecfa2d695e 100644 --- a/components/packaging/deb/Makefile +++ b/components/packaging/deb/Makefile @@ -7,7 +7,7 @@ GITCOMMIT?=$(shell cd $(CLI_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang GO_VERSION:=1.11.12 -GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) +GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION)-stretch DEB_VERSION=$(shell ./gen-deb-ver $(CLI_DIR) "$(VERSION)") CHOWN:=docker run --rm -v $(CURDIR):/v -w /v alpine chown EPOCH?=5 diff --git a/components/packaging/image/Makefile b/components/packaging/image/Makefile index a5c6d40c64..fbfd257558 100644 --- a/components/packaging/image/Makefile +++ b/components/packaging/image/Makefile @@ -4,7 +4,7 @@ CLI_DIR:=$(CURDIR)/../../cli VERSION?=0.0.0-dev GO_BASE_IMAGE=golang GO_VERSION:=1.11.12 -ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION) +ENGINE_GO_IMAGE=$(GO_BASE_IMAGE):$(GO_VERSION)-stretch STATIC_VERSION=$(shell ../static/gen-static-ver $(ENGINE_DIR) $(VERSION)) DOCKER_HUB_ORG?=dockereng ARCH=$(shell uname -m) diff --git a/components/packaging/rpm/Makefile b/components/packaging/rpm/Makefile index 68e494c3eb..9611976eae 100644 --- a/components/packaging/rpm/Makefile +++ b/components/packaging/rpm/Makefile @@ -7,7 +7,7 @@ GITCOMMIT=$(shell cd $(ENGINE_DIR) && git rev-parse --short HEAD) VERSION?=0.0.0-dev GO_BASE_IMAGE=golang GO_VERSION:=1.11.12 -GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION) +GO_IMAGE?=$(GO_BASE_IMAGE):$(GO_VERSION)-stretch GEN_RPM_VER=$(shell ./gen-rpm-ver $(CLI_DIR) $(VERSION)) CHOWN=docker run --rm -i -v $(CURDIR):/v -w /v alpine chown