2018-02-27 08:11:32 -05:00
|
|
|
version: "{build}"
|
|
|
|
|
|
|
|
|
|
clone_folder: c:\gopath\src\github.com\docker\cli
|
|
|
|
|
|
|
|
|
|
environment:
|
|
|
|
|
GOPATH: c:\gopath
|
Update Golang 1.12.12 (CVE-2019-17596)
Golang 1.12.12
-------------------------------
full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12
go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime,
syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for
details.
https://github.com/golang/go/issues?q=milestone%3AGo1.12.12
Golang 1.12.11 (CVE-2019-17596)
-------------------------------
full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11
go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa
package. See the Go 1.12.11 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.12.11
[security] Go 1.13.2 and Go 1.12.11 are released
Hi gophers,
We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported
security issue. We recommend that all affected users update to one of these
releases (if you're not sure which, choose Go 1.13.2).
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,
even if the certificates don't chain to a trusted root. The chain can be
delivered via a crypto/tls connection to a client, or to a server that accepts
and verifies client certificates. net/http clients can be made to crash by an
HTTPS server, while net/http servers that accept client certificates will
recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request, parsing a golang.org/x/crypto/openpgp Entity, or during a
golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client
can panic due to a malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts
a certificate with a malformed public key.
The issue is CVE-2019-17596 and Go issue golang.org/issue/34960.
Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also
like to thank regilero for a previous disclosure of CVE-2019-16276.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-20 17:26:31 -04:00
|
|
|
GOVERSION: 1.12.12
|
2018-02-27 08:11:32 -05:00
|
|
|
DEPVERSION: v0.4.1
|
|
|
|
|
|
|
|
|
|
install:
|
|
|
|
|
- rmdir c:\go /s /q
|
|
|
|
|
- appveyor DownloadFile https://storage.googleapis.com/golang/go%GOVERSION%.windows-amd64.msi
|
|
|
|
|
- msiexec /i go%GOVERSION%.windows-amd64.msi /q
|
|
|
|
|
- go version
|
|
|
|
|
- go env
|
|
|
|
|
|
|
|
|
|
deploy: false
|
|
|
|
|
|
|
|
|
|
build_script:
|
|
|
|
|
- ps: .\scripts\make.ps1 -Binary
|
|
|
|
|
|
|
|
|
|
test_script:
|
2019-04-10 22:44:16 -04:00
|
|
|
- ps: .\scripts\make.ps1 -TestUnit
|
