From f38bea4ac399f65a40af258a4d972d97eee5c786 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 20 Oct 2019 23:26:31 +0200 Subject: [PATCH] Update Golang 1.12.12 (CVE-2019-17596) Golang 1.12.12 ------------------------------- full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12 go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.12 Golang 1.12.11 (CVE-2019-17596) ------------------------------- full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11 go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.11 [security] Go 1.13.2 and Go 1.12.11 are released Hi gophers, We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.2). Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. The issue is CVE-2019-17596 and Go issue golang.org/issue/34960. Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also like to thank regilero for a previous disclosure of CVE-2019-16276. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 474d522ee2cb9357f73891f1a86c7162d0b9d23c) Signed-off-by: Sebastiaan van Stijn --- appveyor.yml | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.cross | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/appveyor.yml b/appveyor.yml index c117563fda..ebff5720e2 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.12.10 + GOVERSION: 1.12.12 DEPVERSION: v0.4.1 install: diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 86b402e145..728016e40a 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.12.10 +ARG GO_VERSION=1.12.12 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.cross b/dockerfiles/Dockerfile.cross index 696f03f30e..95f767a53e 100644 --- a/dockerfiles/Dockerfile.cross +++ b/dockerfiles/Dockerfile.cross @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.12.10 +ARG GO_VERSION=1.12.12 FROM dockercore/golang-cross:${GO_VERSION} ENV DISABLE_WARN_OUTSIDE_CONTAINER=1 diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 4d336f5f53..f17196d3b4 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.12.10 +ARG GO_VERSION=1.12.12 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index e7a23a8286..2c11c8feac 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.12.10 +ARG GO_VERSION=1.12.12 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION} diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index ac9b5442f6..1d30d87b3f 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.12.10 +ARG GO_VERSION=1.12.12 FROM golang:${GO_VERSION}-alpine