From fc9535e61f8defd84af99660fdf353c85f207250 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 2 Sep 2022 21:06:22 +0200 Subject: [PATCH 1/8] update to golang 1.19 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 07ac2d8dc4b6881b656b60a3f6359d6efd386278) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 22d68c1cf6..71e01dfd8f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19.0 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index b0c031a29f..2075572b5c 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.10 + GOVERSION: 1.19.0 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 6d24ff5bf5..9ac29aee8d 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.10" + default = "1.19.0" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index b0239a2641..a885e2eb8e 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19.0 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 1b51313c4a..5b25dae4af 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19.0 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 2597f58cf3..45dfa7daa4 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19.0 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 966c232bf5..f728e83a10 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.10 +ARG GO_VERSION=1.19.0 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From 0e05f9efcb8e69810f2986f2fd14650a35b47a35 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 6 Sep 2022 22:19:38 +0200 Subject: [PATCH 2/8] Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190 From the mailing list: We have just released Go versions 1.19.1 and 1.18.6, minor point releases. These minor releases include 2 security fixes following the security policy: - net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this. This is CVE-2022-27664 and Go issue https://go.dev/issue/54658. - net/url: JoinPath does not strip relative path components in all circumstances JoinPath and URL.JoinPath would not remove `../` path components appended to a relative path. For example, `JoinPath("https://go.dev", "../go")` returned the URL `https://go.dev/../go`, despite the JoinPath documentation stating that `../` path elements are cleaned from the result. Thanks to q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385. Release notes: go1.19.1 (released 2022-09-06) includes security fixes to the net/http and net/url packages, as well as bug fixes to the compiler, the go command, the pprof command, the linker, the runtime, and the crypto/tls and crypto/x509 packages. See the Go 1.19.1 milestone on the issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 3a17d8a9091674406f0237ca5274428d3912d65a) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71e01dfd8f..f096104679 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.0 +ARG GO_VERSION=1.19.1 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 2075572b5c..489b7ca26b 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.0 + GOVERSION: 1.19.1 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 9ac29aee8d..7548f63d79 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.0" + default = "1.19.1" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index a885e2eb8e..3e14c1aa5c 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.0 +ARG GO_VERSION=1.19.1 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 5b25dae4af..019af891b6 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.0 +ARG GO_VERSION=1.19.1 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 45dfa7daa4..7de17f946c 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.0 +ARG GO_VERSION=1.19.1 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index f728e83a10..3a26c071d1 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.0 +ARG GO_VERSION=1.19.1 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From eac65a6faedc61c79c5c8850693ec2b023a81e1e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 4 Oct 2022 20:51:47 +0200 Subject: [PATCH 3/8] Update to go 1.19.2 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715 From the mailing list: We have just released Go versions 1.19.2 and 1.18.7, minor point releases. These minor releases include 3 security fixes following the security policy: - archive/tar: unbounded memory consumption when reading headers Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-2879 and Go issue https://go.dev/issue/54853. - net/http/httputil: ReverseProxy should not forward unparseable query parameters Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue. This is CVE-2022-2880 and Go issue https://go.dev/issue/54663. - regexp/syntax: limit memory used by parsing regexps The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. This is CVE-2022-41715 and Go issue https://go.dev/issue/55949. View the release notes for more information: https://go.dev/doc/devel/release#go1.19.2 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 485f1f79c513a853f90f3922848f455010539be9) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index f096104679..a343d7f67d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 489b7ca26b..de5b0a5018 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.1 + GOVERSION: 1.19.2 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 7548f63d79..3a01889ed1 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.1" + default = "1.19.2" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 3e14c1aa5c..1f64260143 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 019af891b6..c719d059ee 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 7de17f946c..d86f5eea91 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 3a26c071d1..d620d5fe26 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.1 +ARG GO_VERSION=1.19.2 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From ff13dd39f37b8c1ebf58f657dfdaa0338df6e78b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 5 Nov 2022 17:39:57 +0100 Subject: [PATCH 4/8] Update to Go 1.19.3 to address CVE-2022-41716 On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D". Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This is CVE-2022-41716 and Go issue https://go.dev/issue/56284. This Go release also fixes https://github.com/golang/go/issues/56309, a runtime bug which can cause random memory corruption when a goroutine exits with runtime.LockOSThread() set. This fix is necessary to unblock work to replace certain uses of pkg/reexec with unshared OS threads. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 85eee32f4cdec142fe1eef993eecd1f9558e9055) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index a343d7f67d..e1bf84d34e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index de5b0a5018..99978a9ecc 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.2 + GOVERSION: 1.19.3 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 3a01889ed1..b271506f9c 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.2" + default = "1.19.3" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 1f64260143..6f1a411330 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index c719d059ee..799bfef11b 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index d86f5eea91..cb2a6a1d1f 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index d620d5fe26..5988924c2c 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.2 +ARG GO_VERSION=1.19.3 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From 16b95be9da7f17da8a016ff4581efbbb24cc193e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 6 Dec 2022 23:03:41 +0100 Subject: [PATCH 5/8] update to go1.19.4 Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720), and os (CVE-2022-41720). These minor releases include 2 security fixes following the security policy: - os, net/http: avoid escapes from os.DirFS and http.Dir on Windows The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. This is CVE-2022-41720 and Go issue https://go.dev/issue/56694. - net/http: limit canonical header cache by bytes, not entries An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2. Thanks to Josselin Costanzi for reporting this issue. This is CVE-2022-41717 and Go issue https://go.dev/issue/56350. View the release notes for more information: https://go.dev/doc/devel/release#go1.19.4 And the milestone on the issue tracker: https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 016846e950e2fbfcae89005652d932ff74648976) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index e1bf84d34e..4886ee6f2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 99978a9ecc..57d0e74a17 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.3 + GOVERSION: 1.19.4 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index b271506f9c..6389654d1a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.3" + default = "1.19.4" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 6f1a411330..1dbd6e0129 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 799bfef11b..1d3a03eb7a 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index cb2a6a1d1f..1e70d6833b 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 5988924c2c..4ded757027 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.3 +ARG GO_VERSION=1.19.4 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From ad4d0e07e3035471bda638855bba71ac4dd175a3 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Jan 2023 00:41:55 +0100 Subject: [PATCH 6/8] update to go1.19.5 go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and the crypto/x509, net/http, sync/atomic, and syscall packages. See the Go 1.19.5 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.19.5+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.19.4...go1.19.5 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit b9e1ad3d1931164008dfbf9413e1b5cf2a906372) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4886ee6f2e..3c0cb9ab8d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 57d0e74a17..81ef27e341 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.4 + GOVERSION: 1.19.5 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 6389654d1a..71dd47abdd 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.4" + default = "1.19.5" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 1dbd6e0129..10fbb157e2 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 1d3a03eb7a..3364eab00a 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 1e70d6833b..4bfa8b13ce 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 4ded757027..13eab8fc1f 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.4 +ARG GO_VERSION=1.19.5 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From 0ddd3ff204732ffd9682962b92fd2057577776f7 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 17 Feb 2023 01:05:16 +0100 Subject: [PATCH 7/8] update to go1.19.6 go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go command, the linker, the runtime, and the crypto/x509, net/http, and time packages. See the Go 1.19.6 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved From the announcement on the security mailing: We have just released Go versions 1.20.1 and 1.19.6, minor point releases. These minor releases include 4 security fixes following the security policy: - path/filepath: path traversal in filepath.Clean on Windows On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b. This is CVE-2022-41722 and Go issue https://go.dev/issue/57274. - net/http, mime/multipart: denial of service from excessive resource consumption Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map ntry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. This is CVE-2022-41725 and Go issue https://go.dev/issue/58006. - crypto/tls: large handshake records may cause panics Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth > = RequestClientCert). This is CVE-2022-41724 and Go issue https://go.dev/issue/58001. - net/http: avoid quadratic complexity in HPACK decoding A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2. This is CVE-2022-41723 and Go issue https://go.dev/issue/57855. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit e921e103a4c5a844cfc90d10de824c97cd78f00e) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3c0cb9ab8d..84eebb913f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 81ef27e341..0f4b15d0f6 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.5 + GOVERSION: 1.19.6 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 71dd47abdd..4452f7f23f 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.5" + default = "1.19.6" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 10fbb157e2..92aaa8d0fb 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 3364eab00a..e916d18915 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 4bfa8b13ce..e9a1c9a5be 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 13eab8fc1f..404134b804 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.5 +ARG GO_VERSION=1.19.6 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0 From 39a0de9a45205675874504dc5d504f811e7c5ad1 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Mar 2023 10:22:54 +0100 Subject: [PATCH 8/8] update to go1.19.7 Includes a security fix for crypto/elliptic (CVE-2023-24532). > go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic > package, as well as bug fixes to the linker, the runtime, and the crypto/x509 > and syscall packages. See the Go 1.19.7 milestone on our issue tracker for > details. https://go.dev/doc/devel/release#go1.19.minor From the announcement: > We have just released Go versions 1.20.2 and 1.19.7, minor point releases. > > These minor releases include 1 security fixes following the security policy: > > - crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results > > The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an > incorrect result if called with some specific unreduced scalars (a scalar larger > than the order of the curve). > > This does not impact usages of crypto/ecdsa or crypto/ecdh. > > This is CVE-2023-24532 and Go issue https://go.dev/issue/58647. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 23da1cec6c9cf541095012122084da019fff9b92) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 84eebb913f..70ed52bf1c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.19.6 +ARG GO_VERSION=1.19.7 ARG ALPINE_VERSION=3.16 ARG XX_VERSION=1.1.0 diff --git a/appveyor.yml b/appveyor.yml index 0f4b15d0f6..a030e73222 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.19.6 + GOVERSION: 1.19.7 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 4452f7f23f..2aa4c48aaa 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.19.6" + default = "1.19.7" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 92aaa8d0fb..4ebe09d25b 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.6 +ARG GO_VERSION=1.19.7 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index e916d18915..46e977ff69 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.6 +ARG GO_VERSION=1.19.7 ARG ALPINE_VERSION=3.16 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index e9a1c9a5be..32e323c69b 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.19.6 +ARG GO_VERSION=1.19.7 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 404134b804..a732efaadf 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.19.6 +ARG GO_VERSION=1.19.7 ARG ALPINE_VERSION=3.16 ARG GOLANGCI_LINT_VERSION=v1.49.0