Commit Graph

70 Commits

Author SHA1 Message Date
Sebastiaan van Stijn aa720f154a
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:22:18 +02:00
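An added example, not part of the commit message above and not this project's code: a Go wrapper that refuses the two lookup outcomes behind the os/exec item in this batch, an empty command name and a resolution that lands in the current working directory. The names `lookExecutable` and `command` are my own; the behaviour of `exec.LookPath` with a "." or empty `$PATH` entry is standard Go.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// lookExecutable resolves a command name to an absolute path before anything
// is started. Two outcomes that a plain exec.Command tolerates are refused:
//
//   - an empty name: with Cmd.Path unset, os/exec on Windows before the fix in
//     this batch could run a "..com" or "..exe" binary from the working
//     directory (CVE-2022-30580);
//   - a result that is not absolute: on Unix a "." or empty $PATH element makes
//     LookPath return a cwd-relative path, so the binary would come from
//     wherever the process happens to run rather than from a trusted directory.
//
// Go 1.19 and later report the second case as exec.ErrDot; the IsAbs check
// below catches it on older toolchains, which return the relative path without
// an error.
func lookExecutable(name string) (string, error) {
	if name == "" {
		return "", errors.New("exec: empty command name")
	}
	// Explicit relative paths ("./tool", "bin/tool") bypass $PATH but are just
	// as cwd-dependent, so they are refused as well.
	if strings.ContainsRune(name, filepath.Separator) && !filepath.IsAbs(name) {
		return "", fmt.Errorf("exec: refusing cwd-relative command %q", name)
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(path) {
		return "", fmt.Errorf("exec: %q resolved to cwd-relative %q", name, path)
	}
	return path, nil
}

// command is a stricter stand-in for exec.Command: the name is pinned to an
// absolute path first, so Cmd.Path can never be empty or cwd-relative.
// Absolute names pass through unchanged, as they do with exec.LookPath.
func command(name string, arg ...string) (*exec.Cmd, error) {
	path, err := lookExecutable(name)
	if err != nil {
		return nil, err
	}
	return exec.Command(path, arg...), nil
}

func main() {
	for _, name := range []string{"", "./tool", "sh"} {
		if cmd, err := command(name, "-c", "true"); err != nil {
			fmt.Printf("%q rejected: %v\n", name, err)
		} else {
			fmt.Printf("%q accepted as %s\n", name, cmd.Path)
		}
	}
}
```

Pinning the absolute path (or checking what `LookPath` returned) is the portable counterpart of the Windows-specific fix: a binary dropped into a writable directory that is on `$PATH` as "." is the same class of problem as the "..exe" case described above.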
Sebastiaan van Stijn f5d16893dd
update golang to 1.18.2
go1.18.2 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509,
go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2
milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.2+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.18.1...go1.18.2

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:20:44 +02:00
Sebastiaan van Stijn c3fe1b962f
update golang to 1.18.1
go1.18.1 (released 2022-04-12) includes security fixes to the crypto/elliptic,
crypto/x509, and encoding/pem packages, as well as bug fixes to the compiler,
linker, runtime, the go command, vet, and the bytes, crypto/x509, and go/types
packages. See the Go 1.18.1 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.1+label%3ACherryPickApproved

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-27536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 09:58:44 +02:00
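The three toolchain bumps above (1.18.1, 1.18.2, 1.18.3) each exist to pick up security fixes, and the check a practitioner wants in CI is whether the toolchain that built a binary is at or past the fixed level on its own release line. Below is an added example of that gate in Go (my code, not the project's): a version parser that fails closed on pre-release toolchains, and a per-CVE table of fix levels. The 1.18.x levels and 1.17.11 are the ones quoted in these commit messages; the 1.17.9 and 1.17.10 levels come from the upstream Go announcements for the 1.18.1 and 1.18.2 releases rather than from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"sort"
	"strconv"
)

// goVersion is the numeric part of a Go toolchain version such as "go1.18.3".
type goVersion struct{ major, minor, patch int }

// key gives a total order on (major, minor, patch); patch levels stay < 1000.
func (v goVersion) key() int { return v.major*1_000_000 + v.minor*1_000 + v.patch }

// sameLine reports whether v and w are on one minor line (1.18.x), the unit
// in which Go backports security fixes.
func (v goVersion) sameLine(w goVersion) bool { return v.major == w.major && v.minor == w.minor }

// Only final releases match: "go1.19rc1", "go1.19beta1" and "devel ..."
// toolchains cannot be placed on a patch line, so the gate fails closed.
var goVersionRE = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?$`)

// parseGoVersion accepts "go1.18.3", "1.18.3" and "go1.18" (patch 0), the
// forms produced by `go version`, runtime.Version() and go.mod directives.
func parseGoVersion(s string) (goVersion, error) {
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("unrecognised Go toolchain version %q", s)
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1]) // the regexp guarantees plain digits
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// fixedIn lists, per CVE, the first release on each maintained line that
// carries the fix. 1.18.x levels and 1.17.11 are quoted in the commit messages
// above; 1.17.9 and 1.17.10 are from the upstream Go release announcements.
var fixedIn = map[string][]goVersion{
	"CVE-2022-24675": {{1, 17, 9}, {1, 18, 1}},
	"CVE-2022-27536": {{1, 17, 9}, {1, 18, 1}},
	"CVE-2022-28327": {{1, 17, 9}, {1, 18, 1}},
	"CVE-2022-29526": {{1, 17, 10}, {1, 18, 2}}, // syscall
	"CVE-2022-30634": {{1, 17, 11}, {1, 18, 3}}, // crypto/rand
	"CVE-2022-30629": {{1, 17, 11}, {1, 18, 3}}, // crypto/tls
	"CVE-2022-30580": {{1, 17, 11}, {1, 18, 3}}, // os/exec
	"CVE-2022-29804": {{1, 17, 11}, {1, 18, 3}}, // path/filepath
}

// containsFix: v is patched if it is at or above the fix level on its own
// line, or newer than every listed line (1.19.0 carries what 1.18.3 does).
// Older than all listed lines counts as unpatched.
func containsFix(v goVersion, fixed []goVersion) bool {
	newest := fixed[0]
	for _, f := range fixed {
		if v.sameLine(f) {
			return v.key() >= f.key()
		}
		if f.key() > newest.key() {
			newest = f
		}
	}
	return v.key() > newest.key()
}

// missingFixes returns, sorted, the CVEs whose fix toolchain version s lacks.
// An unparsable version is an error, never "nothing missing".
func missingFixes(s string) ([]string, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return nil, err
	}
	var missing []string
	for cve, fixed := range fixedIn {
		if !containsFix(v, fixed) {
			missing = append(missing, cve)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	// Gate on the toolchain that built this binary, e.g. as a CI smoke test.
	v := runtime.Version()
	if missing, err := missingFixes(v); err != nil {
		fmt.Println("cannot evaluate toolchain:", err)
	} else if len(missing) > 0 {
		fmt.Printf("%s lacks fixes for %v\n", v, missing)
	} else {
		fmt.Printf("%s contains every fix in the table\n", v)
	}
}
```

For an artifact you did not build yourself, `go version -m ./binary` (or `runtime/debug.ReadBuildInfo()` inside the process) yields the build toolchain string to feed into `missingFixes`.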
Sebastiaan van Stijn 635c55d52f
update go to 1.18.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-28 17:23:09 +02:00
Sebastiaan van Stijn dce5929794
Update to debian bullseye
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-28 16:00:46 +02:00
Tonis Tiigi 6119e4ba90
update go to 1.17.8
Removes the platform-based switch between different versions.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-26 17:00:56 +01:00
CrazyMax 7dc35c03fc
validate manpages target
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-25 17:11:17 +01:00
CrazyMax a650f4ddd0
switch to cli-docs-tool for yaml docs generation
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
switch to cli-docs-tool and validate yamldocs

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-25 17:11:16 +01:00
CrazyMax bea6c0d242
validate authors target
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-25 17:03:25 +01:00
CrazyMax 7e560ae76f
vendor with go mod
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-12-16 21:16:01 +01:00
CrazyMax 3425e9dc3c
ci: add glibc to build matrix
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-12-09 16:37:12 +01:00
CrazyMax 4d93717ae5
ci: github actions test workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-12-07 14:50:22 +01:00
CrazyMax 62ea2bf1aa
GitHub Actions e2e tests
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-11-17 17:18:25 +01:00
CrazyMax dbac826815
Fix checkout behavior and FileVersion
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-10-12 10:48:31 +02:00
CrazyMax d9f4352c26
GitHub Actions cross
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-09-26 18:01:55 +02:00
CrazyMax 698c155478
GitHub Actions for lint
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-08-05 08:44:21 +02:00
Sebastiaan van Stijn 0d11ef3056
GH Actions: run CodeQL only on cron-job, not on pull requests
Analysis takes more than 10 minutes, which is quite long to
run, so change it to only run on a cron job.

Also changing the cron to run on Thursdays instead of Fridays;
no need to worry about security issues during the Weekend.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-01 16:51:28 +02:00
Sebastiaan van Stijn c8e3ddc768
Add CodeQL Analysis workflow (again)
This feature went GA, so adding this workflow again. Workflow
is updated to the suggested template when enabling.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-01 14:23:28 +02:00
Sebastiaan van Stijn 176380db88
Revert "Add CodeQL Analysis workflow"
This feature does not appear to be generally available yet, so
reverting for now.

This reverts commit 454c1927c0.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-20 10:26:10 +02:00
Sebastiaan van Stijn 454c1927c0
Add CodeQL Analysis workflow
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-15 18:34:53 +02:00