From 6b752b5362a646636e7972f711c7edad5efe30e3 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Oct 2023 20:26:25 +0200 Subject: [PATCH 1/2] update to go1.21.2, go1.20.9 go1.21.2 (released 2023-10-05) includes one security fixes to the cmd/go package, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the runtime/metrics package. See the Go 1.21.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.21.2+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.21.1...go1.21.2 From the security mailing: [security] Go 1.21.2 and Go 1.20.9 are released Hello gophers, We have just released Go versions 1.21.2 and 1.20.9, minor point releases. These minor releases include 1 security fixes following the security policy: - cmd/go: line directives allows arbitrary execution during build "//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compliation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploting this issue significantly more complex. This is CVE-2023-39323 and Go issue https://go.dev/issue/63211. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- script/setup/prepare_env_windows.ps1 | 2 +- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index 1d7c87e23..d8f5b8903 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.1" + go-version: "1.21.2" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4c3ecc28..248196225 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: env: # Go version we currently use to build containerd across all CI. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. - GO_VERSION: "1.21.1" + GO_VERSION: "1.21.2" permissions: # added using https://github.com/step-security/secure-workflows contents: read @@ -209,7 +209,7 @@ jobs: strategy: matrix: os: [ubuntu-22.04, macos-12, windows-2019, windows-2022] - go-version: ["1.20.8", "1.21.1"] + go-version: ["1.20.9", "1.21.2"] steps: - uses: actions/setup-go@v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d6ae47155..e948de676 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/setup-go@v3 with: - go-version: 1.21.1 + go-version: 1.21.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 035681982..e93b4b735 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.1" + go-version: "1.21.2" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a4e482997..d66653876 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: - ".github/workflows/nightly.yml" env: - GO_VERSION: "1.21.1" + GO_VERSION: "1.21.2" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10157529d..116584891 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ on: name: Release env: - GO_VERSION: "1.21.1" + GO_VERSION: "1.21.2" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/Vagrantfile b/Vagrantfile index 7d374ff13..3a6ca7b34 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -104,7 +104,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.21.1", + 'GO_VERSION': ENV['GO_VERSION'] || "1.21.2", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index ef4182b04..f74cee6ac 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -29,7 +29,7 @@ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.21.1 +ARG GOLANG_VERSION=1.21.2 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index 48c3672e9..8ad20cefb 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh @@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.21.1.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.21.2.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.21.1.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.21.2.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index 6b04aa28f..d3ca42de6 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.1"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.2"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip' From 313f514fdd1c3754136ebe7ca85abce0f7f4fcf5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 Oct 2023 20:29:07 +0200 Subject: [PATCH 2/2] update to go1.21.3. gp1.20.10 go1.21.3 (released 2023-10-10) includes a security fix to the net/http package. See the Go 1.21.3 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3 From the security mailing: [security] Go 1.21.3 and Go 1.20.10 are released Hello gophers, We have just released Go versions 1.21.3 and 1.20.10, minor point releases. These minor releases include 1 security fixes following the security policy: - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build-test-images.yml | 2 +- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/images.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- Vagrantfile | 2 +- contrib/Dockerfile.test | 2 +- contrib/fuzz/oss_fuzz_build.sh | 4 ++-- script/setup/prepare_env_windows.ps1 | 2 +- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index d8f5b8903..91351262f 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.2" + go-version: "1.21.3" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 248196225..babb7b4ae 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: env: # Go version we currently use to build containerd across all CI. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. - GO_VERSION: "1.21.2" + GO_VERSION: "1.21.3" permissions: # added using https://github.com/step-security/secure-workflows contents: read @@ -209,7 +209,7 @@ jobs: strategy: matrix: os: [ubuntu-22.04, macos-12, windows-2019, windows-2022] - go-version: ["1.20.9", "1.21.2"] + go-version: ["1.20.10", "1.21.3"] steps: - uses: actions/setup-go@v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e948de676..6d1c69d20 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/setup-go@v3 with: - go-version: 1.21.2 + go-version: 1.21.3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index e93b4b735..461e8d81b 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.21.2" + go-version: "1.21.3" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index d66653876..739124e9e 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -7,7 +7,7 @@ on: - ".github/workflows/nightly.yml" env: - GO_VERSION: "1.21.2" + GO_VERSION: "1.21.3" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 116584891..64570af85 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ on: name: Release env: - GO_VERSION: "1.21.2" + GO_VERSION: "1.21.3" permissions: # added using https://github.com/step-security/secure-workflows contents: read diff --git a/Vagrantfile b/Vagrantfile index 3a6ca7b34..81ff99b7a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -104,7 +104,7 @@ EOF config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.21.2", + 'GO_VERSION': ENV['GO_VERSION'] || "1.21.3", } sh.inline = <<~SHELL #!/usr/bin/env bash diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test index f74cee6ac..4aeac8fda 100644 --- a/contrib/Dockerfile.test +++ b/contrib/Dockerfile.test @@ -29,7 +29,7 @@ # docker run --privileged containerd-test # ------------------------------------------------------------------------------ -ARG GOLANG_VERSION=1.21.2 +ARG GOLANG_VERSION=1.21.3 ARG GOLANG_IMAGE=golang FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh index 8ad20cefb..c94a303e5 100755 --- a/contrib/fuzz/oss_fuzz_build.sh +++ b/contrib/fuzz/oss_fuzz_build.sh @@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images apt-get update && apt-get install -y wget cd $SRC -wget --quiet https://go.dev/dl/go1.21.2.linux-amd64.tar.gz +wget --quiet https://go.dev/dl/go1.21.3.linux-amd64.tar.gz mkdir temp-go rm -rf /root/.go/* -tar -C temp-go/ -xzf go1.21.2.linux-amd64.tar.gz +tar -C temp-go/ -xzf go1.21.3.linux-amd64.tar.gz mv temp-go/go/* /root/.go/ cd $SRC/containerd diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1 index d3ca42de6..597f7a3a6 100644 --- a/script/setup/prepare_env_windows.ps1 +++ b/script/setup/prepare_env_windows.ps1 @@ -5,7 +5,7 @@ # lived test environment. Set-MpPreference -DisableRealtimeMonitoring:$true -$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.2"; make = ""; nssm = "" } +$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.3"; make = ""; nssm = "" } Write-Host "Downloading chocolatey package" curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'