From 734219a21aae2cb1882b5650d6e5d2f2d7f79725 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn
Date: Tue, 5 Dec 2023 23:34:44 +0100
Subject: [PATCH] update to go1.21.5, go1.20.12

go1.21.5 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rand, net, os, and syscall packages. See the Go 1.21.5 milestone on our issue tracker for details: - https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.4...go1.21.5 from the security mailing: [security] Go 1.21.5 and Go 1.20.12 are released Hello gophers, We have just released Go versions 1.21.5 and 1.20.12, minor point releases. These minor releases include 3 security fixes following the security policy: - net/http: limit chunked data overhead A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.
- cmd/go: go get may unexpectedly fallback to insecure git Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). Thanks to David Leadbeater for reporting this issue. This is CVE-2023-45285 and Go issue https://go.dev/issue/63845. - path/filepath: retain trailing \ when cleaning paths like \\?\c:\ Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored. This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/build-test-images.yml | 2 +-
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/images.yml | 2 +-
 .github/workflows/nightly.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 Vagrantfile | 2 +-
 contrib/Dockerfile.test | 2 +-
 contrib/fuzz/oss_fuzz_build.sh | 4 ++--
 script/setup/prepare_env_windows.ps1 | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml
index d95af1de5..e90c1f68e 100644
--- a/.github/workflows/build-test-images.yml
+++ b/.github/workflows/build-test-images.yml
@@ -43,7 +43,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: "1.21.4"
+ go-version: "1.21.5"
 - uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e77cde019..982975b37 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
 env:
 # Go version we currently use to build containerd across all CI.
 # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
- GO_VERSION: "1.21.4"
+ GO_VERSION: "1.21.5"
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
@@ -209,7 +209,7 @@ jobs:
 strategy:
 matrix:
 os: [ubuntu-22.04, macos-12, windows-2019, windows-2022]
- go-version: ["1.20.11", "1.21.4"]
+ go-version: ["1.20.12", "1.21.5"]
 steps:
 - uses: actions/setup-go@v4
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fa04ef5fa..3e95fccf1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,7 +34,7 @@ jobs:
 - uses: actions/setup-go@v3
 with:
- go-version: 1.21.4
+ go-version: 1.21.5
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 633a2001c..6c4893713 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v3
 with:
- go-version: "1.21.4"
+ go-version: "1.21.5"
 - uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 93d34136b..4b1a0f088 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,7 +7,7 @@ on:
 - ".github/workflows/nightly.yml"
 env:
- GO_VERSION: "1.21.4"
+ GO_VERSION: "1.21.5"
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7eb3c9c88..998aa7d13 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ on:
 name: Release
 env:
- GO_VERSION: "1.21.4"
+ GO_VERSION: "1.21.5"
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
diff --git a/Vagrantfile b/Vagrantfile
index e7b0546df..09b97b512 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -104,7 +104,7 @@ EOF
 config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
 sh.upload_path = "/tmp/vagrant-install-golang"
 sh.env = {
- 'GO_VERSION': ENV['GO_VERSION'] || "1.21.4",
+ 'GO_VERSION': ENV['GO_VERSION'] || "1.21.5",
 }
 sh.inline = <<~SHELL
 #!/usr/bin/env bash
diff --git a/contrib/Dockerfile.test b/contrib/Dockerfile.test
index 58a3cf328..3bcb2b6d4 100644
--- a/contrib/Dockerfile.test
+++ b/contrib/Dockerfile.test
@@ -29,7 +29,7 @@
 # docker run --privileged containerd-test
 # ------------------------------------------------------------------------------
-ARG GOLANG_VERSION=1.21.4
+ARG GOLANG_VERSION=1.21.5
 ARG GOLANG_IMAGE=golang
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang
diff --git a/contrib/fuzz/oss_fuzz_build.sh b/contrib/fuzz/oss_fuzz_build.sh
index af2d09843..7888b6c6f 100755
--- a/contrib/fuzz/oss_fuzz_build.sh
+++ b/contrib/fuzz/oss_fuzz_build.sh
@@ -43,11 +43,11 @@ go run main.go $SRC/containerd/images
 apt-get update && apt-get install -y wget
 cd $SRC
-wget --quiet https://go.dev/dl/go1.21.4.linux-amd64.tar.gz
+wget --quiet https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
 mkdir temp-go
 rm -rf /root/.go/*
-tar -C temp-go/ -xzf go1.21.4.linux-amd64.tar.gz
+tar -C temp-go/ -xzf go1.21.5.linux-amd64.tar.gz
 mv temp-go/go/* /root/.go/
 cd $SRC/containerd
diff --git a/script/setup/prepare_env_windows.ps1 b/script/setup/prepare_env_windows.ps1
index f14cd01eb..45b448351 100755
--- a/script/setup/prepare_env_windows.ps1
+++ b/script/setup/prepare_env_windows.ps1
@@ -5,7 +5,7 @@
 # lived test environment.
 Set-MpPreference -DisableRealtimeMonitoring:$true
-$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.4"; make = ""; nssm = "" }
+$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.21.5"; make = ""; nssm = "" }
 Write-Host "Downloading chocolatey package"
 curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'