Update Go to 1.17.3
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details. From the announcement e-mail: [security] Go 1.17.3 and Go 1.16.10 are released We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor releases include two security fixes following the security policy: - archive/zip: don't panic on (*Reader).Open Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue golang.org/issue/48085. - debug/macho: invalid dynamic symbol table command can cause panic Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
@@ -1,6 +1,6 @@
|
||||
# Prepare windows environment for building and running containerd tests
|
||||
|
||||
$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.17.2"; make = ""; nssm = "" }
|
||||
$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.17.3"; make = ""; nssm = "" }
|
||||
|
||||
write-host "Downloading chocolatey package"
|
||||
curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'
|
||||
|
||||
Reference in New Issue
Block a user