4ffef752d0
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath packages, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved This update addresses: CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148. Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4 From the security announcement; https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These minor releases include 9 security fixes following the security policy: - net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188. - When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue. - compress/gzip: stack exhaustion in Reader.Read Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168. - encoding/xml: stack exhaustion in Unmarshal Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611. - encoding/xml: stack exhaustion in Decoder.Skip Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614. - encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615. - path/filepath: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416. - io/fs: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415. - go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
contrib
The contrib directory contains packages that do not belong in the core containerd packages but still contribute to overall containerd usability.
Package such as Apparmor or Selinux are placed in contrib because they are platform dependent and often require higher level tools and profiles to work.
Packaging and other built tools can be added to contrib to aid in packaging containerd for various distributions.
Testing
Code in the contrib directory may or may not have been tested in the normal test pipeline for core components.