[26.1 backport] ci: update to go1.22.8 #5513

Open
wants to merge 3 commits into
base: 26.1

Commits on Oct 8, 2024

  1. update to go1.22.7

    - https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
    - full diff: golang/go@go1.22.6...go1.22.7
    
    These minor releases include 3 security fixes following the security policy:
    
    - go/parser: stack exhaustion in all Parse* functions
    
        Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
    
        This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
    
    - encoding/gob: stack exhaustion in Decoder.Decode
    
        Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
    
        This is a follow-up to CVE-2022-30635.
    
        Thanks to Md Sakib Anwar of The Ohio State University ([email protected]) for reporting this issue.
    
        This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
    
    - go/build/constraint: stack exhaustion in Parse
    
        Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
    
        This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
    
    View the release notes for more information:
    https://go.dev/doc/devel/release#go1.23.1
    
    Signed-off-by: Paweł Gronowski <[email protected]>
    (cherry picked from commit 3bf39d2)
    Signed-off-by: Austin Vazquez <[email protected]>
    vvoland authored and austinvazquez committed Oct 8, 2024
    60853f5
  2. gha: update codeql workflow to go1.22.7

    commit d7d5659 updated this
    repository to go1.22, but the codeql action didn't specify a
    patch version, and was missed.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit e1213ed)
    Signed-off-by: Austin Vazquez <[email protected]>
    thaJeztah authored and austinvazquez committed Oct 8, 2024
    7fff8a0
  3. ci: update to go1.22.8

    Signed-off-by: Austin Vazquez <[email protected]>
    (cherry picked from commit a6ab659)
    Signed-off-by: Austin Vazquez <[email protected]>
    austinvazquez committed Oct 8, 2024
    1b1d411
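
The first commit's message describes three parsers that panic from stack exhaustion on deeply nested input. The following is an added example, not code from this PR or from the Go standard library and not Go's actual patch: a small recursive-descent checker for build-tag style expressions that bounds its recursion depth and returns an error instead. `CheckExpr`, `parse`, `maxDepth` and `identChars` are names and values assumed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed for this example: the nesting limit and the operand alphabet.
const maxDepth = 100
const identChars = "abcdefghijklmnopqrstuvwxyz0123456789_."

var ErrTooDeep = errors.New("expression nested too deeply")

// CheckExpr validates input such as "(linux && !cgo) || darwin" (spaces ignored).
func CheckExpr(expr string) error {
	s := strings.ReplaceAll(expr, " ", "")
	if end, err := parse(s, 0, 0); err != nil || end == len(s) {
		return err
	}
	return errors.New("unexpected trailing input")
}

// parse consumes one expression at s[i:] and returns the offset just after it.
func parse(s string, i, depth int) (int, error) {
	if depth > maxDepth { // fail closed instead of recursing without bound
		return i, ErrTooDeep
	}
	for {
		i = len(s) - len(strings.TrimLeft(s[i:], "!")) // negation needs no recursion
		if strings.HasPrefix(s[i:], "(") {
			j, err := parse(s, i+1, depth+1) // the only recursive call
			if err != nil {
				return j, err
			}
			if i = j + 1; !strings.HasPrefix(s[j:], ")") {
				return j, errors.New("missing ')'")
			}
		} else if j := len(s) - len(strings.TrimLeft(s[i:], identChars)); j > i {
			i = j
		} else {
			return i, errors.New("expected operand")
		}
		if r := s[i:]; !strings.HasPrefix(r, "&&") && !strings.HasPrefix(r, "||") {
			return i, nil
		}
		i += 2
	}
}

func main() { fmt.Println(CheckExpr(strings.Repeat("(", 1<<20) + "x")) }
```

Handling `!` in the loop rather than by recursion means a long run of negations costs no stack at all, so only parentheses count toward the limit.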