From 52037f602bffd9b9cc4e85029ac1e8ca4a491956 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Thu, 5 Sep 2024 17:51:27 +0200 Subject: [PATCH 1/3] update to go1.22.7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.22.6...go1.22.7 These minor releases include 3 security fixes following the security policy: - go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. This is CVE-2024-34155 and Go issue https://go.dev/issue/69138. - encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. This is CVE-2024-34156 and Go issue https://go.dev/issue/69139. - go/build/constraint: stack exhaustion in Parse Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. This is CVE-2024-34158 and Go issue https://go.dev/issue/69141. View the release notes for more information: https://go.dev/doc/devel/release#go1.23.1 Signed-off-by: Paweł Gronowski (cherry picked from commit 3bf39d25a0903c1f7ee952453ff89f399101caa2) Signed-off-by: Austin Vazquez --- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8d9bb084d343..2ee6bc1ade21 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -72,7 +72,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22.6 + go-version: 1.22.7 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index a7a6874692f5..ec5e447c54c6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.20 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.22.6 +ARG GO_VERSION=1.22.7 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index cafd6814535f..dadc531df596 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.22.6" + default = "1.22.7" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 49822097e5eb..ab49768f4d1b 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.6 +ARG GO_VERSION=1.22.7 ARG ALPINE_VERSION=3.20 ARG BUILDX_VERSION=0.12.1 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index ef87d954889e..1e090e59eb27 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.6 +ARG GO_VERSION=1.22.7 ARG ALPINE_VERSION=3.20 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index df1aa0142628..56802f532193 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.6 +ARG GO_VERSION=1.22.7 ARG ALPINE_VERSION=3.20 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index e3ad38b12559..67d842286b85 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.6 +ARG GO_VERSION=1.22.7 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local From 24c47bad80e3bad473e544176707467e7bf26449 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 17 Sep 2024 21:39:56 +0200 Subject: [PATCH 2/3] gha: update codeql workflow to go1.22.7 commit d7d56599ca0d80f3b06b69b6a9a6e91321416775 updated this repository to go1.22, but the codeql action didn't specify a patch version, and was missed. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit e1213edcc62e6fa5a1aab83b5fa1ae351dabf127) Signed-off-by: Austin Vazquez --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a3f82a1ed161..8262d870f7f2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -57,7 +57,7 @@ jobs: name: Update Go uses: actions/setup-go@v5 with: - go-version: '1.21' + go-version: 1.22.7 - name: Initialize CodeQL uses: github/codeql-action/init@v3 From 718cd79a8aa3369c3a5b78ec0e6d13f00836e1d9 Mon Sep 17 00:00:00 2001 From: Austin Vazquez Date: Fri, 4 Oct 2024 20:15:42 +0000 Subject: [PATCH 3/3] ci: update to go1.22.8 Signed-off-by: Austin Vazquez (cherry picked from commit a6ab65948e6ecaf4167e2ef91b24c30929296256) Signed-off-by: Austin Vazquez --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- e2e/testdata/Dockerfile.gencerts | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8262d870f7f2..2a43b7ddb8af 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -57,7 +57,7 @@ jobs: name: Update Go uses: actions/setup-go@v5 with: - go-version: 1.22.7 + go-version: 1.22.8 - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2ee6bc1ade21..4ce85dd16a62 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -72,7 +72,7 @@ jobs: name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22.7 + go-version: 1.22.8 - name: Test run: | diff --git a/Dockerfile b/Dockerfile index ec5e447c54c6..c3ddc99d3eec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.20 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.22.7 +ARG GO_VERSION=1.22.8 ARG XX_VERSION=1.2.1 ARG GOVERSIONINFO_VERSION=v1.3.0 ARG GOTESTSUM_VERSION=v1.10.0 diff --git a/docker-bake.hcl b/docker-bake.hcl index dadc531df596..f80642f49f4a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.22.7" + default = "1.22.8" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index ab49768f4d1b..96115d4fe4a4 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.7 +ARG GO_VERSION=1.22.8 ARG ALPINE_VERSION=3.20 ARG BUILDX_VERSION=0.12.1 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 1e090e59eb27..06cc7fca9cf1 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.7 +ARG GO_VERSION=1.22.8 ARG ALPINE_VERSION=3.20 ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 56802f532193..ad92ca08d060 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.7 +ARG GO_VERSION=1.22.8 ARG ALPINE_VERSION=3.20 ARG MODOUTDATED_VERSION=v0.8.0 diff --git a/e2e/testdata/Dockerfile.gencerts b/e2e/testdata/Dockerfile.gencerts index 67d842286b85..e502dfc095d5 100644 --- a/e2e/testdata/Dockerfile.gencerts +++ b/e2e/testdata/Dockerfile.gencerts @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.22.7 +ARG GO_VERSION=1.22.8 FROM golang:${GO_VERSION}-alpine AS generated ENV GOTOOLCHAIN=local