From f14ba9f5d726981bf912426cbbf9f31ce5d8d898 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 19 Aug 2022 16:50:01 +0200 Subject: [PATCH 1/9] [20.10] Dockerfile: use syntax=docker/dockerfile:1 Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b562d7e91450..db56497dfe9e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.3 +# syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine ARG GO_VERSION=1.17.13 diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 9d3b3b72d463..47acd7d4854c 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.3 +# syntax=docker/dockerfile:1 ARG GO_VERSION=1.17.13 diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 1da2d7daac6d..ca9c5932b04a 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.3 +# syntax=docker/dockerfile:1 ARG GO_VERSION=1.17.13 ARG GOLANGCI_LINTER_SHA=v1.45.2 From b3022b91d17981a2ae908732413fec27bb6a7d17 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 19 Aug 2022 16:52:49 +0200 Subject: [PATCH 2/9] [20.10] Dockerfile.lint: use go install "go get@version" is no longer supported on newer versions of go. Also renaming the build-arg to match what's used in master. Signed-off-by: Sebastiaan van Stijn --- dockerfiles/Dockerfile.lint | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index ca9c5932b04a..6e7b8eb44580 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint 
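Review bot: With `# syntax=docker/dockerfile:1` in PATCH 1/9 (Dockerfile, and the same line in dockerfiles/Dockerfile.dev and dockerfiles/Dockerfile.lint), the frontend image that parses these files is selected by a floating major tag at build time, so two builds of the same commit can be interpreted by different frontend releases. The previous `1.3` tag floated too, but only across patch releases. For a release branch such as 20.10 it is worth considering a digest pin, e.g. `# syntax=docker/dockerfile:1@sha256:<digest-placeholder>`, or at least a comment next to the directive saying that tracking the latest 1.x frontend is deliberate.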
@@ -1,16 +1,16 @@ # syntax=docker/dockerfile:1 ARG GO_VERSION=1.17.13 -ARG GOLANGCI_LINTER_SHA=v1.45.2 +ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build ENV CGO_ENABLED=0 RUN apk add --no-cache git -ARG GOLANGCI_LINTER_SHA +ARG GOLANGCI_LINT_VERSION ARG GO111MODULE=on RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ - go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINTER_SHA} + go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION} FROM golang:${GO_VERSION}-alpine AS lint ENV GO111MODULE=off From 86bf1966e2ab40ff73cbdbcf8370d9052c218896 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 27 Mar 2022 22:15:42 +0200 Subject: [PATCH 3/9] staticcheck: ignore SA1019: strings.Title is deprecated This function is deprecated because it has known limitations when using with multi-byte strings. This limitations are quite "corner case", and our use (mostly) is for ASCII strings. The suggestion replacement brings 20k+ lines of code, which is a bit too much to fix those corner cases. templates/templates.go:23:14: SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck) "title": strings.Title, ^ Signed-off-by: Sebastiaan van Stijn (cherry picked from commit bf29b40a8c915187fd11378c56cd93bc2177219b) Signed-off-by: Sebastiaan van Stijn --- templates/templates.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/templates.go b/templates/templates.go index 0e8dd1536874..deb043299dbe 100644 --- a/templates/templates.go +++ b/templates/templates.go 
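Review bot: In PATCH 2/9 (dockerfiles/Dockerfile.lint), renaming the build-arg means a caller that still passes `--build-arg GOLANGCI_LINTER_SHA=...` no longer affects the build, and the stage falls back to the default `v1.45.2`. The diffstat shows only this file changed, so it is worth confirming that no bake target, Makefile or CI job on this branch still uses the old name. A short comment above the declaration would record the contract, for example `# GOLANGCI_LINT_VERSION is a release tag (not a commit SHA) passed to "go install ...@<version>"`. The `ARG GO111MODULE=on` kept just before the `RUN` looks redundant, since `go install pkg@version` already runs module-aware on Go 1.17, so it can presumably be dropped in a follow-up.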
@@ -20,7 +20,7 @@ var basicFunctions = template.FuncMap{ }, "split": strings.Split, "join": strings.Join, - "title": strings.Title, + "title": strings.Title, //nolint:staticcheck // strings.Title is deprecated, but we only use it for ASCII, so replacing with golang.org/x/text is out of scope "lower": strings.ToLower, "upper": strings.ToUpper, "pad": padWithSpace, From 990186f2f605df2953937b4124d5595413e51528 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 27 Mar 2022 19:14:36 +0200 Subject: [PATCH 4/9] update go to 1.18.0 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 635c55d52fb48cc65f13b565006db755fdb170e5) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index db56497dfe9e..fa710dffdb2c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.17.13 +ARG GO_VERSION=1.18.0 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index d06e03c0cb75..3b8395f32695 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.17.13 + GOVERSION: 1.18.0 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 1b18ea6786c2..5fe938775789 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.17.13" + default = "1.18.0" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index c5f0552a603c..a515be8adebd 100644 --- a/dockerfiles/Dockerfile.binary-native 
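Review bot: The `//nolint` comment on the `"title"` entry in PATCH 3/9 (templates/templates.go) states that the function is only used for ASCII, but `basicFunctions` is a template FuncMap, so the input is whatever string a template passes in, and the commit message itself says the use is "(mostly)" ASCII. I would word the comment to match, e.g. `//nolint:staticcheck // strings.Title is deprecated (mishandles some Unicode word boundaries); accepted here because golang.org/x/text/cases is too large a dependency for this`. The `basicFunctions` literal starts and ends outside the hunk, so whether non-ASCII values reach `title` in practice cannot be confirmed from here.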
+++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.17.13 +ARG GO_VERSION=1.18.0 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 47acd7d4854c..fc29c2bc1b94 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.17.13 +ARG GO_VERSION=1.18.0 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 69cdd0745c52..ba496c94b4ec 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.17.13 +ARG GO_VERSION=1.18.0 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 6e7b8eb44580..dc8c523865ee 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.17.13 +ARG GO_VERSION=1.18.0 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build From 386d50c2e9356817db4413688988951f2aaf4e4b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 19 Apr 2022 09:58:44 +0200 Subject: [PATCH 5/9] update golang to 1.18.1 go1.18.1 (released 2022-04-12) includes security fixes to the crypto/elliptic, crypto/x509, and encoding/pem packages, as well as bug fixes to the compiler, linker, runtime, the go command, vet, and the bytes, crypto/x509, and go/types packages. See the Go 1.18.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.18.1+label%3ACherryPickApproved Includes fixes for: - CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675) - CVE-2022-27536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536) - CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327) 
Signed-off-by: Sebastiaan van Stijn (cherry picked from commit c3fe1b962f11c1363d6db8882a006460d4364964) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index fa710dffdb2c..38f60490ffbd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.0 +ARG GO_VERSION=1.18.1 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index 3b8395f32695..d28d75227c76 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.0 + GOVERSION: 1.18.1 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 5fe938775789..8b011af87fbb 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.0" + default = "1.18.1" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index a515be8adebd..d3c9c3bf3fe8 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.0 +ARG GO_VERSION=1.18.1 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index fc29c2bc1b94..856481460c1e 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.0 +ARG GO_VERSION=1.18.1 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index ba496c94b4ec..9a889a25d7a9 100644 
--- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.0 +ARG GO_VERSION=1.18.1 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index dc8c523865ee..1829ce07991e 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.0 +ARG GO_VERSION=1.18.1 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build From c904936d69fac5dffdc799d1e83438bd1490e65f Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 11 May 2022 14:20:44 +0200 Subject: [PATCH 6/9] update golang to 1.18.2 go1.18.2 (released 2022-05-10) includes security fixes to the syscall package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.18.2+label%3ACherryPickApproved Full diff: http://github.com/golang/go/compare/go1.18.1...go1.18.2 Includes fixes for: - CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526); (description at https://go.dev/issue/52313). Signed-off-by: Sebastiaan van Stijn (cherry picked from commit f5d16893dd23e8f00f50278740cccbb0ce00e9e8) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 38f60490ffbd..96829c4edb3c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.1 +ARG GO_VERSION=1.18.2 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index d28d75227c76..496896af739c 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.1 + GOVERSION: 1.18.2 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 8b011af87fbb..fedb2fefa6b0 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.1" + default = "1.18.2" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index d3c9c3bf3fe8..93615b0a2f83 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.1 +ARG GO_VERSION=1.18.2 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 856481460c1e..81762ca21fb7 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.1 +ARG GO_VERSION=1.18.2 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 9a889a25d7a9..a64ed6159de8 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.1 +ARG GO_VERSION=1.18.2 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 1829ce07991e..b893aadec07d 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint 
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.1 +ARG GO_VERSION=1.18.2 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build From 0389090aebc48783852a714bf667014c02aa389d Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Thu, 2 Jun 2022 09:22:18 +0200 Subject: [PATCH 7/9] update golang to 1.18.3 go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the compiler, and the crypto/tls and text/template/parse packages. See the Go 1.18.3 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These minor releases include 4 security fixes following the security policy: - crypto/rand: rand.Read hangs with extremely large buffers On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue. This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561. - crypto/tls: session tickets lack random ticket_age_add Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Thanks to GitHub user nervuri for reporting this. This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814. - `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput` are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed. Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting this. This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574. 
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows On Windows, the `filepath.Clean` function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. Thanks to Unrud for reporting this issue. This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476. [CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634 [CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629 [CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580 [CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit aa720f154a1dae2f140fb6b81646ff3c0413b46e) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 96829c4edb3c..86b5a3cb1102 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.2 +ARG GO_VERSION=1.18.3 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index 496896af739c..0bbad6d9a9c9 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.2 + GOVERSION: 1.18.3 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index fedb2fefa6b0..f05086976539 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.2" + default = "1.18.3" } variable "VERSION" { default = "" 
diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 93615b0a2f83..6105e08008f4 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.2 +ARG GO_VERSION=1.18.3 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 81762ca21fb7..f11bb21a116f 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.2 +ARG GO_VERSION=1.18.3 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index a64ed6159de8..3e970bfec803 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.2 +ARG GO_VERSION=1.18.3 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index b893aadec07d..8d024b039266 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.2 +ARG GO_VERSION=1.18.3 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build From c70b01ec1fe7e3ac88538a3852ed3ea16d75ad14 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Wed, 13 Jul 2022 10:52:34 +0200 Subject: [PATCH 8/9] update golang to 1.18.4 go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath packages, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved This update addresses: CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148. Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4 From the security announcement; https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These minor releases include 9 security fixes following the security policy: - net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188. - When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue. 
- compress/gzip: stack exhaustion in Reader.Read Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168. - encoding/xml: stack exhaustion in Unmarshal Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611. - encoding/xml: stack exhaustion in Decoder.Skip Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614. - encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615. - path/filepath: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416. - io/fs: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415. - go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616. 
Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 046e7e61f5e2c2df311bb595aeb1aa81ab44cc8d) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 86b5a3cb1102..6b5eead5115a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.3 +ARG GO_VERSION=1.18.4 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index 0bbad6d9a9c9..cfb08c7f82a0 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.3 + GOVERSION: 1.18.4 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index f05086976539..998683df04a5 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.3" + default = "1.18.4" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index 6105e08008f4..eb5c3f79d329 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.3 +ARG GO_VERSION=1.18.4 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index f11bb21a116f..2bbbbb2e1cfc 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.3 +ARG GO_VERSION=1.18.4 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 3e970bfec803..5b739d33e549 100644 
--- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.3 +ARG GO_VERSION=1.18.4 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 8d024b039266..c1cfa31629ac 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.3 +ARG GO_VERSION=1.18.4 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build From bdac0b38d93bf7b1a375007efe048015157c574b Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 3 Aug 2022 20:15:57 +0200 Subject: [PATCH 9/9] Update golang to 1.18.5 Update Go runtime to 1.18.5 to address CVE-2022-32189. Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5 -------------------------------------------------------- From the security announcement: https://groups.google.com/g/golang-announce/c/YqYYG87xB10 We have just released Go versions 1.18.5 and 1.17.13, minor point releases. These minor releases include 1 security fixes following the security policy: encoding/gob & math/big: decoding big.Float and big.Rat can panic Decoding big.Float and big.Rat types can panic if the encoded message is too short. This is CVE-2022-32189 and Go issue https://go.dev/issue/53871. View the release notes for more information: https://go.dev/doc/devel/release#go1.18.5 Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 6191b662b34da45462b0d9ac082510e4fb361e15) Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- appveyor.yml | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.binary-native | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.e2e | 2 +- dockerfiles/Dockerfile.lint | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b5eead5115a..0308bf641735 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.18.4 +ARG GO_VERSION=1.18.5 ARG XX_VERSION=1.1.0 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/appveyor.yml b/appveyor.yml index cfb08c7f82a0..6c349b85f2da 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli environment: GOPATH: c:\gopath - GOVERSION: 1.18.4 + GOVERSION: 1.18.5 DEPVERSION: v0.4.1 install: diff --git a/docker-bake.hcl b/docker-bake.hcl index 998683df04a5..c2d2e2a359bd 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.18.4" + default = "1.18.5" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.binary-native b/dockerfiles/Dockerfile.binary-native index eb5c3f79d329..04ac764024cd 100644 --- a/dockerfiles/Dockerfile.binary-native +++ b/dockerfiles/Dockerfile.binary-native @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.4 +ARG GO_VERSION=1.18.5 FROM golang:${GO_VERSION}-alpine diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 2bbbbb2e1cfc..b49b996b0f4f 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.4 +ARG GO_VERSION=1.18.5 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 diff --git a/dockerfiles/Dockerfile.e2e b/dockerfiles/Dockerfile.e2e index 5b739d33e549..64453ffafe39 100644 --- a/dockerfiles/Dockerfile.e2e +++ b/dockerfiles/Dockerfile.e2e @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.18.4 +ARG GO_VERSION=1.18.5 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index c1cfa31629ac..110c1c29873f 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint 
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.18.4 +ARG GO_VERSION=1.18.5 ARG GOLANGCI_LINT_VERSION=v1.45.2 FROM golang:${GO_VERSION}-alpine AS build