[20.10 backport] update to go 1.17.8 #43468
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
requested review from
cpuguy83,
tianon,
johnstep and
tonistiigi
as code owners
AkihiroSuda
approved these changes
Apr 7, 2022
|
^^ I'm happy to remove the "revert" commits if people prefer not to have those. I usually do a revert first, to make sure we don't miss possibly "other changes" that were included in those commits, but understand it's a bit "noisy". |
|
I think it seems fine (better) to squash? |
|
some of the commit messages contain useful info, but that's for the cherry-picks, so I'm generally in favour of keeping those), but for the reverts, I'm fine with dropping. |
full diff: golang/sys@b64e53b...d19ff85 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f0d3e90) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…r Go 1.17) Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8, 2021) or later, see golang/go#45702. While this seems to affect macOS only, let's update to the latest version. full diff: golang/sys@d19ff85...63515b4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d48c8b7) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Golang '.0' releases are released without a trailing .0 (i.e. go1.17
is equal to go1.17.0). For the base image, we want to specify the go
version including their patch release (golang:1.17 is equivalent to
go1.17.x), so adjust the script to also accept the trailing .0, because
otherwise the download-URL is not found:
hack/vendor.sh archive/tar
update vendored copy of archive/tar
downloading: https://golang.org/dl/go1.17.0.src.tar.gz
curl: (22) The requested URL returned error: 404
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9ed88a0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit aa60630) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes additional fixes for CVE-2021-39293. go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. See the Go 1.17.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0050ddd) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go command, and to the time and text/template packages. See the Go 1.17.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.2+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e7fb0c8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details. From the announcement e-mail: [security] Go 1.17.3 and Go 1.16.10 are released We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor releases include two security fixes following the security policy: - archive/zip: don't panic on (*Reader).Open Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue golang.org/issue/48085. - debug/macho: invalid dynamic symbol table command can cause panic Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit ce668d6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.4+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 6bb3891) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.17.5 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.5+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d620cb6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.6+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f85ae52) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). go1.17.7 (released 2022-02-10) includes security fixes to the crypto/elliptic, math/big packages and to the go command, as well as bug fixes to the compiler, linker, runtime, the go command, and the debug/macho, debug/pe, and net/http/httptest packages. See the Go 1.17.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.7+label%3ACherryPickApproved full diff: golang/go@go1.17.6...go1.17.7 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit cad6c8f) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921) go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, and net packages. See the Go 1.17.8 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved full diff: golang/go@go1.17.7...go1.17.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e781cf5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
20.10_backport_update_go_1.17
branch
from
5b6bcac
to
09d6fcd
Compare
|
Removed the revert-commits |
tianon
approved these changes
Apr 12, 2022
cpuguy83
approved these changes
Apr 12, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
first rolling back the branch to where we left off from master:revert [20.10] update to go 1.16.15 to address CVE-2022-24921 #43326revert [20.10] Update Go to 1.16.14 #43243revert [20.10] update Go to 1.16.13 #43153revert [20.10] update Go to 1.16.12 #43077revert [20.10] update Go to 1.16.11 #43063revert [20.10] Update Go to 1.16.10 #42989revert [20.10] Update Go to 1.16.9 #42923revert fa78afecherry-picks:
- A picture of a cute animal (not mandatory but encouraged)