New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[20.10 backport] update to go 1.17.8 #43468
[20.10 backport] update to go 1.17.8 #43468
Conversation
^^ I'm happy to remove the "revert" commits if people prefer not to have those. I usually do a revert first, to make sure we don't miss possibly "other changes" that were included in those commits, but understand it's a bit "noisy". |
I think it seems fine (better) to squash? |
some of the commit messages contain useful info, but that's for the cherry-picks, so I'm generally in favour of keeping those), but for the reverts, I'm fine with dropping. |
full diff: golang/sys@b64e53b...d19ff85 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f0d3e90) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…r Go 1.17) Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8, 2021) or later, see golang/go#45702. While this seems to affect macOS only, let's update to the latest version. full diff: golang/sys@d19ff85...63515b4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d48c8b7) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Golang '.0' releases are released without a trailing .0 (i.e. go1.17 is equal to go1.17.0). For the base image, we want to specify the go version including their patch release (golang:1.17 is equivalent to go1.17.x), so adjust the script to also accept the trailing .0, because otherwise the download-URL is not found: hack/vendor.sh archive/tar update vendored copy of archive/tar downloading: https://golang.org/dl/go1.17.0.src.tar.gz curl: (22) The requested URL returned error: 404 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 9ed88a0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit aa60630) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes additional fixes for CVE-2021-39293. go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. See the Go 1.17.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0050ddd) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go command, and to the time and text/template packages. See the Go 1.17.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.2+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e7fb0c8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details. From the announcement e-mail: [security] Go 1.17.3 and Go 1.16.10 are released We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor releases include two security fixes following the security policy: - archive/zip: don't panic on (*Reader).Open Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue golang.org/issue/48085. - debug/macho: invalid dynamic symbol table command can cause panic Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit ce668d6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.4+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 6bb3891) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.17.5 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.5+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d620cb6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.6+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f85ae52) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). go1.17.7 (released 2022-02-10) includes security fixes to the crypto/elliptic, math/big packages and to the go command, as well as bug fixes to the compiler, linker, runtime, the go command, and the debug/macho, debug/pe, and net/http/httptest packages. See the Go 1.17.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.7+label%3ACherryPickApproved full diff: golang/go@go1.17.6...go1.17.7 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit cad6c8f) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921) go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, and net packages. See the Go 1.17.8 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved full diff: golang/go@go1.17.7...go1.17.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e781cf5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
5b6bcac
to
09d6fcd
Compare
Removed the revert-commits |
first rolling back the branch to where we left off from master:revert [20.10] update to go 1.16.15 to address CVE-2022-24921 #43326revert [20.10] Update Go to 1.16.14 #43243revert [20.10] update Go to 1.16.13 #43153revert [20.10] update Go to 1.16.12 #43077revert [20.10] update Go to 1.16.11 #43063revert [20.10] Update Go to 1.16.10 #42989revert [20.10] Update Go to 1.16.9 #42923revert fa78afecherry-picks:
- A picture of a cute animal (not mandatory but encouraged)