[20.10 backport] update to go 1.17.8 #43468
Merged
Commits on Apr 7, 2022
-
vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
full diff: golang/sys@b64e53b...d19ff85 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f0d3e90) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (fo…
…r Go 1.17) Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8, 2021) or later, see golang/go#45702. While this seems to affect macOS only, let's update to the latest version. full diff: golang/sys@d19ff85...63515b4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d48c8b7) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
hack/vendor.sh: allow go version to be specified with .0
Golang '.0' releases are released without a trailing .0 (i.e. go1.17 is equal to go1.17.0). For the base image, we want to specify the go version including their patch release (golang:1.17 is equivalent to go1.17.x), so adjust the script to also accept the trailing .0, because otherwise the download-URL is not found: hack/vendor.sh archive/tar update vendored copy of archive/tar downloading: https://golang.org/dl/go1.17.0.src.tar.gz curl: (22) The requested URL returned error: 404 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 9ed88a0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> -
-
vendor: update archive/tar to match Go 1.17.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit aa60630) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
This includes additional fixes for CVE-2021-39293. go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. See the Go 1.17.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 0050ddd) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go command, and to the time and text/template packages. See the Go 1.17.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.2+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e7fb0c8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details. From the announcement e-mail: [security] Go 1.17.3 and Go 1.16.10 are released We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor releases include two security fixes following the security policy: - archive/zip: don't panic on (*Reader).Open Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue golang.org/issue/48085. - debug/macho: invalid dynamic symbol table command can cause panic Malformed binaries parsed using Open or OpenFat can cause a panic when calling ImportedSymbols, due to an out-of-bounds slice operation. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit ce668d6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.4+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 6bb3891) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.17.5 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.5+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit d620cb6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.6+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit f85ae52) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). go1.17.7 (released 2022-02-10) includes security fixes to the crypto/elliptic, math/big packages and to the go command, as well as bug fixes to the compiler, linker, runtime, the go command, and the debug/macho, debug/pe, and net/http/httptest packages. See the Go 1.17.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.7+label%3ACherryPickApproved full diff: golang/go@go1.17.6...go1.17.7 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit cad6c8f) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-
update to go 1.17.8 to address CVE-2022-24921
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921) go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, and net packages. See the Go 1.17.8 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved full diff: golang/go@go1.17.7...go1.17.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e781cf5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.