Commit Graph

11 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
74b71c41ac update to go1.23.8 (fix CVE-2025-22871)
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2

go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved

From the mailing list:

Hello gophers,

We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fixes following the security policy:

- net/http: request smuggling through invalid chunked data
  The net/http package accepted data in the chunked transfer encoding
  containing an invalid chunk-size line terminated by a bare LF.
  When used in conjunction with a server or proxy which incorrectly
  interprets a bare LF in a chunk extension as part of the extension,
  this could permit request smuggling.
  The net/http package now rejects chunk-size lines containing a bare LF.
  Thanks to Jeppe Bonde Weikop for reporting this issue.
  This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-03 12:30:00 +02:00
Paweł Gronowski
5f912e4cf5 update to go1.23.7
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.6...go1.23.7

These minor releases include 1 security fixes following the security policy:

net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

Matching of hosts against proxy patterns could improperly treat an IPv6
zone ID as a hostname component. For example, when the NO_PROXY
environment variable was set to "*.example.com", a request to
"[::1%25.example.com]:80` would incorrectly match and not be proxied.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.7

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-04 22:57:35 +01:00
Paweł Gronowski
12756071f1 update to go1.23.6
This minor release include 1 security fix following the security policy:

- crypto/elliptic: timing sidechannel for P-256 on ppc64le

  Due to the usage of a variable time instruction in the assembly implementation
  of an internal function, a small number of bits of secret scalars are leaked on
  the ppc64le architecture. Due to the way this function is used, we do not
  believe this leakage is enough to allow recovery of the private key when P-256
  is used in any well known protocols.

This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.6

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-02-04 20:27:27 +01:00
Sebastiaan van Stijn
bccd9cc6bc Merge pull request #49313 from vvoland/gha-relbranches
gha: Adjust release branches
2025-01-20 17:39:48 +01:00
Paweł Gronowski
5e9ee1a849 gha: Adjust release branches
Adjust all workflows to also run on branches like `27.x`

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-01-20 16:34:14 +01:00
Sebastiaan van Stijn
ae0fda655b update to go1.23.5 (fix CVE-2024-45341, CVE-2024-45336)
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and
net/http packages, as well as bug fixes to the compiler, the runtime, and the
net package. See the Go 1.23.5 milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.23.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.4...go1.23.5

Hello gophers,

We have just released Go versions 1.23.5 and 1.22.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

  A certificate with a URI which has a IPv6 address with a zone ID may
  incorrectly satisfy a URI name constraint that applies to the certificate
  chain.

  Certificates containing URIs are not permitted in the web PKI, so this
  only affects users of private PKIs which make use of URIs.

  Thanks to Juho Forsén of Mattermost for reporting this issue.

  This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.

- net/http: sensitive headers incorrectly sent after cross-domain redirect

  The HTTP client drops sensitive headers after following a cross-domain redirect.
  For example, a request to a.com/ containing an Authorization header which is
  redirected to b.com/ will not send that header to b.com.

  In the event that the client received a subsequent same-domain redirect, however,
  the sensitive headers would be restored. For example, a chain of redirects from
  a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
  header to b.com/2.

  Thanks to Kyle Seely for reporting this issue.

  This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-01-20 15:47:35 +01:00
Sebastiaan van Stijn
52d7e407b7 update to go1.23.4
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime,
the trace command, and the syscall package. See the Go 1.23.4 milestone on
our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.23.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.3...go1.23.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-12-04 10:02:48 +01:00
Paweł Gronowski
20818454c4 update to go1.23.3
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.2...go1.23.3

go1.23.3 (released 2024-11-06) includes fixes to the linker, the
runtime, and the net/http, os, and syscall packages. See the Go 1.23.3
milestone on our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-11-07 13:22:47 +01:00
Akihiro Suda
1bb5f8bb67 update to go1.23.2
vendor.mod still allows go1.22.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-22 00:04:58 +09:00
Sebastiaan van Stijn
ca4c68ab95 update to go1.22.8
go1.22.8 (released 2024-10-01) includes fixes to cgo, and the maps and syscall
packages. See the Go 1.22.8 milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.22.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.7...go1.22.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-03 13:12:30 +02:00
Sebastiaan van Stijn
450200b4a6 gha: add CodeQL Analysis workflow
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-19 11:02:34 +02:00