Update to go1.22.3 due to CVE #5681
Comments
I don't think there's much to do here. #5684 already bumped this in master. https://github.com/crossplane/crossplane/blob/release-1.14/go.mod#L3 - Appears unaffected. We'll need to make sure 1.16 gets released (crossplane/release#9) with a patched version of Go. I expect Renovate will bump the release-1.16 branch.
Trying to make sure this gets taken care of before v1.16 goes out today. @phisco I haven't seen a PR for this. If that's the case, we should probably update the release steps to add the release branch to
Yes, that's because we forgot to update the branch list: crossplane/.github/renovate.json5 Line 15 in 0d0473e
I was sure we had a step for it.
We do, but it's misplaced: https://github.com/crossplane/release/blob/e6d04f89834b298c68b9fbda8b240fc372a03da0/.github/ISSUE_TEMPLATE/release.md?plain=1#L63 It should be in the code freeze section.
I'll do the following:
What happened?
go1.22.3 fixes two critical security issues regarding the DNS resolution and code compilation on Darwin. See golang/go#67119 and golang/go#66754.
CVE: GHSA-5fq7-4mxc-535h
Google Group Announcement: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
How can we reproduce it?
n.a.
What environment did it happen in?
All Crossplane versions running go < 1.21.10 and go < 1.22.3.