[23.0 backport] update go to go1.20.6 #4434
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## 23.0 #4434 +/- ##
==========================================
- Coverage 59.04% 59.01% -0.03%
==========================================
Files 288 286 -2
Lines 24823 24817 -6
==========================================
- Hits 14656 14646 -10
- Misses 9280 9284 +4
Partials 887 887 |
thaJeztah
force-pushed
the
23.0_backport_update_go_1.20
branch
from
05b0e00
to
834cacf
Compare
Reverting 23.0-specific commits before backporting the 1.20 update. This reverts commit a483dfd. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverting 23.0-specific commits before backporting the 1.20 update. This reverts commit c769f20. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverting 23.0-specific commits before backporting the 1.20 update. This reverts commit 5cd7710. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit a798282) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.3 (released 2023-04-04) includes security fixes to the go/parser, html/template, mime/multipart, net/http, and net/textproto packages, as well as bug fixes to the compiler, the linker, the runtime, and the time package. See the Go 1.20.3 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.3+label%3ACherryPickApproved full diff: golang/go@go1.20.2...go1.20.3 Further details from the announcement on the mailing list: We have just released Go versions 1.20.3 and 1.19.8, minor point releases. These minor releases include 4 security fixes following the security policy: - go/parser: infinite loop in parsing Calling any of the Parse functions on Go source code which contains `//line` directives with very large line numbers can cause an infinite loop due to integer overflow. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2023-24537 and Go issue https://go.dev/issue/59180. - html/template: backticks not treated as string delimiters Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release. Users who rely on this behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. This is CVE-2023-24538 and Go issue https://go.dev/issue/59234. - net/http, net/textproto: denial of service from excessive memory allocation HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers. Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24534 and Go issue https://go.dev/issue/58975. - net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. Thanks to Jakob Ackermann for discovering this issue. This is CVE-2023-24536 and Go issue https://go.dev/issue/59153. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 591bead) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved release notes: https://go.dev/doc/devel/release#go1.20.4 full diff: golang/go@go1.20.3...go1.20.4 from the announcement: > These minor releases include 3 security fixes following the security policy: > > - html/template: improper sanitization of CSS values > > Angle brackets (`<>`) were not considered dangerous characters when inserted > into CSS contexts. Templates containing multiple actions separated by a '/' > character could result in unexpectedly closing the CSS context and allowing > for injection of unexpected HMTL, if executed with untrusted input. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24539 and Go issue https://go.dev/issue/59720. > > - html/template: improper handling of JavaScript whitespace > > Not all valid JavaScript whitespace characters were considered to be > whitespace. Templates containing whitespace characters outside of the character > set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain > actions may not be properly sanitized during execution. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-24540 and Go issue https://go.dev/issue/59721. > > - html/template: improper handling of empty HTML attributes > > Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") > executed with empty input could result in output that would have unexpected > results when parsed due to HTML normalization rules. This may allow injection > of arbitrary attributes into tags. > > Thanks to Juho Nurminen of Mattermost for reporting this issue. > > This is CVE-2023-29400 and Go issue https://go.dev/issue/59722. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit fd0621d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved full diff: golang/go@go1.20.4...go1.20.5 These minor releases include 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 3b8d5da) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package, as well as bug fixes to the compiler, cgo, the cover tool, the go command, the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template packages. See the Go 1.20.6 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved Full diff: golang/go@go1.20.5...go1.20.6 These minor releases include 1 security fixes following the security policy: net/http: insufficient sanitization of Host header The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Thanks to Bartek Nowotarski for reporting this issue. Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374 [1]: GHSA-f8f7-69v5-w4vx Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 680fafd) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
23.0_backport_update_go_1.20
branch
from
834cacf
to
1fe3a6f
Compare
|
@laurazard @neersighted ptal |
neersighted
approved these changes
Jul 17, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
depends on:
reverts:
Reverting 23.0-specific commits before backporting the 1.20 update.
backports:
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)