
go-version: bump to 1.18.9 #12153

Merged: 1 commit merged into main from bump_go1.18.9 on Dec 12, 2022

Conversation

lbajolet-hashicorp (Contributor) wrote:

The Go 1.18.9 release fixes vulnerability GO-2022-1144, which concerns the net/http and golang.org/x/net packages.

These are used in the codebase, and therefore automated tools report the generated binaries as vulnerable to this.

Note that while Packer is indeed vulnerable to this, this is a DoS attack. This is therefore unlikely to impact Packer severely, especially as it requires a deliberate attempt to provoke an OOM/excessive GC cycles.

Nonetheless, since this vulnerability is fixed with go 1.18.9, we bump the version used to build/test the tools to this version.
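The description says that automated tools flag Packer binaries because of the toolchain they were built with, which is what a version bump like this one fixes. The following Go program is an added example, not part of this PR or of Packer: it reads the toolchain version recorded in a Go binary via debug/buildinfo (the same data `go version -m` prints) and reports whether that version predates the GO-2022-1144 fix. The 1.18.9 threshold is the one this PR bumps to; the 1.19.4 threshold for the 1.19 line is taken from the upstream Go advisory for GO-2022-1144 and is an assumption not stated on this page. Run it with a binary path as its argument, or with no argument to check the toolchain it was itself built with.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version, e.g. "go1.18.9" -> {1, 18, 9}.
type goVersion struct {
	major, minor, patch int
}

// parseGoVersion accepts "go1.18.9", "1.18.9" or "go1.20" (a missing patch
// level means .0). Pre-release and devel strings such as "go1.20rc1" or
// "devel go1.21-abcdef" fail to parse and are reported as an error rather
// than being silently ordered against release versions.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("malformed go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("malformed go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// before reports whether v is an older release than o.
func (v goVersion) before(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// fixedIn lists, in ascending order, the first patch release of each minor
// line that carries the GO-2022-1144 fix. 1.18.9 is the version this PR bumps
// to; 1.19.4 is an assumption taken from the upstream Go advisory.
var fixedIn = []goVersion{{1, 18, 9}, {1, 19, 4}}

// isVulnerable decides whether a binary built with toolchain version s
// predates the fix. A minor line with a listed patch release is compared
// against it; a line older than the oldest fixed line never received a patch
// release and is treated as vulnerable; a line newer than the newest fixed
// line was released after the fix and is treated as fixed.
func isVulnerable(s string) (bool, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return false, err
	}
	for _, f := range fixedIn {
		if v.major == f.major && v.minor == f.minor {
			return v.before(f), nil
		}
	}
	return v.before(fixedIn[0]), nil
}

func main() {
	target, version := "this binary", runtime.Version()
	if len(os.Args) > 1 {
		// Inspect another binary's embedded build info instead of our own.
		info, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "read build info:", err)
			os.Exit(2)
		}
		target, version = os.Args[1], info.GoVersion
	}
	vuln, err := isVulnerable(version)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if vuln {
		fmt.Printf("%s: built with %s, predates the GO-2022-1144 fix\n", target, version)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, not affected by GO-2022-1144\n", target, version)
}
```

The exit code (1 for an affected build, 2 for a file that is not a Go binary or carries a version that cannot be ordered) makes this usable as a release-pipeline gate; extend `fixedIn` when a later advisory publishes further patch releases.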

Commit message (signed with the committer’s verified signature):
The Go 1.18.9 release fixes vulnerability GO-2022-1144, which concerns
the net/http and golang.org/x/net packages.

These are used in the codebase, and therefore automated tools report the
generated binaries as vulnerable to this.

Note that while Packer is indeed vulnerable to this, this is a DoS
attack. This is therefore unlikely to impact Packer severely, especially
as it requires a deliberate attempt to provoke an OOM/excessive GC
cycles.

Nonetheless, since this vulnerability is fixed with go 1.18.9, we bump
the version used to build/test the tools to this version.
lbajolet-hashicorp requested a review from a team as a code owner on December 12, 2022 at 19:16
nywilken (Contributor) left a comment:

LGTM

nywilken merged commit 0aa2df1 into main on Dec 12, 2022
nywilken deleted the bump_go1.18.9 branch on December 12, 2022 at 19:38
nywilken added this to the 1.8.5 milestone on Dec 12, 2022
github-actions (bot) wrote:
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions locked this pull request as resolved and limited conversation to collaborators on Jan 13, 2023
2 participants