sync: Go 1.21 with QUIC support #208

Merged
merged 6 commits into from Aug 4, 2023

gaukas
Member

@gaukas gaukas commented Aug 2, 2023

  • Sync with Go 1.21
  • Experimental QUIC Transport support with QUIC Transport Parameters fake mimicry
  • Dropping support for Go 1.19

Note: Go 1.21 is still unstable and this PR is based on Go 1.21rc3 Go 1.21rc4, which is the latest release candidate. We will hold until a stable version of Go 1.21 is released. We will merge ASAP to address the CVE.

gaukas and others added 2 commits August 2, 2023 15:53
* sync: merge with upstream tag/go-1.21rc3 (#11)

* fix: all tests pass

* impl: UQUIC Transport

* deps: bump up min Go version

* new: uquic

* fix: add QUICTransportParameter

---------

Co-authored-by: Russ Cox <rsc@golang.org>
Co-authored-by: Filippo Valsorda <filippo@golang.org>
Co-authored-by: Filippo Valsorda <hi@filippo.io>
Co-authored-by: Katie Hockman <katie@golang.org>
Co-authored-by: Ainar Garipov <gugl.zadolbal@gmail.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@golang.org>
Co-authored-by: fenos <fabri.feno@gmail.com>
Co-authored-by: Bryan C. Mills <bcmills@google.com>
Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com>
Co-authored-by: Olivier Poitrey <rs@netflix.com>
Co-authored-by: Ville Skyttä <ville.skytta@iki.fi>
Co-authored-by: Alex Harford <alex.harford@saucelabs.com>
Co-authored-by: Johan Jansson <johan.jansson@iki.fi>
Co-authored-by: Ziheng Liu <lzhfromustc@gmail.com>
Co-authored-by: Chris Le Roy <brompwnie@users.noreply.github.com>
Co-authored-by: Brad Fitzpatrick <brad@danga.com>
Co-authored-by: Dmitri Shuralyov <dmitshur@golang.org>
Co-authored-by: Roland Shoemaker <rolandshoemaker@gmail.com>
Co-authored-by: Daniel <cpu@letsencrypt.org>
Co-authored-by: Chen.Zhidong <njutczd@gmail.com>
Co-authored-by: Cherry Zhang <cherryyz@google.com>
Co-authored-by: Luca Spiller <luca@stackednotion.com>
Co-authored-by: Thom Wiggers <thom@thomwiggers.nl>
Co-authored-by: cch123 <buaa.cch@gmail.com>
Co-authored-by: Johan Brandhorst <johan.brandhorst@gmail.com>
Co-authored-by: Roland Shoemaker <roland@golang.org>
Co-authored-by: John Bampton <jbampton@gmail.com>
Co-authored-by: Matt T. Proud <matt.proud@gmail.com>
Co-authored-by: Naman Gera <namangera15@gmail.com>
Co-authored-by: vinckr <vincent@ory.sh>
Co-authored-by: Sofía Celi <cherenkovd69@gmail.com>
Co-authored-by: Watson Ladd <watson@cloudflare.com>
Co-authored-by: Agniva De Sarker <agnivade@yahoo.co.in>
Co-authored-by: Heschi Kreinick <heschi@google.com>
Co-authored-by: Chressie Himpel <chressie@google.com>
Co-authored-by: Dan Kortschak <dan@kortschak.io>
Co-authored-by: Nicolas Hillegeer <aktau@google.com>
Co-authored-by: Ian Lance Taylor <iant@golang.org>
Co-authored-by: Lasse Folger <lassefolger@google.com>
Co-authored-by: Daniel Martí <mvdan@mvdan.cc>
Co-authored-by: David Taylor <tinystatemachine@gmail.com>
Co-authored-by: Tatiana Bradley <tatiana@golang.org>
Co-authored-by: cuiweixie <cuiweixie@gmail.com>
Co-authored-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Co-authored-by: Ludi Rehak <ludi317@gmail.com>
Co-authored-by: Mike Faraponov <mikefaraponov@gmail.com>
Co-authored-by: Abirdcfly <fp544037857@gmail.com>
Co-authored-by: cui fliter <imcusg@gmail.com>
Co-authored-by: Gabor Tanz <gabor.tanz@swisscom.com>
Co-authored-by: Tobias Klauser <tklauser@distanz.ch>
Co-authored-by: Anit Gandhi <agandhi@digitalocean.com>
Co-authored-by: Tero Saarni <tero.saarni@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Co-authored-by: Damien Neil <dneil@google.com>
Co-authored-by: Monis Khan <i@monis.app>
Co-authored-by: Marten Seemann <martenseemann@gmail.com>
Go 1.19 will fail to build or pass the test once we bump up to the new version.
@gaukas
Member Author

gaukas commented Aug 3, 2023

We will now merge Go 1.21rc4, since it introduces a fix for a CVE caused by unrestrained certificate sizes.

…209)

* [release-branch.go1.21] crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.

Fixes CVE-2023-29409

Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
Reviewed-on: https://go-review.googlesource.com/c/go/+/515056
Run-TryBot: David Chase <drchase@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
replace old build status badge with new ones, bump up required version noted in docs, update developer contact to reflect current status.
@gaukas gaukas marked this pull request as ready for review August 3, 2023 20:25
@gaukas
Member Author

gaukas commented Aug 3, 2023

Commit 0c5e48e actually merges Go 1.21rc4 -- that is the only change since rc3.

@gaukas gaukas merged commit 86e9b69 into master Aug 4, 2023
@gaukas gaukas deleted the go-1-21-quic branch August 4, 2023 05:36
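
An added example, not code from this PR, uTLS or the Go tree: a Go audit helper that flags certificates in an already-parsed chain whose RSA modulus exceeds the 8192-bit limit stated in the cherry-picked CVE-2023-29409 commit above, which is how a private-PKI operator could find certificates the new limit would reject. The names `oversizedRSAKeys`, `Finding`, `constructedCert` and `sampleChain` are hypothetical, and the sample certificates are constructed in memory with placeholder moduli rather than real keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// maxRSAKeyBits is the limit quoted in the commit message (<= 8192 bits).
const maxRSAKeyBits = 8192

// Finding records one certificate whose RSA key is over the limit.
type Finding struct {
	Index   int    // position in the chain, leaf first
	Subject string // subject common name
	Bits    int    // modulus size in bits
}

// oversizedRSAKeys reports every certificate with an RSA modulus larger than
// maxRSAKeyBits. Non-RSA keys are outside the limit and are skipped.
func oversizedRSAKeys(chain []*x509.Certificate) []Finding {
	var out []Finding
	for i, cert := range chain {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok || pub.N == nil {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxRSAKeyBits {
			out = append(out, Finding{Index: i, Subject: cert.Subject.CommonName, Bits: bits})
		}
	}
	return out
}

// constructedCert returns sample data: a certificate struct whose RSA modulus
// has exactly `bits` bits. The modulus is a placeholder, not a usable key.
func constructedCert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	n.SetBit(n, 0, 1)
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

// sampleChain is constructed input covering the boundary and a non-RSA key.
func sampleChain() []*x509.Certificate {
	ed := &x509.Certificate{Subject: pkix.Name{CommonName: "ed25519-leaf"}, PublicKey: ed25519.PublicKey(make([]byte, ed25519.PublicKeySize))}
	return []*x509.Certificate{ed, constructedCert("rsa-8192", 8192), constructedCert("rsa-8193", 8193), constructedCert("rsa-16384", 16384)}
}

func main() {
	for _, f := range oversizedRSAKeys(sampleChain()) {
		fmt.Printf("cert %d (%s): %d-bit RSA key exceeds %d bits\n", f.Index, f.Subject, f.Bits, maxRSAKeyBits)
	}
}
```

In real use the chain would come from `x509.ParseCertificates` on a DER bundle or from `tls.ConnectionState.PeerCertificates`.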