Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[23.0 backport] update to go1.20.7 #4477

Merged
merged 1 commit into from
Aug 2, 2023

Commits on Aug 1, 2023

  1. update to go1.20.7

    Includes a fix for CVE-2023-29409
    
    go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
    package, as well as bug fixes to the assembler and the compiler. See the
    Go 1.20.7 milestone on our issue tracker for details:
    
    - https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
    - full diff: golang/go@go1.20.6...go1.20.7
    
    From the mailing list announcement:
    
    [security] Go 1.20.7 and Go 1.19.12 are released
    
    Hello gophers,
    
    We have just released Go versions 1.20.7 and 1.19.12, minor point releases.
    
    These minor releases include 1 security fixes following the security policy:
    
    - crypto/tls: restrict RSA keys in certificates to <= 8192 bits
    
      Extremely large RSA keys in certificate chains can cause a client/server
      to expend significant CPU time verifying signatures. Limit this by
      restricting the size of RSA keys transmitted during handshakes to <=
      8192 bits.
    
      Based on a survey of publicly trusted RSA keys, there are currently only
      three certificates in circulation with keys larger than this, and all
      three appear to be test certificates that are not actively deployed. It
      is possible there are larger keys in use in private PKIs, but we target
      the web PKI, so causing breakage here in the interests of increasing the
      default safety of users of crypto/tls seems reasonable.
    
      Thanks to Mateusz Poliwczak for reporting this issue.
    
    View the release notes for more information:
    https://go.dev/doc/devel/release#go1.20.7
    
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    (cherry picked from commit 6517db9)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    thaJeztah committed Aug 1, 2023
    Configuration menu
    Copy the full SHA
    8a62233 View commit details
    Browse the repository at this point in the history