Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[27.x backport] update to go1.22.7 #1068

Merged
merged 1 commit into from
Sep 6, 2024
Merged

Conversation

vvoland
Copy link
Contributor

@vvoland vvoland commented Sep 5, 2024

These minor releases include 3 security fixes following the security policy:

  • go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

  • encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

  • go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.7

(cherry picked from commit d6a07d0)

- Description for the changelog

Update Go runtime to 1.22.7

- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: golang/go@go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.7

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit d6a07d0)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland self-assigned this Sep 5, 2024
@vvoland vvoland changed the title update to go1.22.7 [27.x backport] update to go1.22.7 Sep 5, 2024
@thaJeztah thaJeztah closed this Sep 6, 2024
@thaJeztah thaJeztah reopened this Sep 6, 2024
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vvoland vvoland merged commit abe478c into docker:27.x Sep 6, 2024
7 of 12 checks passed
renovate bot added a commit to earthly/dind that referenced this pull request Sep 9, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://redirect.github.com/docker/docker) | patch |
`27.2.0` -> `27.2.1` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

###
[`v27.2.1`](https://redirect.github.com/moby/moby/releases/tag/v27.2.1)

[Compare
Source](https://redirect.github.com/docker/docker/compare/v27.2.0-rc.1...v27.2.1)

#### 27.2.1

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 27.2.1
milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.1)
- [moby/moby, 27.2.1
milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.1)

##### Bug fixes and enhancements

- containerd image store: Fix non-container images being hidden in the
`docker images` output.
[moby/moby#48402](https://redirect.github.com/moby/moby/pull/48402)
- containerd image store: Improve `docker pull` error message when the
image platform doesn't match.
[moby/moby#48415](https://redirect.github.com/moby/moby/pull/48415)
- CLI: Fix issue causing login to not remove repository names from
passed in registry addresses, resulting in credentials being stored
under the wrong key.
[docker/cli#5385](https://redirect.github.com/docker/cli/pull/5385)
- CLI: Fix issue that will sometimes cause the browser-login flow to
fail if the CLI process is suspended and then resumed while waiting for
the user to authenticate.
[docker/cli#5376](https://redirect.github.com/docker/cli/pull/5376)
- CLI: `docker login` now returns an error instead of hanging if called
non-interactively with `--password` or `--password-stdin` but without
`--user`.
[docker/cli#5402](https://redirect.github.com/docker/cli/pull/5402)

##### Packaging updates

- Update `runc` to
[v1.1.14](https://redirect.github.com/opencontainers/runc/releases/tag/v1.1.14),
which contains a fix for
[CVE-2024-45310](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv).
[moby/moby#48426](https://redirect.github.com/moby/moby/pull/48426)
- Update Go runtime to 1.22.7.
[moby/moby#48433](https://redirect.github.com/moby/moby/pull/48433),
[docker/cli#5411](https://redirect.github.com/docker/cli/pull/5411),
[docker/docker-ce-packaging#1068](https://redirect.github.com/docker/docker-ce-packaging/pull/1068)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge
- At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/earthly/dind).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot added a commit to earthly/dind that referenced this pull request Sep 9, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://redirect.github.com/docker/docker) | patch |
`27.2.0` -> `27.2.1` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

###
[`v27.2.1`](https://redirect.github.com/moby/moby/releases/tag/v27.2.1)

[Compare
Source](https://redirect.github.com/docker/docker/compare/v27.2.0-rc.1...v27.2.1)

#### 27.2.1

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 27.2.1
milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.1)
- [moby/moby, 27.2.1
milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.1)

##### Bug fixes and enhancements

- containerd image store: Fix non-container images being hidden in the
`docker image ls` output.
[moby/moby#48402](https://redirect.github.com/moby/moby/pull/48402)
- containerd image store: Improve `docker pull` error message when the
image platform doesn't match.
[moby/moby#48415](https://redirect.github.com/moby/moby/pull/48415)
- CLI: Fix issue causing `docker login` to not remove repository names
from passed in registry addresses, resulting in credentials being stored
under the wrong key.
[docker/cli#5385](https://redirect.github.com/docker/cli/pull/5385)
- CLI: Fix issue that will sometimes cause the browser-login flow to
fail if the CLI process is suspended and then resumed while waiting for
the user to authenticate.
[docker/cli#5376](https://redirect.github.com/docker/cli/pull/5376)
- CLI: `docker login` now returns an error instead of hanging if called
non-interactively with `--password` or `--password-stdin` but without
`--user`.
[docker/cli#5402](https://redirect.github.com/docker/cli/pull/5402)

##### Packaging updates

- Update `runc` to
[v1.1.14](https://redirect.github.com/opencontainers/runc/releases/tag/v1.1.14),
which contains a fix for
[CVE-2024-45310](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv).
[moby/moby#48426](https://redirect.github.com/moby/moby/pull/48426)
- Update Go runtime to 1.22.7.
[moby/moby#48433](https://redirect.github.com/moby/moby/pull/48433),
[docker/cli#5411](https://redirect.github.com/docker/cli/pull/5411),
[docker/docker-ce-packaging#1068](https://redirect.github.com/docker/docker-ce-packaging/pull/1068)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge
- At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/earthly/dind).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants