Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump go version to 1.19.3 to address security fixes #14678

Merged
merged 1 commit into from
Nov 2, 2022
Merged

bump go version to 1.19.3 to address security fixes #14678

merged 1 commit into from
Nov 2, 2022

Conversation

ahrtr
Copy link
Member

@ahrtr ahrtr commented Nov 2, 2022 

# govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      tools/etcd-dump-logs/main.go:340:18: go.etcd.io/etcd/v3/tools/etcd-dump-logs.listEntriesType calls os/exec.Cmd.Start
      tools/etcd-dump-metrics/install_linux.go:53:86: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.install calls os/exec.Cmd.Run

  Found in: os/exec@go1.19.2
  Fixed in: os/exec@go1.19.3
  More info: https://pkg.go.dev/vuln/GO-2022-1095

Vulnerability #2: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  variable values containing NUL values are not properly checked
  for. A malicious environment variable value can exploit this
  behavior to set a value for a different environment variable.
  For example, the environment variable string "A=B\x00C=D" sets
  the variables "A=B" and "C=D".

  Call stacks in your code:
      tools/etcd-dump-logs/main.go:340:18: go.etcd.io/etcd/v3/tools/etcd-dump-logs.listEntriesType calls os/exec.Cmd.Start, which eventually calls syscall.StartProcess

  Found in: syscall@go1.19.2
  Fixed in: syscall@go1.19.3
  More info: https://pkg.go.dev/vuln/GO-2022-1095

FYI. https://groups.google.com/g/golang-announce/c/dRtDK7WS78g

Signed-off-by: Benjamin Wang wachao@vmware.com

cc @mitake @ptabor @serathius @spzala

@ahrtr ahrtr mentioned this pull request Nov 2, 2022
Merged
@ahrtr
Copy link
Member Author

ahrtr commented Nov 2, 2022

We can ignore the Release workflow failure for now. It can be resolved automatically after merging this PR.

fuweid
fuweid approved these changes Nov 2, 2022
View reviewed changes
Copy link
Member

@fuweid fuweid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM(nb)

@serathius serathius merged commit e25090f into etcd-io:main Nov 2, 2022
@caixiangibm caixiangibm mentioned this pull request Nov 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serathius serathius serathius approved these changes

@fuweid fuweid fuweid approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ahrtr @serathius @fuweid