Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: go #1539

Closed
dongsupark opened this issue Sep 6, 2024 · 0 comments · Fixed by flatcar/scripts#2317
Closed

update: go #1539

dongsupark opened this issue Sep 6, 2024 · 0 comments · Fixed by flatcar/scripts#2317
Assignees
@tormath1
Labels
advisory security advisory security security concerns

Comments

@dongsupark
Copy link
Member

Name: go
CVEs: CVE-2024-34155, CVE-2024-34156, CVE-2024-34158
CVSSs: n/a, n/a, n/a
Action Needed: update to >= 1.23.1 or >= 1.22.7

Summary:

  • CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
  • CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
  • CVE-2024-34158: go/build/constraint: stack exhaustion in Parse. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

See also https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc.

As Flatcar has only Go 1.21, which is already EOL, these CVEs are blocked until Go could be updated to 1.22+.

refmap.gentoo: TBD
@dongsupark dongsupark added security security concerns advisory security advisory advisory/upstream-blocked blocked by upstream projects labels Sep 6, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to ⏳ Long Term in Flatcar tactical, release planning, and roadmap Sep 6, 2024
@tormath1 tormath1 self-assigned this Sep 16, 2024
This was referenced Sep 16, 2024
Closed
Merged
@github-actions github-actions bot mentioned this issue Sep 22, 2024
Closed
@dongsupark dongsupark removed the advisory/upstream-blocked blocked by upstream projects label Sep 23, 2024
@dongsupark dongsupark moved this from ⏳ Long Term to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Sep 23, 2024
@dongsupark dongsupark moved this from ⚒️ In Progress to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Sep 30, 2024
@github-project-automation github-project-automation bot moved this from ✅ Testing / in Review to Implemented in Flatcar tactical, release planning, and roadmap Oct 2, 2024
@github-actions github-actions bot mentioned this issue Oct 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tormath1 tormath1

Labels
advisory security advisory security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

upgrade Go, Runc, Docker and Containerd flatcar/scripts
2 participants
@dongsupark @tormath1