Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of [NET-4865] security: Update Go version to 1.20.6 into release/1.14.x #18193

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #18190 to be assessed for backporting due to the inclusion of the label backport/1.14.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


This resolves CVE-2023-29406 for uses of the net/http standard library.

Note that until the follow-up to #18124 is done, the version of Go used in those impacted tests will need to remain on 1.20.5.

See related PR for golang.org/x/net dependencies: #18186

Description

Resolves CVE and brings us up to the latest version of Go.

Testing & Reproduction steps

Tests should continue to pass.

Links

https://nvd.nist.gov/vuln/detail/CVE-2023-29406
https://go-review.googlesource.com/c/go/+/506996
https://go-review.googlesource.com/c/net/+/506995

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-4865-bump-go-cve/constantly-frank-hare branch 2 times, most recently from fc04a2b to 3f8cb58 Compare July 19, 2023 21:02
@hashicorp-cla
Copy link

hashicorp-cla commented Jul 19, 2023

CLA assistant check
All committers have signed the CLA.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@vercel vercel bot temporarily deployed to Preview – consul-ui-staging July 19, 2023 21:06 Inactive
@vercel vercel bot temporarily deployed to Preview – consul July 19, 2023 21:06 Inactive
@zalimeni zalimeni force-pushed the backport/zalimeni/net-4865-bump-go-cve/constantly-frank-hare branch from 33e6a40 to 772a270 Compare July 19, 2023 21:10
This resolves [CVE-2023-29406]
(https://nvd.nist.gov/vuln/detail/CVE-2023-29406) for uses of the
`net/http` standard library.

Note that until the follow-up to #18124 is done, the version of Go used
in those impacted tests will need to remain on 1.20.5.

Manual backport of 93f3209.
@zalimeni zalimeni force-pushed the backport/zalimeni/net-4865-bump-go-cve/constantly-frank-hare branch from 772a270 to 1c42fa5 Compare July 19, 2023 21:12
@zalimeni zalimeni marked this pull request as ready for review July 19, 2023 21:12
@zalimeni zalimeni requested a review from a team July 19, 2023 21:12
@zalimeni zalimeni requested a review from a team as a code owner July 19, 2023 21:12
@zalimeni zalimeni requested review from modrake and dlaguerta and removed request for a team July 19, 2023 21:12
@zalimeni zalimeni enabled auto-merge (squash) July 19, 2023 21:12
@zalimeni zalimeni disabled auto-merge July 19, 2023 21:12
@zalimeni zalimeni enabled auto-merge (squash) July 19, 2023 21:12
@zalimeni zalimeni merged commit 378d122 into release/1.14.x Jul 19, 2023
@zalimeni zalimeni deleted the backport/zalimeni/net-4865-bump-go-cve/constantly-frank-hare branch July 19, 2023 21:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants