Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[27.x backport] update to go1.22.7 #5411

Merged
merged 1 commit into from
Sep 6, 2024
Merged

Conversation

vvoland
Copy link
Collaborator

@vvoland vvoland commented Sep 5, 2024

These minor releases include 3 security fixes following the security policy:

  • go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

  • encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University ([email protected]) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

  • go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

- Description for the changelog

Update Go runtime to 1.22.7

- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: golang/go@go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University ([email protected]) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

Signed-off-by: Paweł Gronowski <[email protected]>
(cherry picked from commit 3bf39d2)
Signed-off-by: Paweł Gronowski <[email protected]>
@codecov-commenter
Copy link

codecov-commenter commented Sep 5, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.77%. Comparing base (41e61c4) to head (3db9538).
Report is 5 commits behind head on 27.x.

Additional details and impacted files
@@           Coverage Diff           @@
##             27.x    #5411   +/-   ##
=======================================
  Coverage   59.77%   59.77%           
=======================================
  Files         345      345           
  Lines       23405    23405           
=======================================
  Hits        13990    13990           
  Misses       8445     8445           
  Partials      970      970           

Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit b5290d4 into docker:27.x Sep 6, 2024
112 of 191 checks passed
renovate bot added a commit to earthly/dind that referenced this pull request Sep 9, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://redirect.github.com/docker/docker) | patch |
`27.2.0` -> `27.2.1` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

###
[`v27.2.1`](https://redirect.github.com/moby/moby/releases/tag/v27.2.1)

[Compare
Source](https://redirect.github.com/docker/docker/compare/v27.2.0-rc.1...v27.2.1)

#### 27.2.1

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 27.2.1
milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.1)
- [moby/moby, 27.2.1
milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.1)

##### Bug fixes and enhancements

- containerd image store: Fix non-container images being hidden in the
`docker images` output.
[moby/moby#48402](https://redirect.github.com/moby/moby/pull/48402)
- containerd image store: Improve `docker pull` error message when the
image platform doesn't match.
[moby/moby#48415](https://redirect.github.com/moby/moby/pull/48415)
- CLI: Fix issue causing login to not remove repository names from
passed in registry addresses, resulting in credentials being stored
under the wrong key.
[docker/cli#5385](https://redirect.github.com/docker/cli/pull/5385)
- CLI: Fix issue that will sometimes cause the browser-login flow to
fail if the CLI process is suspended and then resumed while waiting for
the user to authenticate.
[docker/cli#5376](https://redirect.github.com/docker/cli/pull/5376)
- CLI: `docker login` now returns an error instead of hanging if called
non-interactively with `--password` or `--password-stdin` but without
`--user`.
[docker/cli#5402](https://redirect.github.com/docker/cli/pull/5402)

##### Packaging updates

- Update `runc` to
[v1.1.14](https://redirect.github.com/opencontainers/runc/releases/tag/v1.1.14),
which contains a fix for
[CVE-2024-45310](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv).
[moby/moby#48426](https://redirect.github.com/moby/moby/pull/48426)
- Update Go runtime to 1.22.7.
[moby/moby#48433](https://redirect.github.com/moby/moby/pull/48433),
[docker/cli#5411](https://redirect.github.com/docker/cli/pull/5411),
[docker/docker-ce-packaging#1068](https://redirect.github.com/docker/docker-ce-packaging/pull/1068)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge
- At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/earthly/dind).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot added a commit to earthly/dind that referenced this pull request Sep 9, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://redirect.github.com/docker/docker) | patch |
`27.2.0` -> `27.2.1` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

###
[`v27.2.1`](https://redirect.github.com/moby/moby/releases/tag/v27.2.1)

[Compare
Source](https://redirect.github.com/docker/docker/compare/v27.2.0-rc.1...v27.2.1)

#### 27.2.1

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 27.2.1
milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.1)
- [moby/moby, 27.2.1
milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.1)

##### Bug fixes and enhancements

- containerd image store: Fix non-container images being hidden in the
`docker image ls` output.
[moby/moby#48402](https://redirect.github.com/moby/moby/pull/48402)
- containerd image store: Improve `docker pull` error message when the
image platform doesn't match.
[moby/moby#48415](https://redirect.github.com/moby/moby/pull/48415)
- CLI: Fix issue causing `docker login` to not remove repository names
from passed in registry addresses, resulting in credentials being stored
under the wrong key.
[docker/cli#5385](https://redirect.github.com/docker/cli/pull/5385)
- CLI: Fix issue that will sometimes cause the browser-login flow to
fail if the CLI process is suspended and then resumed while waiting for
the user to authenticate.
[docker/cli#5376](https://redirect.github.com/docker/cli/pull/5376)
- CLI: `docker login` now returns an error instead of hanging if called
non-interactively with `--password` or `--password-stdin` but without
`--user`.
[docker/cli#5402](https://redirect.github.com/docker/cli/pull/5402)

##### Packaging updates

- Update `runc` to
[v1.1.14](https://redirect.github.com/opencontainers/runc/releases/tag/v1.1.14),
which contains a fix for
[CVE-2024-45310](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv).
[moby/moby#48426](https://redirect.github.com/moby/moby/pull/48426)
- Update Go runtime to 1.22.7.
[moby/moby#48433](https://redirect.github.com/moby/moby/pull/48433),
[docker/cli#5411](https://redirect.github.com/docker/cli/pull/5411),
[docker/docker-ce-packaging#1068](https://redirect.github.com/docker/docker-ce-packaging/pull/1068)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge
- At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/earthly/dind).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants