[21.11] backport go 1.16.13 to stable to fix CVE-2021-44716 #156939

Merged
vcunat merged 4 commits into NixOS:staging-next-21.11 from fkautz:bump-go-1.16.13-r1
Jan 27, 2022

fkautz (Member) commented Jan 27, 2022

Fixed CVE-2021-44716 and other non-api breaking fixes.

(cherry picked from commit d50b6bf)

Motivation for this change

Go 1.16.12 fixed https://nvd.nist.gov/vuln/detail/CVE-2021-44716
Go 1.16.13 fixed other internal issues including:

  • x/net/http2: http.Server.WriteTimeout does not fire if the http2 stream's window is out of space. [1.16 backport]
  • cmd/link: does not set section type of .init_array correctly [1.16 backport] (was breaking lld support)

Things done

Bumps the golang 1.16 version to the latest stable release (1.16.13).

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

zowoq added 4 commits January 26, 2022 18:25
(cherry picked from commit cc8cade)
(cherry picked from commit 2100043)
(cherry picked from commit 5d33b51)
(cherry picked from commit d50b6bf)
github-actions bot added the label "6.topic: golang" (Go is a high-level general purpose programming language that is statically typed and compiled.) Jan 27, 2022

fkautz (Member, Author) commented Jan 27, 2022

This is pointing to the corrected branch based on comments by @zowoq. Also CCing @vcunat since they were CC'd in the previous one.

ofborg bot added labels Jan 27, 2022:

  • 10.rebuild-darwin: 501+ (This PR causes many rebuilds on Darwin and should normally target the staging branches.)
  • 10.rebuild-darwin: 1001-2500 (This PR causes many rebuilds on Darwin and should most likely target the staging branches.)
  • 10.rebuild-linux: 501+ (This PR causes many rebuilds on Linux and should normally target the staging branches.)
  • 10.rebuild-linux: 1001-2500 (This PR causes many rebuilds on Linux and should target the staging branches.)

vcunat merged commit 61d3a18 into NixOS:staging-next-21.11 Jan 27, 2022

vcunat (Member) commented Jan 27, 2022

Looks good. Merged early to avoid wasting builds. There will still be time before it reaches 21.11 anyway.

FliegendeWurst added the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) Jan 27, 2022