Skip to content

[release/1.7] Update to go1.22.7, go1.23.1#10679

Merged
mxpv merged 1 commit intocontainerd:release/1.7from
thaJeztah:1.7_update_go1.22.7
Sep 6, 2024
Merged

[release/1.7] Update to go1.22.7, go1.23.1#10679
mxpv merged 1 commit intocontainerd:release/1.7from
thaJeztah:1.7_update_go1.22.7

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Sep 6, 2024

These minor releases include 3 security fixes following the security policy:

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.7

@thaJeztah
update to go1.22.7, go1.23.1
19d678f 
- https://github.com/golang/go/issues?q=milestone%3AGo1.27.7+label%3ACherryPickApproved
- full diff: golang/go@go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains
    deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested
    structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University for reporting
    this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested
    expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.7

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@dosubot dosubot Bot added area/toolchain Build and Release Toolchain area/github_actions Pull requests that update GitHub Actions code go Pull requests that update Go code labels Sep 6, 2024
@thaJeztah thaJeztah self-assigned this Sep 6, 2024
@mxpv mxpv merged commit c62aa06 into containerd:release/1.7 Sep 6, 2024
@thaJeztah thaJeztah deleted the 1.7_update_go1.22.7 branch September 6, 2024 18:44
@samuelkarp samuelkarp changed the title [release/1.7] update to go1.22.7, go1.23.1 [release/1.7] Update to go1.22.7, go1.23.1 Sep 6, 2024
@samuelkarp samuelkarp mentioned this pull request Sep 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mxpv mxpv mxpv approved these changes

@akhilerm akhilerm akhilerm approved these changes

Assignees

@thaJeztah thaJeztah

Labels

area/github_actions Pull requests that update GitHub Actions code area/toolchain Build and Release Toolchain go Pull requests that update Go code impact/changelog size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@thaJeztah @mxpv @akhilerm @samuelkarp @k8s-ci-robot