[release/1.2] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919) by thaJeztah · Pull Request #3988 · containerd/containerd

thaJeztah · 2020-01-28T17:56:07Z

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)

full diff: golang/go@go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

full diff: golang/crypto@4979611...69ecbb4

Includes golang/crypto@69ecbb4
(forward-port of golang/crypto@8b5121b),
which fixes CVE-2020-7919:

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

full diff: golang/go@go1.12.15...go1.12.16 go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <[email protected]>

…0884e1 full diff: golang/crypto@4979611...69ecbb4 Includes golang/crypto@69ecbb4 (forward-port of golang/crypto@8b5121b), which fixes CVE-2020-7919: Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. Signed-off-by: Sebastiaan van Stijn <[email protected]>

fuweid · 2020-01-29T08:43:16Z

    --- FAIL: TestContainersCreateUpdateDelete/UpdateExtensionsNotInFieldpath (0.00s)
        containers_test.go:733: timestamp for updatedat not after createdat: 2020-01-28 18:06:33.7195316 +0000 UTC <= 2020-01-28 18:06:33.7195316 +0000 UTC

retrying...

codecov-io · 2020-01-29T08:54:31Z

Codecov Report

Merging #3988 into release/1.2 will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff              @@
##           release/1.2    #3988   +/-   ##
============================================
  Coverage        44.19%   44.19%           
============================================
  Files              100      100           
  Lines            10847    10847           
============================================
  Hits              4794     4794           
  Misses            5313     5313           
  Partials           740      740

Flag	Coverage Δ
#linux	`47.87% <ø> (ø)`	⬆️
#windows	`41% <ø> (ø)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7276974...1bc2590. Read the comment docs.

fuweid

LGTM

estesp

LGTM

thaJeztah added 2 commits January 28, 2020 18:52

thaJeztah mentioned this pull request Jan 28, 2020

[release/1.2] Prepare v1.2.12 release #3984

Merged

fuweid approved these changes Jan 29, 2020

View reviewed changes

estesp approved these changes Jan 29, 2020

View reviewed changes

estesp merged commit 92b40b6 into containerd:release/1.2 Jan 29, 2020

thaJeztah deleted the 1.2_bump_golang_1.12.16 branch January 29, 2020 09:16

thaJeztah mentioned this pull request Feb 26, 2020

[release/1.2 backport] Update to Golang 1.13.8 #4060

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release/1.2] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)#3988

[release/1.2] Update Golang 1.12.16, x/crypto (CVE-2020-0601, CVE-2020-7919)#3988
estesp merged 2 commits intocontainerd:release/1.2from
thaJeztah:1.2_bump_golang_1.12.16

thaJeztah commented Jan 28, 2020

Uh oh!

fuweid commented Jan 29, 2020

Uh oh!

codecov-io commented Jan 29, 2020

Uh oh!

fuweid left a comment

Uh oh!

estesp left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

thaJeztah commented Jan 28, 2020

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Uh oh!

fuweid commented Jan 29, 2020

Uh oh!

codecov-io commented Jan 29, 2020

Codecov Report

Uh oh!

fuweid left a comment

Choose a reason for hiding this comment

Uh oh!

estesp left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants