update go to go1.20.5, go1.19.10 #8714
|
Hm... looks like some architectures went AWOL in the package repositories / mirrors? http://azure.archive.ubuntu.com/ubuntu/dists/jammy-backports/main/ /cc @cpuguy83 |
|
Last I checked the Azure mirror only had amd64? |
|
Yes, looks like that's the case indeed. I didn't change anything in that area though, so wondering if something started to configure mirrors by default, or if there's something in CI in this repo doing so (didn't dig yet) |
|
Didn't see anything at a glance in this repository, so perhaps GHA sets up mirrors (which could make sense if they only expect amd64).
GHA itself doesn't set a mirror, so I'm guessing it's set on the workers.
containerd/.github/workflows/nightly.yml Lines 44 to 52 in ad9d1a8
|
|
/test pull-containerd-node-e2e |
|
/retest |
|
Should we switch to an upstream mirror temporarily, or is there any way to follow-up with Azure's distro mirror team to understand why the other architectures aren't being mirrored? |
|
It probably doesn't make sense to expect the Azure mirror to have s390x since Azure (tmk) only supports amd64 and arm64 at this point. |
|
I think Sam found that these arches were also missing now in upstream Ubuntu (but I haven't verified that). If that's not the case, I can ask the GHA people if they indeed switched config (to now use a mirror by default) |
|
Looking at
But
I do notice that the steps to add the containerd/.github/workflows/nightly.yml Lines 46 to 47 in ad9d1a8
First one looks to be passing (and hits But for the Details |
d154eda to 500d259
|
Rebased to get a fresh run of CI (and apparently other PRs were merged with green, so wondering if something was fixed to fix the nightly builds) |
|
AAAAAH! I was wondering why the nightly build fails on my PRs, but other PRs pass. Then I noticed that And this is the reason; containerd/.github/workflows/nightly.yml Lines 1 to 7 in 81bc6ce
It only runs;
So yes, the nightly builds are broken on master just as well; here's the last scheduled build; The last successful build was last month (May 13, 2023); https://github.com/containerd/containerd/actions/workflows/nightly.yml?page=3
Those logs show that the workers at the time already had the azure mirror configured, and do already show errors for other architectures; Full logs: logs_30980.zip Builds started failing on May 14, 2023; because the Full logs: |
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: golang/go@go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated privileges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
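The setuid/setgid issue above (CVE-2023-29403) is in the runtime, which is linked into every Go binary, so binaries built before the bump keep the old behaviour until they are rebuilt. The following is an added example, not code from this PR or from containerd: it reads the toolchain version embedded in a binary with `debug/buildinfo` and flags setuid/setgid files built before go1.19.10 / go1.20.5. The names `hasSetuidFix` and `audit` are illustrative, and treating the 1.21 line and later as fixed is an assumption.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// hasSetuidFix reports (fixed, parsed) for a version string like "go1.20.4".
// Thresholds are the releases named above; "1.21 and later" is an assumption.
func hasSetuidFix(v string) (bool, bool) {
	var minor, patch int
	n, _ := fmt.Sscanf(v, "go1.%d.%d", &minor, &patch) // patch stays 0 for "go1.21rc2"
	if n == 0 {
		return false, false // e.g. "devel ..." builds
	}
	return minor > 20 || (minor == 20 && patch >= 5) || (minor == 19 && patch >= 10), true
}

// audit classifies one file by its embedded toolchain version and mode bits.
func audit(path string) (string, error) {
	st, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	info, err := buildinfo.ReadFile(path) // fails for files that are not Go binaries
	if err != nil {
		return "", err
	}
	fixed, ok := hasSetuidFix(info.GoVersion)
	switch {
	case !ok:
		return "unknown " + info.GoVersion, nil
	case fixed:
		return "ok " + info.GoVersion, nil
	case st.Mode()&(os.ModeSetuid|os.ModeSetgid) != 0:
		return "REBUILD setuid/setgid " + info.GoVersion, nil
	}
	return "outdated " + info.GoVersion, nil
}

func main() {
	for _, p := range os.Args[1:] {
		res, err := audit(p)
		if err != nil {
			res = "skipped: " + err.Error()
		}
		fmt.Printf("%s\t%s\n", p, res)
	}
}
```

Run it with the paths of installed binaries as arguments; files that are not Go binaries are reported as skipped.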
500d259 to e9f63f6
|
|
Cirrus CI / Vagrant BOX:rockylinux/[email protected] failing during setting up Vagrant. Wondering if we can avoid failing if there's a lock; |
|
|
Looks like this is the cause of the failures since May 13; https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test/+build/26045019
|



