Skip to content

[master] update to go 1.16.15 to address CVE-2022-24921 #631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
Mar 7, 2022
Merged

[master] update to go 1.16.15 to address CVE-2022-24921 #631

thaJeztah merged 1 commit into from
Mar 7, 2022

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Mar 4, 2022

Addresses CVE-2022-24921

go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package,
as well as bug fixes to the compiler, runtime, the go command, and to the net package.
See the Go 1.16.15 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved

full diff: golang/go@go1.16.14...go1.16.15

@thaJeztah
update to go 1.16.15 to address CVE-2022-24921
00a815f 
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921)

go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package,
as well as bug fixes to the compiler, runtime, the go command, and to the net package.
See the Go 1.16.15 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved

full diff: golang/go@go1.16.14...go1.16.15

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this pull request Mar 4, 2022
Merged
@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 4, 2022 

+ go build -o build/docker-linux-arm64 -tags ' pkcs11' -ldflags ' -w -X "github.com/docker/cli/cli/version.GitCommit=ab7cc48" -X "github.com/docker/cli/cli/version.BuildTime=2022-03-04T15:54:30Z" -X "github.com/docker/cli/cli/version.Version=0.0.0-20220304144818-ab7cc48" -X "github.com/docker/cli/cli/version.PlatformName=Docker Engine - Community"' -buildmode=pie github.com/docker/cli/cmd/docker
+ DISABLE_WARN_OUTSIDE_CONTAINER=1
+ make manpages
  scripts/docs/generate-man.sh
+ cp -r . /tmp/docker-cli-docsgen.wT3h05ub1Y/
+ cd /tmp/docker-cli-docsgen.wT3h05ub1Y
+ ./scripts/vendor init
+ go mod edit -modfile=vendor.mod -require=github.com/cpuguy83/go-md2man/[email protected]
+ cp man/tools.go .
+ ./scripts/vendor update
+ go mod tidy -modfile=vendor.mod
  go: github.com/theupdateframework/[email protected] requires
  github.com/docker/[email protected]: invalid pseudo-version: git fetch --unshallow -f origin in /go/pkg/mod/cache/vcs/48fbd2dfabec81f4c93170677bfc89087d4bec07a2d08f6ca5ce3d17962677ee: exit status 128:
  fatal: git fetch-pack: expected shallow list
  make: *** [manpages] Error 1
  error: Bad exit status from /var/tmp/rpm-tmp.E46oL1 (%build)

@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 4, 2022

Did they break go modules (AGAIN1!) with CentOS versions of git ? 😠

@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 4, 2022

Kicked CI again; hopefully it's just a once-off (or we may need to add workarounds again to make it work 😞)

@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 4, 2022

I'm guessing this could be related to golang/go@02e5505 (addressing golang/go#51331), but not sure what the previous "regression" was, because so far things continued to work, and this may have actually broken something....

@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 4, 2022

/cc @crazy-max

@crazy-max crazy-max mentioned this pull request Mar 4, 2022
Closed
@thaJeztah
Copy link
Member Author

thaJeztah commented Mar 7, 2022

Opened #635 to fix / work around the go modules issue

@thaJeztah thaJeztah merged commit 1fb6e36 into docker:master Mar 7, 2022
@thaJeztah thaJeztah deleted the bump_go_1.16.15 branch March 7, 2022 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndeloof ndeloof ndeloof approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thaJeztah @ndeloof