From 0794b1ce74d37623d50f5e52cb289a48e8558d18 Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Mon, 16 Oct 2023 15:36:22 -0400 Subject: [PATCH] Update Go version to 1.20.10 This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) / [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) (`net/http`). --- .changelog/19225.txt | 9 +++++++++ .github/workflows/build.yml | 22 +++++++++++----------- build-support/docker/Build-Go.dockerfile | 2 +- 3 files changed, 21 insertions(+), 12 deletions(-) create mode 100644 .changelog/19225.txt diff --git a/.changelog/19225.txt b/.changelog/19225.txt new file mode 100644 index 000000000000..d4c4d156d454 --- /dev/null +++ b/.changelog/19225.txt @@ -0,0 +1,9 @@ +```release-note:security +Upgrade Go to 1.20.10. +This resolves vulnerability [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) +/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`net/http`). +``` +```release-note:security +Update `golang.org/x/net` to v0.17.0 to address [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) +/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)(`x/net/http2`). +``` diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a6bade292ea6..5aade8fadfd6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -85,15 +85,15 @@ jobs: strategy: matrix: include: - - {go: "1.20.8", goos: "linux", goarch: "386"} - - {go: "1.20.8", goos: "linux", goarch: "amd64"} - - {go: "1.20.8", goos: "linux", goarch: "arm"} - - {go: "1.20.8", goos: "linux", goarch: "arm64"} - - {go: "1.20.8", goos: "freebsd", goarch: "386"} - - {go: "1.20.8", goos: "freebsd", goarch: "amd64"} - - {go: "1.20.8", goos: "windows", goarch: "386"} - - {go: "1.20.8", goos: "windows", goarch: "amd64"} - - {go: "1.20.8", goos: "solaris", goarch: "amd64"} + - {go: "1.20.10", goos: "linux", goarch: "386"} + - {go: "1.20.10", goos: "linux", goarch: "amd64"} + - {go: "1.20.10", goos: "linux", goarch: "arm"} + - {go: "1.20.10", goos: "linux", goarch: "arm64"} + - {go: "1.20.10", goos: "freebsd", goarch: "386"} + - {go: "1.20.10", goos: "freebsd", goarch: "amd64"} + - {go: "1.20.10", goos: "windows", goarch: "386"} + - {go: "1.20.10", goos: "windows", goarch: "amd64"} + - {go: "1.20.10", goos: "solaris", goarch: "amd64"} fail-fast: true name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build @@ -182,7 +182,7 @@ jobs: strategy: matrix: include: - - {go: "1.20.8", goos: "linux", goarch: "s390x"} + - {go: "1.20.10", goos: "linux", goarch: "s390x"} fail-fast: true name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build @@ -233,7 +233,7 @@ jobs: matrix: goos: [ darwin ] goarch: [ "amd64", "arm64" ] - go: [ "1.20.8" ] + go: [ "1.20.10" ] fail-fast: true name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build diff --git a/build-support/docker/Build-Go.dockerfile b/build-support/docker/Build-Go.dockerfile index c0186842fb76..884bc4894af3 100644 --- a/build-support/docker/Build-Go.dockerfile +++ b/build-support/docker/Build-Go.dockerfile @@ -1,7 +1,7 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -ARG GOLANG_VERSION=1.20.8 +ARG GOLANG_VERSION=1.20.10 FROM golang:${GOLANG_VERSION} WORKDIR /consul