go 1.17.7

[jidicula]

Created with brew bump-formula-pr.

resource blocks may require updates.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. To keep this pull request open, add a help wanted or in progress label.

[iMichka]

Fix for terraform-rover: #95105

[iMichka]

Fix for revive #95106

[iMichka]

Fix for jd: #95107

[chenrui333]

I have checked out the branch and installed 1.17.7 in my local, cql and httpx seems not an issue in my local run. IMO, I think we can make a new run and see if we can merge the PR.

[gonzaloserrano]

Any chance for the new build run to happen?

[gonzaloserrano]

7 formula failed to build, and all look to me to non-go related errors:

• akamai: some 404 getting a resource that I could not reproduce in local env
• awsweeper: terraform issues Minitest::Assertion: Expected /Error:\ failed\ to\ configure\ provider\ \(name=aws/ to match "\nfailed to install provider (aws): 2 problems:\n\n- registry.terraform.io: This version of Terraform has an outdated GPG key and is unable to verify new provider releases. Please upgrade Terraform to at least 0.12.31 to receive new provider updates.
• cassowari: Formula reports different sha256: 385232478b8552d56429fbe2584950bfbe42e3b611919a31075366a143aae9a9
• cf-tool: depends on gopsutil that does not fully support M1s yet cpu.Info() errors on Apple Silicon M1 (darwin/arm64) shirou/gopsutil#1000 (comment)
• dvm: dvm-helper dockerArch issue, does not build with prev go versions and looks unmaintained because it has not not even correct import paths?
• mpdviz: also super old, unmaintaned project which has an unmtainanted forked dependency that does not support arm64 src/github.com/lucy/termbox-go/api.go:57:17: undefined: syscall_IGNBR
• perkeep: depends on go 1.12 that's not supported anymore in brew https://github.com/Homebrew/homebrew-core/blob/master/Formula/perkeep.rb#L37 FormulaUnavailableError: No available formula with the name "go@1.12". Did you mean go@1.16, go@1.15, go@1.14 or go@1.13?
• pilosa: like cf-tool, also depends on gopsutil
• virgil: no arm64 compatibility ld: symbol(s) not found for architecture arm64

So I think upgrading the go version is a good call.

[iMichka]

Thanks for the list. That's only for the ARM part, more might pop up on Intel or Linux.

Unless this release fixes a CVE and there is an emergency, we should focus on fixing all of these. We can't just stay forever with broken builds. We have a policy in place, and we should try to follow it.

Here a patches for:
perkeep: #95740
cassowary: #95741
mpdviz: #95742

[jidicula]

@iMichka not sure if these count as emergencies, but here are the CVEs fixed in Go 1.17.7:

• CVE-2022-23806 and crypto/elliptic: IsOnCurve returns true for invalid field elements golang/go#50974
• CVE-2022-23772 and cmd/go: do not treat branches with semantic-version names as releases golang/go#35671
• CVE-2022-23773 and cmd/go: do not treat branches with semantic-version names as releases golang/go#35671

---

Announcement:

Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security policy:

• crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

  Some big.Int values that are not valid field elements (negative or overflowing)
  might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
  may cause a panic or an invalid curve operation. Note that Unmarshal will never
  return such values.

  Thanks to Guido Vranken for reporting this.

  This is CVE-2022-23806 and https://go.dev/issue/50974.

• math/big: prevent large memory consumption in Rat.SetString

  An attacker can cause unbounded memory growth in a program using (*Rat).SetString
  due to an unhandled overflow.

  Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
  (@odeke_et) for reporting it.

  This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

• cmd/go: prevent branches from materializing into versions

  A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
  can be considered a valid version by the go command. Materializing versions from
  branches might be unexpected and bypass ACLs that limit the creation of tags but not
  branches.

  This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team

[iMichka]

• terraform-rover: terraform-rover: fix checksum #95105
• revive revive: fix checksum #95106
• jd jd: fix checksum #95107
• awsweeper awsweeper 0.12.0 #93299
• cassowary cassowary: fix source url #95741
• cf-tool cf-tool: depends on x86_64 #95800
• dvm dvm: depends on x86_64 #95803
• mpdviz mpdviz: deprecate #95742
• perkeep perkeep: migrate to go #95740
• pilosa pilosa: deprecate #95805
• virgil virgil fails to build on ARM mac VirgilSecurity/virgil-cli#58, virgil: depend on x86_64 #96009

[stefanb]

This should be tried again now that everything was fixed and virgil marked as depending on x86_64 in #96009

[iMichka]

Yes. We also fixed goproxy: #96014

[carlocab]

Let's ship this when CI finishes.

[BrewTestBot]

@iMichka has triggered a merge.

[iMichka]

At least I got some tests green ...