Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: updates to go1.22.1 #1260

Merged
merged 2 commits into from
Mar 11, 2024
Merged

chore: updates to go1.22.1 #1260

merged 2 commits into from
Mar 11, 2024

Conversation

staheri14
Copy link
Contributor

@staheri14 staheri14 commented Mar 8, 2024
edited
Loading

In order to fix the go vulnerabilities that are fixed in the new patch:

Vulnerability #1: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in
    html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/template@go1.22
    Fixed in: html/template@go1.22.1
    Example traces found:
      #1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute
      #2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2024-2600
    Incorrect forwarding of sensitive headers and cookies on HTTP redirect in
    net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2600
  Standard library
    Found in: net/http@go1.22
    Fixed in: net/http@go1.22.1
    Example traces found:
      #1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do
      #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
      #3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get

Vulnerability #3: GO-2024-2599
    Memory exhaustion in multipart form parsing in net/textproto and net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2599
  Standard library
    Found in: net/textproto@go1.22
    Fixed in: net/textproto@go1.22.1
    Example traces found:
      #1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadLine
      #2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader

Vulnerability #4: GO-2024-2598
    Verify panics on certificates with an unknown public key algorithm in
    crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2024-2598
  Standard library
    Found in: crypto/x509@go1.22
    Fixed in: crypto/x509@go1.22.1
    Example traces found:
      #1: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify

Your code is affected by 4 vulnerabilities from the Go standard library.

@staheri14 staheri14 self-assigned this Mar 8, 2024
@staheri14 staheri14 mentioned this pull request Mar 8, 2024
Closed
rootulp
rootulp reviewed Mar 8, 2024
View reviewed changes
Copy link
Collaborator

@rootulp rootulp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we please bump in all the other places (README, CI, Dockerfiles)

Ref: https://github.com/search?q=repo%3Acelestiaorg%2Fcelestia-core+1.22&type=code

@staheri14 staheri14 requested a review from rootulp March 8, 2024 23:45
@staheri14 staheri14 merged commit 10325da into main Mar 11, 2024
18 checks passed
@staheri14 staheri14 deleted the sanaz/update-to-go1.22.1 branch March 11, 2024 22:02
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rootulp rootulp rootulp approved these changes

@evan-forbes evan-forbes evan-forbes approved these changes

@cmwaters cmwaters Awaiting requested review from cmwaters

@rach-id rach-id Awaiting requested review from rach-id

@ninabarbakadze ninabarbakadze Awaiting requested review from ninabarbakadze

Assignees

@staheri14 staheri14

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@staheri14 @rootulp @evan-forbes