Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514) #3531

Merged
merged 1 commit into from
Aug 14, 2019
Merged

AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514) #3531

merged 1 commit into from
Aug 14, 2019

Conversation

thaJeztah
Copy link
Member

go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.12.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.8

  • net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
    net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
    clients could be remotely made to allocate an unlimited amount of memory, until the program
    crashes. Servers will now close connections if the send queue accumulates too many control
    messages.
    The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
    Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
    This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
    net/url: parsing validation issue
  • url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
    suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
    in certain applications. Note that URLs with invalid, not numeric ports will now return an error
    from url.Parse.
    The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
    Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
    and reporting this issue.

@thaJeztah
AppVeyor: update to go 1.12.8 (CVE-2019-9512, CVE-2019-9514)
1b389b3 
go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.12.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.8

- net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
  net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
  clients could be remotely made to allocate an unlimited amount of memory, until the program
  crashes. Servers will now close connections if the send queue accumulates too many control
  messages.
  The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
  Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
  This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
  net/url: parsing validation issue
- url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
  suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
  in certain applications. Note that URLs with invalid, not numeric ports will now return an error
  from url.Parse.
  The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
  Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
  and reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was referenced Aug 14, 2019
Merged
Merged
@jterry75 jterry75 mentioned this pull request Aug 14, 2019
Merged
@theopenlab-ci
Copy link

theopenlab-ci bot commented Aug 14, 2019

Build succeeded.

@jterry75 jterry75 mentioned this pull request Aug 14, 2019
Merged
@fuweid
Copy link
Member

fuweid commented Aug 14, 2019

and also fix the issue: #3481

@thaJeztah
Copy link
Member Author

and also fix the issue: #3481

I can add closes #3481 here; I guess it would still need packages to be built with Go 1.12.8 though (I'm working on updating packaging scripts for Docker's containerd.io package)

@codecov-io
Copy link

Codecov Report

Merging #3531 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #3531   +/-   ##
=======================================
  Coverage   44.94%   44.94%           
=======================================
  Files         115      115           
  Lines       12790    12790           
=======================================
  Hits         5748     5748           
  Misses       6170     6170           
  Partials      872      872
Flag Coverage Δ
#linux 48.77% <ø> (ø) ⬆️
#windows 40.18% <ø> (-0.02%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b77e25d...1b389b3. Read the comment docs.

@crosbymichael
Copy link
Member

LGTM

@crosbymichael crosbymichael merged commit 074b759 into containerd:master Aug 14, 2019
@thaJeztah thaJeztah deleted the bump_golang_1.12.8 branch August 14, 2019 18:15
@tao12345666333 tao12345666333 mentioned this pull request Aug 16, 2019
Merged
@AkihiroSuda AkihiroSuda mentioned this pull request Dec 14, 2019
Closed
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@thaJeztah @fuweid @codecov-io @crosbymichael @AkihiroSuda