Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump Golang 1.11.3 (CVE-2018-16875) #283

Merged
merged 1 commit into from Dec 17, 2018

Conversation

Projects
None yet
3 participants
@thaJeztah
Copy link
Member

commented Dec 14, 2018

Follow up to #281 for master; moby/moby master now uses Golang 1.11, so master should probably be on this version

go1.11.3 (released 2018/12/14)

  • crypto/x509: CPU denial of service in chain validation golang/go#29233
  • cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
  • cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

@Scukerman

This comment has been minimized.

Copy link

commented Dec 14, 2018

you have a typo: go1.11.3 <---- (released 2018/12/14)

@thaJeztah thaJeztah force-pushed the thaJeztah:bump_golang_1.11.3 branch from 985d53d to 6b8b8fe Dec 14, 2018

@thaJeztah

This comment has been minimized.

Copy link
Member Author

commented Dec 14, 2018

whoops; fixed the typo 😂

Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@thaJeztah thaJeztah force-pushed the thaJeztah:bump_golang_1.11.3 branch from 6b8b8fe to 517a30b Dec 14, 2018

@thaJeztah thaJeztah changed the title [WIP] Bump Golang 1.11.3 (CVE-2018-16875) Bump Golang 1.11.3 (CVE-2018-16875) Dec 14, 2018

@thaJeztah

This comment has been minimized.

Copy link
Member Author

commented Dec 14, 2018

Rebased, now that #281 was merged

@seemethere @andrewhsu PTAL

@seemethere

This comment has been minimized.

Copy link
Member

commented Dec 17, 2018

We might just need to update this to read for golang:1.11.4 now that that's released.

Currently waiting on docker-library/official-images#5197

@thaJeztah

This comment has been minimized.

Copy link
Member Author

commented Dec 17, 2018

@seemethere let's get to 1.11.3 first (which is only the security fix), after that we can bump upstream moby/moby to 1.11.4 (which has quite a few more changes). I'd like to give it a full run of the moby/moby CI to check if there's no regressions

@seemethere seemethere merged commit 62508a7 into docker:master Dec 17, 2018

1 of 2 checks passed

unir Automatic merge is pending, 1 more approval(s) needed
continuous-integration/jenkins/pr-head This commit looks good
Details

@thaJeztah thaJeztah deleted the thaJeztah:bump_golang_1.11.3 branch Dec 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.