Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump Golang 1.11.3 (CVE-2018-16875) #14

Merged
merged 1 commit into from
Dec 14, 2018
Merged

Bump Golang 1.11.3 (CVE-2018-16875) #14

merged 1 commit into from
Dec 14, 2018

Conversation

thaJeztah
Copy link
Member

go1.11.13 (released 2018/12/14)

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn github@gone.nl

@thaJeztah
Bump Golang 1.11.3 (CVE-2018-16875)
639c177 
go1.11.13 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Copy link
Member Author

ping @seemethere @andrewhsu PTAL

@thaJeztah thaJeztah mentioned this pull request Dec 14, 2018
Merged
@thaJeztah thaJeztah merged commit f7c106a into docker:master Dec 14, 2018
@thaJeztah thaJeztah deleted the bump_golang_1.11.3 branch December 14, 2018 00:14
@theckman
Copy link

@thaJeztah be aware, there's a bit of an issue with the release that may want you to delay:

golang/go#29241

@thaJeztah
Copy link
Member Author

@theckman thanks! I saw the issue, so we'll have to check if we run into that during our builds (not sure if we use go get ... during our builds 😅)

@theckman
Copy link

@thaJeztah It's possibly I misunderstand but I think the risk would be anyone who uses the resulting Docker image for building running in to it, not necessarily during the build of the image itself.

@thaJeztah
Copy link
Member Author

Gotcha; yes, for other uses of this image that may be an issue. This image is primarily created for building the docker/cli (although it's not used for the actual releases).

I'll updated again as soon as a new golang patch release is available 👍

@thaJeztah
Copy link
Member Author

Go 1.11.4 bump coming in #17

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seemethere seemethere seemethere approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@thaJeztah @theckman @seemethere