Bump Go version to 1.21.5 to address CVE-2023-39326

[sharathsivakumar]

What would you like to be added?

The Go team has pre-announced release of 1.21.5 on December 5. This is a security release and fixes the CVE:

• CVE-2023-39326

This issue has been created to work on etcd fixes in anticipation of the upcoming go release.

Why is this needed?

To make sure that CVE-2023-39326 is addressed and fixed.

[sharathsivakumar]

cc: @jmhbnz @ahrtr @serathius

[ahrtr]

1.21.5 and 1.20.12 are not available yet.

[sharathsivakumar]

@ahrtr True. They are likely to be available on December 5. This issue is in anticipation of the changes required once 1.21.5 and 1.20.15 are available.

[jmhbnz]

1.21.5 and 1.20.12 has now dropped: https://go.dev/doc/devel/release#go1.21.0

go1.21.5 (released 2023-12-05) includes security fixes to the go command, and the net/http and path/filepath packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rand, net, os, and syscall packages. See the Go 1.21.5 milestone on our issue tracker for details

Let's update asap given security fixes, completion tracking below:

• main Update go version to 1.21.5 #17073
• release-3.5 (1.20.12) [3.5] Update go version to 1.20.12 #17077
• release-3.4 (1.20.12) [3.4] Update go version to 1.20.12 #17076
• etcd-io CHANGELOG Update release-3.4 and 3.5 Changelog for go bump to 1.20.12 #17080
• etcd-io/bbolt master Update go version to 1.21.5 bbolt#630
• etcd-io/raft main Update go to 1.21.5 raft#115

[ivanvc]

Hey @jmhbnz, I can work on bbolt and raft (I'm currently working on another PR on etcd and want to finish that before committing to anything in that repo).

[jmhbnz]

I can work on bbolt and raft (I'm currently working on another PR on etcd and want to finish that before committing to anything in that repo).

That would be great thanks @ivanvc. Added you to the assignees for this issue 🙏🏻

[ivanvc]

@jmhbnz I can also update the release-3.5 and release-3.4 branches.

[jmhbnz]

@jmhbnz I can also update the release-3.5 and release-3.4 branches.

Thanks @ivanvc would you be able to raise raft one please?

New contributor @jonasrdl raised the pr for main so let's see if they are interested in raising the backport to release-3.4 and release-3.5 branches seeing as it is their change.

[ivanvc]

Thanks @ivanvc would you be able to raise raft one please?

Yes, I'm currently working on it.

[jonasrdl]

New contributor @jonasrdl raised the pr for main so let's see if they are interested in raising the backport to release-3.4 and release-3.5 branches seeing as it is their change.

Sure, I'll do release-3.4 and release-3.5.

[jmhbnz]

Closing - All updates completed and changelog updated, thanks to everyone that helped 🙏🏻