[20.10 backport] update to go1.19.7 #45242

Merged
merged 1 commit into from Mar 30, 2023

neersighted
Member

Includes a security fix for crypto/elliptic (CVE-2023-24532).

> go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic
> package, as well as bug fixes to the linker, the runtime, and the crypto/x509
> and syscall packages. See the Go 1.19.7 milestone on our issue tracker for
> details.

https://go.dev/doc/devel/release#go1.19.minor

From the announcement:

> We have just released Go versions 1.20.2 and 1.19.7, minor point releases.
>
> These minor releases include 1 security fixes following the security policy:
>
> - crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
>
>   The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
>   incorrect result if called with some specific unreduced scalars (a scalar larger
>   than the order of the curve).
>
>   This does not impact usages of crypto/ecdsa or crypto/ecdh.
>
> This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c48f7fd)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
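
For code that calls the low-level crypto/elliptic API directly, one way to keep unreduced scalars away from the curve code is to reduce them modulo the group order first. The following is an added example, not code from this pull request, from moby, or from the Go project; the helper names and the sample scalars are constructed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

var p256 = elliptic.P256()

// reducedScalarBaseMult (hypothetical helper) reduces k modulo the group
// order N before calling the low-level API, so the curve code only ever
// receives a fixed-length scalar in [0, N-1].
func reducedScalarBaseMult(c elliptic.Curve, k *big.Int) (x, y *big.Int) {
	n := c.Params().N
	buf := make([]byte, (n.BitLen()+7)/8)
	return c.ScalarBaseMult(new(big.Int).Mod(k, n).FillBytes(buf))
}

// samePoint compares two affine points coordinate by coordinate.
func samePoint(x1, y1, x2, y2 *big.Int) bool {
	return x1.Cmp(x2) == 0 && y1.Cmp(y2) == 0
}

// unreducedAgrees passes k+N to ScalarBaseMult without reduction and reports
// whether the result matches the reduced computation. Both are k*G
// mathematically, so a mismatch means this scalar was mishandled.
func unreducedAgrees(c elliptic.Curve, k int64) bool {
	raw := new(big.Int).Add(c.Params().N, big.NewInt(k))
	x1, y1 := c.ScalarBaseMult(raw.Bytes())
	x2, y2 := reducedScalarBaseMult(c, raw)
	return samePoint(x1, y1, x2, y2)
}

// reducedHitsGenerator checks the wrapper on N+1, which must map to G itself.
func reducedHitsGenerator(c elliptic.Curve) bool {
	p := c.Params()
	x, y := reducedScalarBaseMult(c, new(big.Int).Add(p.N, big.NewInt(1)))
	return samePoint(x, y, p.Gx, p.Gy)
}

func main() {
	fmt.Println("reduced N+1 == G:", reducedHitsGenerator(p256))
	for _, k := range []int64{1, 2, 7} { // constructed sample scalars
		fmt.Printf("k=%d: unreduced k+N agrees: %v\n", k, unreducedAgrees(p256, k))
	}
}
```

The sample scalars are not known triggers for CVE-2023-24532; agreement on them does not show that a toolchain contains the fix.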
@thaJeztah
Member

Failure is a known flaky;

=== RUN   TestDockerSuite/TestStartReturnCorrectExitCode
    docker_cli_start_test.go:209: assertion failed: expected an error, got nil
    --- FAIL: TestDockerSuite/TestStartReturnCorrectExitCode (0.88s)

thaJeztah left a comment

LGTM

thaJeztah merged commit d2bc43a into moby:20.10 Mar 30, 2023
1 of 2 checks passed
thaJeztah added this to the 20.10.24 milestone Mar 30, 2023