-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list: We have just released Go versions 1.19.1 and 1.18.6, minor point releases. These minor releases include 2 security fixes following the security policy: - net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this. This is CVE-2022-27664 and Go issue https://go.dev/issue/54658. - net/url: JoinPath does not strip relative path components in all circumstances JoinPath and URL.JoinPath would not remove `../` path components appended to a relative path. For example, `JoinPath("https://go.dev", "../go")` returned the URL `https://go.dev/../go`, despite the JoinPath documentation stating that `../` path elements are cleaned from the result. Thanks to q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385. Release notes: go1.19.1 (released 2022-09-06) includes security fixes to the net/http and net/url packages, as well as bug fixes to the compiler, the go command, the pprof command, the linker, the runtime, and the crypto/tls and crypto/x509 packages. See the Go 1.19.1 milestone on the issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Loading branch information
Showing
5 changed files
with
9 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
ARG GO_VERSION=1.19 | ||
ARG GO_VERSION=1.19.1 | ||
|
||
FROM golang:${GO_VERSION}-alpine AS base | ||
ENV GO111MODULE=off | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters