From 90f69126829bc6aae630af5e44c82cc5a93a6e07 Mon Sep 17 00:00:00 2001 
From: Vasily Nemkov Date: Tue, 11 Apr 2023 16:22:53 +0200 Subject: [PATCH 1/3] Bumped Go version to get some CVE fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Lots of high-severity CVE were fixed in 1.19.8: pkg:golang/stdlib@1.19.5 ✗ HIGH CVE-2022-41725 [Uncontrolled Resource Consumption] https://dso.docker.com/cve/CVE-2022-41725 Affected range : <1.19.6 Fixed version : 1.19.6 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ✗ HIGH CVE-2022-41724 [Uncontrolled Resource Consumption] https://dso.docker.com/cve/CVE-2022-41724 Affected range : <1.19.6 Fixed version : 1.19.6 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ✗ HIGH CVE-2022-41723 [Uncontrolled Resource Consumption] https://dso.docker.com/cve/CVE-2022-41723 Affected range : <1.19.6 Fixed version : 1.19.6 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ✗ HIGH CVE-2022-41722 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] https://dso.docker.com/cve/CVE-2022-41722 Affected range : <1.19.6 Fixed version : 1.19.6 CVSS Score : 7.5 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ✗ MEDIUM CVE-2023-24532 [Incorrect Calculation] https://dso.docker.com/cve/CVE-2023-24532 Affected range : <1.19.7 Fixed version : 1.19.7 CVSS Score : 5.3 CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N ✗ UNSPECIFIED CVE-2023-24538 [Improper Control of Generation of Code ('Code Injection')] https://dso.docker.com/cve/CVE-2023-24538 Affected range : <1.19.8 Fixed version : 1.19.8 ✗ UNSPECIFIED CVE-2023-24537 [Loop with Unreachable Exit Condition ('Infinite Loop')] https://dso.docker.com/cve/CVE-2023-24537 Affected range : <1.19.8 Fixed version : 1.19.8 ✗ UNSPECIFIED CVE-2023-24536 [Uncontrolled Resource Consumption] https://dso.docker.com/cve/CVE-2023-24536 Affected range : <1.19.8 Fixed version : 1.19.8 ✗ UNSPECIFIED CVE-2023-24534 [Uncontrolled Resource 
Consumption] https://dso.docker.com/cve/CVE-2023-24534 Affected range : <1.19.8 Fixed version : 1.19.8
---
 docker/packager/binary/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/packager/binary/Dockerfile b/docker/packager/binary/Dockerfile
index 818472a52d55..edad920313c4 100644
--- a/docker/packager/binary/Dockerfile
+++ b/docker/packager/binary/Dockerfile
@@ -53,7 +53,7 @@ RUN arch=${TARGETARCH:-amd64} \
 && dpkg -i /tmp/nfpm.deb \
 && rm /tmp/nfpm.deb
-ARG GO_VERSION=1.18.3
+ARG GO_VERSION=1.19.8
 # We need go for clickhouse-diagnostics
 RUN arch=${TARGETARCH:-amd64} \
 && curl -Lo /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-${arch}.tar.gz" \
From fb8124dfeabf81fed4e06da9656ccf4a3b5afa07 Mon Sep 17 00:00:00 2001
From: Vasily Nemkov
Date: Wed, 12 Apr 2023 12:38:24 +0200
Subject: [PATCH 2/3] Do not install clickhouse-diagnostics
Due to large number of CVEs that popup in golang runtime
---
 packages/clickhouse-common-static.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/clickhouse-common-static.yaml b/packages/clickhouse-common-static.yaml
index 3167e78dbc3e..429d3fbcb678 100644
--- a/packages/clickhouse-common-static.yaml
+++ b/packages/clickhouse-common-static.yaml
@@ -33,8 +33,9 @@ deb:
 contents:
 - src: root/usr/bin/clickhouse
 dst: /usr/bin/clickhouse
-- src: root/usr/bin/clickhouse-diagnostics
- dst: /usr/bin/clickhouse-diagnostics
+# Excluded due to CVEs in go runtime that popup constantly
+# - src: root/usr/bin/clickhouse-diagnostics
+# dst: /usr/bin/clickhouse-diagnostics
 - src: root/usr/bin/clickhouse-extract-from-config
 dst: /usr/bin/clickhouse-extract-from-config
 - src: root/usr/bin/clickhouse-library-bridge
From ab55b6a84935dcb220056f095bac94798f1b3dec Mon Sep 17 00:00:00 2001
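Review bot: The toolchain tarball selected by the bumped GO_VERSION is still fetched with `curl -Lo /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-${arch}.tar.gz"` and, as far as this hunk shows, used without any integrity check, so a change made specifically to pick up CVE fixes still trusts whatever the download returns. Pin the expected digest next to the version, one per architecture the `${arch}` variable can take (for example `ARG GO_SHA256_AMD64=<sha256 of go${GO_VERSION}.linux-amd64.tar.gz>` and `ARG GO_SHA256_ARM64=<sha256 of go${GO_VERSION}.linux-arm64.tar.gz>`, constructed names), select the one matching `${arch}` inside the RUN, and verify before extracting with `&& echo "${GO_SHA256} /tmp/go.tgz" | sha256sum -c -`. The RUN that performs the download continues past the end of the hunk, so the extraction step itself is not visible here and the check has to be placed before it.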
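Review bot: Commenting out the two entries removes clickhouse-diagnostics from this package but not from the build: the Dockerfile hunk in the previous patch still installs Go for it (`# We need go for clickhouse-diagnostics`), so the binary carrying the flagged Go runtime is presumably still produced under root/usr/bin and may still reach other artefacts assembled from that tree — worth confirming. The `@@` context shows the edited list sits under `deb:`, and it is not visible from the hunk whether an equivalent contents list exists for other package formats; if it does, the exclusion needs to be mirrored there, otherwise the scanner findings simply move to the other package. The new comment should also state the condition under which the entries come back, e.g. `# clickhouse-diagnostics is deliberately not packaged: its Go runtime keeps producing CVE findings; re-enable once the Go toolchain is updated and re-scanned (see <tracking issue>)`.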
From: Vasily Nemkov
Date: Thu, 13 Apr 2023 10:43:16 +0200
Subject: [PATCH 3/3] Updated version to v22.8.15.25.altinitystable
---
 cmake/autogenerated_versions.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmake/autogenerated_versions.txt b/cmake/autogenerated_versions.txt
index 0f85d434350c..b79e759db3e7 100644
--- a/cmake/autogenerated_versions.txt
+++ b/cmake/autogenerated_versions.txt
@@ -7,9 +7,9 @@ SET(VERSION_MAJOR 22)
 SET(VERSION_MINOR 8)
 SET(VERSION_PATCH 15)
-SET(VERSION_TWEAK 24)
+SET(VERSION_TWEAK 25)
 SET(VERSION_FLAVOUR altinitystable)
-SET(VERSION_DESCRIBE v22.8.15.24.altinitystable)
-SET(VERSION_STRING 22.8.15.24.altinitystable)
-# end of autochange
\ No newline at end of file
+SET(VERSION_DESCRIBE v22.8.15.25.altinitystable)
+SET(VERSION_STRING 22.8.15.25.altinitystable)
+# end of autochange