[18.09] bump golang 1.12.10 (CVE-2019-16276) #2114
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a manual port of master commit 81b319a. go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go command, and the fmt, net/smtp, os, path/filepath, sync, and text/template packages. See the Go 1.12.1 milestone on our issue tracker for details. For the relase notes of Go 1.12.0, see: https://golang.org/doc/go1.12 Signed-off-by: Kir Kolyshkin <[email protected]>
go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go command, the runtime, and the doc, net, net/http/httputil, and os packages. See the Go 1.12.2 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.12.2 Full diff: golang/go@go1.12.1...go1.12.2 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ed8733a) Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit c55c801) Signed-off-by: Kir Kolyshkin <[email protected]>
go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt binary releases on older versions of GNU/Linux led to failures when linking programs that used cgo. Only Linux users who hit this issue need to update. See golang/go#31293 for details Full diff: golang/go@go1.12.3...go1.12.4 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit cf47bb2) Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit c32d1de) Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit 459099e) Signed-off-by: Kir Kolyshkin <[email protected]>
go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler, and the linker. See the Go 1.12.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.12.7 full diff: golang/go@go1.12.6...go1.12.7 Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit b06f9e9) Signed-off-by: Kir Kolyshkin <[email protected]>
This allows overriding the version of Go without making modifications in the
source code, which can be useful to test against multiple versions.
For example:
make GO_VERSION=1.13beta1 -f docker.Makefile binary
Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 0d3022c)
Signed-off-by: Kir Kolyshkin <[email protected]>
go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.12.8 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.12.8 - net/http: Denial of Service vulnerabilities in the HTTP/2 implementation net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages. The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606. Thanks to Jonathan Looney from Netflix for discovering and reporting these issues. This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2. net/url: parsing validation issue - url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse. The issue is CVE-2019-14809 and Go issue golang.org/issue/29098. Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue. Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit bbd179f) Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Jintao Zhang <[email protected]> (cherry picked from commit d985604) Signed-off-by: Kir Kolyshkin <[email protected]>
full diff: golang/go@go1.12.9...go1.12.10 ``` Hi gophers, We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.1). net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications. The issue is CVE-2019-16276 and Go issue golang.org/issue/34540. Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh) for discovering and reporting this issue. Downloads are available at https://golang.org/dl for all supported platforms. Alla prossima, Filippo on behalf of the Go team ``` From the patch: golang/go@6e6f4aa ``` net/textproto: don't normalize headers with spaces before the colon RFC 7230 is clear about headers with a space before the colon, like X-Answer : 42 being invalid, but we've been accepting and normalizing them for compatibility purposes since CL 5690059 in 2012. On the client side, this is harmless and indeed most browsers behave the same to this day. On the server side, this becomes a security issue when the behavior doesn't match that of a reverse proxy sitting in front of the server. For example, if a WAF accepts them without normalizing them, it might be possible to bypass its filters, because the Go server would interpret the header differently. Worse, if the reverse proxy coalesces requests onto a single HTTP/1.1 connection to a Go server, the understanding of the request boundaries can get out of sync between them, allowing an attacker to tack an arbitrary method and path onto a request by other clients, including authentication headers unknown to the attacker. This was recently presented at multiple security conferences: https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn net/http servers already reject header keys with invalid characters. Simply stop normalizing extra spaces in net/textproto, let it return them unchanged like it does for other invalid headers, and let net/http enforce RFC 7230, which is HTTP specific. This loses us normalization on the client side, but there's no right answer on the client side anyway, and hiding the issue sounds worse than letting the application decide. ``` Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 8743e36) Signed-off-by: Kir Kolyshkin <[email protected]>
Codecov Report
@@ Coverage Diff @@
## 18.09 #2114 +/- ##
=======================================
Coverage 54.28% 54.28%
=======================================
Files 291 291
Lines 19459 19459
=======================================
Hits 10563 10563
Misses 8215 8215
Partials 681 681 |
thaJeztah
approved these changes
Sep 28, 2019
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM if green; left one comment for related changes
| FROM golang:1.11.13-alpine | ||
| ARG GO_VERSION=1.12.10 | ||
|
|
||
| FROM golang:${GO_VERSION}-alpine |
Member
There was a problem hiding this comment.
We may need changes in docker-ce-packaging to take the GO_VERSION into account
Contributor
Author
There was a problem hiding this comment.
I believe this is sufficient: docker/docker-ce-packaging#389
thaJeztah
added
impact/changelog
status/2-code-review
and removed
status/0-triage
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backports of the following master commits to 18.09 branch:
and the manual port of
which had to be manual since in 18.09 we moved to a newer 1.11.x version
Clean cherry pick of everything that was cherry-picked