Update golang version for telemetry build in sonic-slave-buster to fix CVE-2021-33195#14637
qiluo-msft merged 1 commit into sonic-net:master from FengPan-Frank:202012_cvefix
Conversation
…CVE-2021-33195 This will be merged into 202012 branch finally.
@qiluo-msft @ganglyu please help to review, thanks
@FengPan-Frank PR conflicts with 202205 branch
@FengPan-Frank can you create a separate PR for the 202205 branch?
https://github.com/sonic-net/sonic-buildimage/blob/202205/sonic-slave-bullseye/Dockerfile.j2#L384 @yxieca I confirmed that sonic-slave-bullseye has the correct fix on the 202205 branch; only builds from sonic-slave-buster/sonic-slave-jessie need to be fixed. Thus I think we don't need to do this merge.
@FengPan-Frank PR conflicts with 202012 branch
Thanks! Removed the request flag. Does that mean we also don't need this change for the 202211 branch either?
Right, we should not need the 202211 branch merge either.
…CVE-2021-33195 (sonic-net#14637)

Update golang version for telemetry build in sonic-slave-buster to fix https://security-tracker.debian.org/tracker/CVE-2021-33195; this PR will be merged into the 202012 branch finally.

#### Why I did it
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Now in the 201911 and 202012 branches we're using 1.14.2.

##### Work item tracking
- Microsoft ADO **(number only)**: 17727291

#### How I did it
Bump the golang version to 1.15.15, which contains the corresponding fix.

#### How to verify it
Unit test to do a sanity check.
Cherry-pick PR to 202211: #14777
Manually cherry-picked PR created: #14855
Update golang version for telemetry build in sonic-slave-buster to fix https://security-tracker.debian.org/tracker/CVE-2021-33195; this PR will be merged into the 202012 branch finally.
Why I did it
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Now in the 201911 and 202012 branches we're using 1.14.2.
Work item tracking
Microsoft ADO (number only): 17727291
How I did it
Bump the golang version to 1.15.15, which contains the corresponding fix.
How to verify it
Unit test to do a sanity check.
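What the Go version bump actually changes for the telemetry container: patched Go rejects DNS replies whose names are not valid RFC 1035 hostnames before returning them from the lookup functions, whereas Go 1.14.2 passed them through untouched. The program below is an added illustration written for this page, not code from the Go `net` package, the sonic-telemetry code or this PR. `isDomainName` is my own re-statement of the hostname-syntax rules (1 to 63 character labels of letters, digits, `-` and `_`, no label starting with `-`, at most 254 characters overall), `validatedLookup` shows the wrapper behaviour the fix adds, and `fakeResolver` is a constructed stand-in for a hostile DNS server; the host names in it are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadName is returned when a DNS reply carries a name that is not valid
// RFC 1035 hostname syntax.
var ErrBadName = errors.New("dns: response contains an invalid domain name")

// isDomainName reports whether s is a syntactically valid domain name:
// labels of 1-63 bytes made of letters, digits, '-' and '_', separated by
// dots, no label starting with '-', total length at most 254 (255 with a
// trailing dot), and not a purely numeric string (that would be an IP).
// This is an illustration of the check patched Go applies to DNS replies,
// not a copy of the net package's implementation.
func isDomainName(s string) bool {
	if s == "." { // the root name
		return true
	}
	l := len(s)
	if l == 0 || l > 254 || l == 254 && s[l-1] != '.' {
		return false
	}
	last := byte('.') // pretend a dot precedes the first label
	nonNumeric := false
	partlen := 0
	for i := 0; i < l; i++ {
		c := s[i]
		switch {
		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || c == '_':
			nonNumeric = true
			partlen++
		case '0' <= c && c <= '9':
			partlen++
		case c == '-':
			if last == '.' { // a label may not start with '-'
				return false
			}
			nonNumeric = true
			partlen++
		case c == '.':
			if last == '.' || last == '-' { // empty label, or label ending in '-'
				return false
			}
			if partlen > 63 {
				return false
			}
			partlen = 0
		default: // '<', '>', '(', ' ', quotes, ... are exactly what an injection needs
			return false
		}
		last = c
	}
	if last == '-' || partlen > 63 {
		return false
	}
	return nonNumeric
}

// LookupFunc stands in for a net.LookupCNAME / LookupSRV / LookupMX-style
// call that returns names taken from a DNS reply.
type LookupFunc func(host string) ([]string, error)

// validatedLookup wraps an unvalidated resolver: every returned name must
// pass isDomainName or the whole answer is rejected. Go 1.14.2 (the version
// in the 201911 and 202012 branches) behaves like calling lookup directly.
func validatedLookup(lookup LookupFunc, host string) ([]string, error) {
	names, err := lookup(host)
	if err != nil {
		return nil, err
	}
	for _, n := range names {
		if !isDomainName(n) {
			return nil, fmt.Errorf("%w: %q", ErrBadName, n)
		}
	}
	return names, nil
}

// fakeResolver is a constructed hostile DNS server: an honest CNAME for one
// (made-up) host and an XSS-style payload for another. No network is used.
func fakeResolver(host string) ([]string, error) {
	switch host {
	case "telemetry.example.net":
		return []string{"telemetry-backend.example.net."}, nil
	case "evil.example.net":
		return []string{"<script>alert(1)</script>.example.net."}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, h := range []string{"telemetry.example.net", "evil.example.net"} {
		raw, _ := fakeResolver(h)
		fmt.Printf("unvalidated (Go 1.14.2 behaviour):   %q\n", raw)
		got, err := validatedLookup(fakeResolver, h)
		fmt.Printf("validated   (Go >= 1.15.13 behaviour): %q err=%v\n", got, err)
	}
}
```

The same rule explains why a Go upgrade, rather than a change in the telemetry code, is the right fix: the validation sits inside the standard library's lookup path, so every caller in the binary (including ones that log or render the returned name) benefits once the build image ships a fixed toolchain.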