Upgrade openssl/openssh/krb5/golang for Trixie support #78
saiarcot895 merged 70 commits into sonic-net:main from
Dev/liuh/trixie bak
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
| GOLANG_MAIN_VERSION = go1.19 | ||
| GOLANGT_TAG = go1.19.8 | ||
| GOLANG_VERSOIN = 1.19.8-2 | ||
| GOLANG_MAIN_VERSION = go1.24 |
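Review bot: only GOLANG_MAIN_VERSION is bumped (go1.19 to go1.24) in the visible lines, while the neighbouring GOLANGT_TAG = go1.19.8 and GOLANG_VERSOIN = 1.19.8-2 still name the 1.19.8 toolchain; if those two drive the tarball download or the package version they need the matching 1.24.x values in the same change, and GOLANG_VERSOIN reads like a misspelling of GOLANG_VERSION, so it is worth checking whether any consumer depends on the misspelled name before renaming it.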
Can we use the latest go 1.26.1? There is a vulnerability issue.
I have a PR that wants to upgrade to golang 1.26.1 in the sonic-buildimage repo.
https://pkg.go.dev/vuln/GO-2026-4337
before go1.24.13, from go1.25.0-0 before go1.25.7, from go1.26.0-rc.1 before go1.26.0-rc.3
This would mean that the non-FIPS build of SONiC would be using an older golang; on the other hand, Debian hasn't updated golang in Trixie to address many CVEs, so we may need to do this.
Maybe we could upgrade to 1.24.13, so as to stay on the same major release? I'd rather do this as a separate PR though; this PR was meant to just add support for Trixie, and it actually should've been merged months ago.
How can we confirm whether the SONiC image passes FIPS validation?
@liushilongbuaa My understanding is that the current check is that if the symcrypt module gets loaded and used, then that is sufficient, so I'm using that as the baseline check here. I could be wrong though.
@qiluo-msft @saiarcot895 honest question, is the built-in fips 140 in go 1.24 good enough for our application https://go.dev/doc/security/fips140?
I'm unsure on that. I know symcrypt is certified for FIPS 140; I don't know if Golang's FIPS 140 is certified as well.
Just checked, it is not certified yet and will probably be painfully slow.
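The "symcrypt module gets loaded and used" baseline described earlier in this thread, as an added example in POSIX shell (not code from the PR or from SONiC). It assumes the SymCrypt provider identifier or name contains "symcrypt" in `openssl list -providers` output and that the library path contains "symcrypt" in /proc/<pid>/maps; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: the "SymCrypt is loaded and used" baseline
# check described in the thread, split into parsers over command output so it
# can run against a live process or against captured text.
# Assumptions: the SymCrypt provider's identifier or "name:" line contains
# "symcrypt" in `openssl list -providers`, and its shared object path contains
# "symcrypt" in /proc/<pid>/maps.

# Read `openssl list -providers` output on stdin; succeed only if a provider whose
# identifier or name mentions SymCrypt is reported with "status: active".
symcrypt_provider_active() {
    awk '
        /^  [^ ]/    { cur = tolower($0) }            # new provider block (2-space indent)
        /^    name:/ { cur = cur " " tolower($0) }    # its human-readable name
        cur ~ /symcrypt/ && /status: *active/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Read /proc/<pid>/maps on stdin; succeed if a SymCrypt shared object is mapped,
# i.e. the process really uses the library rather than merely having it installed.
symcrypt_mapped() {
    grep -qi 'symcrypt[^ ]*\.so'
}

# Live check: both conditions must hold for the process whose pid is $1.
check_fips_baseline() {
    openssl list -providers | symcrypt_provider_active \
        || { echo "SymCrypt provider not active in OpenSSL"; return 1; }
    symcrypt_mapped < "/proc/$1/maps" \
        || { echo "no SymCrypt shared object mapped in pid $1"; return 1; }
    echo "baseline OK: SymCrypt provider active and mapped in pid $1"
}

# Constructed sample outputs (not captured from a real system) for offline runs.
SAMPLE_PROVIDERS_OK='Providers:
  default
    name: OpenSSL Default Provider
    status: active
  symcryptprovider
    name: SymCrypt Provider
    status: active'
SAMPLE_PROVIDERS_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    status: active'
SAMPLE_MAPS_OK='7f3a10000000-7f3a10200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libsymcrypt.so.103'
SAMPLE_MAPS_NONE='7f3a10000000-7f3a10200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libcrypto.so.3'
if [ "$#" -eq 1 ]; then check_fips_baseline "$1"; fi
```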
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Supersedes #77.
Update OpenSSL, OpenSSH, KRB5, and Golang to the versions in Debian Trixie, and compile them with Symcrypt support.