From 7c101c27c3b19189e5dbf8ab957a7117bc6a652d Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 8 May 2023 11:57:11 -0600
Subject: [PATCH] security: update go version to 1.20.4 (#17240)
* update go version to 1.20.3
* add changelog
* rename changelog file to remove underscore
* update to use 1.20.4
* update change log entry to reflect 1.20.4
---
 .changelog/17240.txt | 12 ++++++++++++
 .github/workflows/build.yml | 20 ++++++++++----------
 build-support/docker/Build-Go.dockerfile | 2 +-
 3 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 .changelog/17240.txt
diff --git a/.changelog/17240.txt b/.changelog/17240.txt
new file mode 100644
index 000000000..59d120f74
--- /dev/null
+++ b/.changelog/17240.txt
@@ -0,0 +1,12 @@
+```release-note:security
+Upgrade to use Go 1.20.4.
+This resolves vulnerabilities [CVE-2023-24537](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`go/scanner`),
+[CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22)(`html/template`),
+[CVE-2023-24534](https://github.com/advisories/GHSA-8v5j-pwr7-w5f8)(`net/textproto`) and
+[CVE-2023-24536](https://github.com/advisories/GHSA-9f7g-gqwh-jpf5)(`mime/multipart`).
+Also, `golang.org/x/net` has been updated to v0.7.0 to resolve CVEs [CVE-2022-41721
+](https://github.com/advisories/GHSA-fxg5-wq6x-vr4w
+), [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) and [CVE-2022-41723
+](https://github.com/advisories/GHSA-vvpx-j8f3-3w6h
+.)
+```
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e67a3a55a..8f017a3f8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -82,15 +82,15 @@ jobs:
 strategy:
 matrix:
 include:
- - {go: "1.20.1", goos: "linux", goarch: "386"}
- - {go: "1.20.1", goos: "linux", goarch: "amd64"}
- - {go: "1.20.1", goos: "linux", goarch: "arm"}
- - {go: "1.20.1", goos: "linux", goarch: "arm64"}
- - {go: "1.20.1", goos: "freebsd", goarch: "386"}
- - {go: "1.20.1", goos: "freebsd", goarch: "amd64"}
- - {go: "1.20.1", goos: "windows", goarch: "386"}
- - {go: "1.20.1", goos: "windows", goarch: "amd64"}
- - {go: "1.20.1", goos: "solaris", goarch: "amd64"}
+ - {go: "1.20.4", goos: "linux", goarch: "386"}
+ - {go: "1.20.4", goos: "linux", goarch: "amd64"}
+ - {go: "1.20.4", goos: "linux", goarch: "arm"}
+ - {go: "1.20.4", goos: "linux", goarch: "arm64"}
+ - {go: "1.20.4", goos: "freebsd", goarch: "386"}
+ - {go: "1.20.4", goos: "freebsd", goarch: "amd64"}
+ - {go: "1.20.4", goos: "windows", goarch: "386"}
+ - {go: "1.20.4", goos: "windows", goarch: "amd64"}
+ - {go: "1.20.4", goos: "solaris", goarch: "amd64"}
 fail-fast: true
 name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -179,7 +179,7 @@ jobs:
 matrix:
 goos: [ darwin ]
 goarch: [ "amd64", "arm64" ]
- go: [ "1.20.1" ]
+ go: [ "1.20.4" ]
 fail-fast: true
 name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
diff --git a/build-support/docker/Build-Go.dockerfile b/build-support/docker/Build-Go.dockerfile
index 1fad3b7e7..8ab8e8cb9 100644
--- a/build-support/docker/Build-Go.dockerfile
+++ b/build-support/docker/Build-Go.dockerfile
@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
-ARG GOLANG_VERSION=1.20.1
+ARG GOLANG_VERSION=1.20.4
 FROM golang:${GOLANG_VERSION}
 WORKDIR /consul