Skip to content

Commit

Permalink
update to go1.20.11, test go1.21.4
Browse files Browse the repository at this point in the history
go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker and the net/http package. See the
Go 1.20.11 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.11+label%3ACherryPickApproved
- full diff: golang/go@go1.20.10...go1.20.11

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
  • Loading branch information
thaJeztah committed Dec 5, 2023
1 parent 2206522 commit 1ec1ae2
Show file tree
Hide file tree
Showing 9 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build-test-images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ jobs:
steps:
- uses: actions/setup-go@v3
with:
go-version: "1.20.10"
go-version: "1.20.11"

- uses: actions/checkout@v3
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ on:
env:
# Go version we currently use to build containerd across all CI.
# Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
GO_VERSION: "1.20.10"
GO_VERSION: "1.20.11"

permissions: # added using https://github.com/step-security/secure-workflows
contents: read
Expand Down Expand Up @@ -207,7 +207,7 @@ jobs:
strategy:
matrix:
os: [ubuntu-20.04, macos-12, windows-2019, windows-2022]
go-version: ["1.20.10", "1.21.3"]
go-version: ["1.20.11", "1.21.4"]
steps:
- uses: actions/setup-go@v3
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:

- uses: actions/setup-go@v3
with:
go-version: 1.20.10
go-version: 1.20.11

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
steps:
- uses: actions/setup-go@v3
with:
go-version: "1.20.10"
go-version: "1.20.11"

- uses: actions/checkout@v3
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:
- ".github/workflows/nightly.yml"

env:
GO_VERSION: "1.20.10"
GO_VERSION: "1.20.11"

permissions: # added using https://github.com/step-security/secure-workflows
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ on:
name: Release

env:
GO_VERSION: "1.20.10"
GO_VERSION: "1.20.11"

permissions: # added using https://github.com/step-security/secure-workflows
contents: read
Expand Down
2 changes: 1 addition & 1 deletion Vagrantfile
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ EOF
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
'GO_VERSION': ENV['GO_VERSION'] || "1.20.10",
'GO_VERSION': ENV['GO_VERSION'] || "1.20.11",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
Expand Down
2 changes: 1 addition & 1 deletion contrib/Dockerfile.test
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
# docker run --privileged containerd-test
# ------------------------------------------------------------------------------

ARG GOLANG_VERSION=1.20.10
ARG GOLANG_VERSION=1.20.11
ARG GOLANG_IMAGE=golang

FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang
Expand Down
2 changes: 1 addition & 1 deletion script/setup/prepare_env_windows.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
# lived test environment.
Set-MpPreference -DisableRealtimeMonitoring:$true

$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.20.10"; make = ""; nssm = "" }
$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.20.11"; make = ""; nssm = "" }

Write-Host "Downloading chocolatey package"
curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'
Expand Down

0 comments on commit 1ec1ae2

Please sign in to comment.