Includes a fix for CVE-2023-29409
go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7
From the mailing list announcement:
[security] Go 1.20.7 and Go 1.19.12 are released
Hello gophers,
We have just released Go versions 1.20.7 and 1.19.12, minor point releases.
These minor releases include 1 security fixes following the security policy:
- crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.
Thanks to Mateusz Poliwczak for reporting this issue.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dd350284df)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/docker/cli/compare/v24.0.2...v24.0.4
notable changes:
- ssh: fix error on commandconn close, add ping and default
- commandconn: return original error while closing
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cc718b3444)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 9e7a6df485...36ef4d8c0d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ff2c8da803)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 4e3ac2762d...02993c407b
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e094296f37)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This should help reduce any unexpected config conflict between workers.
Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit 6f394a0691)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This means that we can run our docker-container tests in parallel again,
which can help speed up our test runs by a *significant* amount.
Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit 601056f3a7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
#7 [internal] load metadata for docker.io/library/golang:1.20.6-buster
#7 ERROR: docker.io/library/golang:1.20.6-buster: not found
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 1123bfed10)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A temporary workaround for "http: invalid Host header" introduced in
go 1.20.6.
Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit c4bec05466)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
client: define a "dummy" hostname to use for local connections
fixes "http: invalid Host header" errors when compiling with go1.20.6
or go1.19.11
full diff: https://github.com/docker/docker/compare/v24.0.2...36e9e796c6fc
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 8a3a646c61)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Although a builder from the store cannot be created unless
it has a valid name, this is not the case for a Docker context.
We should skip name validation when checking a node from the
store and fall back to finding one from Docker context instead.
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit b1c5449428)
We need to resolve the strip the cwd:// prefix before attempting to
resolve the dockerfile. Otherwise, we'll get the cwd:// prefix in the
dockerfile name, which isn't stripped out later.
Signed-off-by: Justin Chadwell <me@jedevc.com>
(cherry picked from commit 431732f5d1)
Sebastiaan van Stijn