Commit Graph

28 Commits

Author SHA1 Message Date
CrazyMax 11cf38bd97
update to go 1.23
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-11-20 11:20:18 +01:00
CrazyMax f65631546d
dockerfile: update go-mod-outdated to v0.9.0
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-07-03 15:37:28 +02:00
Tonis Tiigi cbe7901667
update Go to 1.22
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-07-02 22:27:43 -07:00
CrazyMax 25f8011825
pin to go 1.21
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-02-28 13:18:42 +01:00
Sebastiaan van Stijn 61dff684ad
update to go1.21.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 23:28:24 +01:00
CrazyMax fc7144f61d
update to go 1.21.3
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-10-18 03:21:44 +02:00
Sebastiaan van Stijn 957044825f
update to go1.20.8
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HMTL-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-11 15:53:03 +02:00
Sebastiaan van Stijn dd350284df
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 00:06:05 +02:00
CrazyMax 7f2293308b
update go to 1.20.6
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-07-17 10:30:00 +02:00
Justin Chadwell c4ad930e2a
Merge pull request #1644 from crazy-max/update-frontend
Dockerfile: align frontend version
2023-02-23 11:00:13 +00:00
CrazyMax 132fababb0
Dockerfile: align frontend version
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-22 17:47:48 +01:00
CrazyMax 376b73f078
update to go 1.20
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-02-22 14:37:50 +01:00
CrazyMax 7eb266de69
go.mod: bump to Go 1.19
Go 1.20 will be there soon, I think it's time to move our go.mod to
latest stable. We can then remove the compat in our vendor.Dockerfile

Downstream projects like compose or github.com/linuxkit/linuxkit should
not be affected.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-26 16:08:09 +01:00
CrazyMax 3509a1a7ff
Dockerfile: update to go 1.19
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-11 02:10:19 +02:00
Sebastiaan van Stijn 35b238ee82
vendor: vendor with -compat=1.17
This might break compatibility with projects using this module that
are still on go1.16, which is EOL, so probably ok to ignore:

    github.com/docker/buildx/store imports
        github.com/gofrs/flock tested by
        github.com/gofrs/flock.test imports
        gopkg.in/check.v1 loaded from gopkg.in/check.v1@v1.0.0-20200227125254-8fa46927fb4f,
        but go 1.16 would select v1.0.0-20201130134442-10cb98267c6c

    To upgrade to the versions selected by go 1.16:
        go mod tidy -go=1.16 && go mod tidy -go=1.17
    If reproducibility with go 1.16 is not needed:
        go mod tidy -compat=1.17
    For other options, see:
        https://golang.org/doc/modules/pruning

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-10 20:33:20 +02:00
Tonis Tiigi 0b9d426175 Dockerfile: update to go 1.18
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2022-04-27 17:22:31 -07:00
CrazyMax 824cb42fe0
dockerfile: update frontend to 1.4
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-03-10 02:11:19 +01:00
CrazyMax 08bb626304
chore: use no-cache-filter for outdated stage
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-03-10 02:11:19 +01:00
CrazyMax 3ccb883d95
chore: invalidate cache for outdated run stage
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-01-13 14:09:47 +01:00
CrazyMax 1a56de8e68
update go to 1.17.2
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-10-16 15:00:31 +02:00
CrazyMax df521e4e96
Mod outdated
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-09-04 18:57:48 +02:00
CrazyMax 6cfef7fa36
Bake workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-09-03 22:50:05 +02:00
CrazyMax 45c678ad26
Go 1.17
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-09-02 23:11:10 +02:00
CrazyMax dc6ada9b50
Update Dockerfile references to use 1.3
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-08-17 08:41:15 +02:00
Tonis Tiigi 905be6431b Dockerfile: update to go1.16
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-02-16 23:42:59 -08:00
Silvin Lubecki 960107d00f Bump golang to 1.13 in Dockerfiles
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
2020-03-04 18:37:46 +01:00
Tonis Tiigi b008ef8ecf hack: update vendor dockerfile
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-03-23 23:04:14 -07:00
Tonis Tiigi 4f2cc0e220 hack: base build scripts
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-03-22 13:31:08 -07:00