Update Golang 1.13.7, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919) #3089
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ah, dang, they're strict here! |
d032acf to
4e84cb4
Compare
|
@dmcgowan @manishtomar PTAL I'll prepare a similar PR for the 2.7 branch as well (that one doesn't yet have go mod, so the vendoring will be slightly different) |
|
argh.. go mod 😞 |
|
I have a feeling I'm doing something wrong, or it's just go modules that's messing with me. Running the steps from the GO111MODULE=on go mod tidy
GO111MODULE=on go mod vendorAnd that's updating many dependencies Let's see what CI says 🤷♂ |
|
Arghh.. so CI and my machine don't agree. Just re-tried this inside a fresh GO111MODULE=on go mod tidy && GO111MODULE=on go mod vendor && git status
Refresh index: 100% (2160/2160), done.
On branch bump_golang_1.13.7
Your branch is up to date with 'origin/bump_golang_1.13.7'.
nothing to commit, working tree cleanBut CI shows a diff again (partial diff below); - Checking for unused packages in vendor...
diff --git a/go.mod b/go.mod
index 2865879..d12a5b8 100644
--- a/go.mod
+++ b/go.mod
@@ -24,6 +24,7 @@ require (
github.com/gorilla/handlers v1.4.2
github.com/gorilla/mux v1.7.3
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+ github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
github.com/mitchellh/mapstructure v1.1.2
github.com/ncw/swift v1.0.49
github.com/opencontainers/go-digest v1.0.0-rc1
@@ -36,6 +37,7 @@ require (
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+ golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9 // indirect
google.golang.org/api v0.15.0
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
gopkg.in/yaml.v2 v2.2.8
diff --git a/go.sum b/go.sum
index 8e7f332..2800860 100644
--- a/go.sum
+++ b/go.sum
@@ -153,6 +153,8 @@ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALr
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -308,6 +310,8 @@ golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 h1:gZpLHxUX5BdYLA08Lj4YCJNN/jk7KtquiArPoeX0WvA=
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9 h1:1/DFK4b7JH8DmkqhUk48onnSfrPzImPoVxuomtbT2nk=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= |
|
Trying the same situation on master, and at least part of the problem is that CI was still on Go 1.12.x, and updating Go 1.13.x breaks go mod vendoring; it will pick different files of dependencies git reset --hard HEAD
HEAD is now at a8371794 Merge pull request #3072 from fermayo/fix-TestRegistryAsCacheMutationAPIs
docker run -it --rm \
-w /go/src/github.com/docker/distribution \
-v $(pwd):/go/src/github.com/docker/distribution golang:1.13.7-alpine \
sh -c 'apk add --no-cache git && GO111MODULE=on go mod tidy && GO111MODULE=on go mod vendor && git status'
Changes not staged for commit:
(use "git add/rm <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
deleted: vendor/golang.org/x/sys/unix/mkasm_darwin.go
deleted: vendor/golang.org/x/sys/unix/mkpost.go
deleted: vendor/golang.org/x/sys/unix/mksyscall.go
deleted: vendor/golang.org/x/sys/unix/mksyscall_aix_ppc.go
deleted: vendor/golang.org/x/sys/unix/mksyscall_aix_ppc64.go
deleted: vendor/golang.org/x/sys/unix/mksyscall_solaris.go
deleted: vendor/golang.org/x/sys/unix/mksysctl_openbsd.go
deleted: vendor/golang.org/x/sys/unix/mksysnum.go
deleted: vendor/golang.org/x/sys/unix/types_aix.go
deleted: vendor/golang.org/x/sys/unix/types_darwin.go
deleted: vendor/golang.org/x/sys/unix/types_dragonfly.go
deleted: vendor/golang.org/x/sys/unix/types_freebsd.go
deleted: vendor/golang.org/x/sys/unix/types_netbsd.go
deleted: vendor/golang.org/x/sys/unix/types_openbsd.go
deleted: vendor/golang.org/x/sys/unix/types_solaris.go
deleted: vendor/golang.org/x/text/unicode/bidi/gen.go
deleted: vendor/golang.org/x/text/unicode/bidi/gen_ranges.go
deleted: vendor/golang.org/x/text/unicode/bidi/gen_trieval.go
deleted: vendor/golang.org/x/text/unicode/norm/maketables.go
deleted: vendor/golang.org/x/text/unicode/norm/triegen.go
modified: vendor/modules.txtgit reset --hard HEAD
HEAD is now at a8371794 Merge pull request #3072 from fermayo/fix-TestRegistryAsCacheMutationAPIs
docker run -it --rm \
-w /go/src/github.com/docker/distribution \
-v $(pwd):/go/src/github.com/docker/distribution golang:1.12.16-alpine \
sh -c 'apk add --no-cache git && GO111MODULE=on go mod tidy && GO111MODULE=on go mod vendor && git status'
Refresh index: 100% (1559/1559), done.
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean |
|
trying to figure out why but not sure if those would explain all the other deps to be updated |
70280f8 to
64d5166
Compare
|
ok, no idea why, but trying bumping the I did first do a revendor in an intermediate commit (to take the Go 1.12 -> Go 1.13 bump in travis into account). Fingers crossed 🤞 |
|
Still producing a different result in travis 😠 `- Checking for unused packages in vendor...
diff --git a/go.mod b/go.mod
index c19cf7c..7f53f82 100644
--- a/go.mod
+++ b/go.mod
@@ -24,6 +24,7 @@ require (
github.com/gorilla/mux v1.7.2
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7 // indirect
+ github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
github.com/kr/pretty v0.1.0 // indirect
github.com/marstr/guid v1.1.0 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
@@ -48,7 +49,7 @@ require (
golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b // indirect
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
- golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed // indirect
+ golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9 // indirect
google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a // indirectAnd unable to get that result; docker run -it --rm \
-w /go/src/github.com/docker/distribution \
-v $(pwd):/go/src/github.com/docker/distribution golang:1.13.7-alpine3.11 \
sh -c 'apk add --no-cache bash git && ./script/validate/vendor'
- Checking for unused packages in vendor...
$ git status
On branch bump_golang_1.13.7
Your branch is up to date with 'origin/bump_golang_1.13.7'.
nothing to commit, working tree clean |
|
Tried adding Also; no difference docker run -it --rm \
-e GOOS=linux \
-e CGO_ENABLED=1 \
-w /go/src/github.com/docker/distribution \
-v $(pwd):/go/src/github.com/docker/distribution golang:1.13.7 \
sh -c './script/validate/vendor'
- Checking for unused packages in vendor...
$ git status
On branch bump_golang_1.13.7
Your branch is up to date with 'origin/bump_golang_1.13.7'.
nothing to commit, working tree cleanTried putting the source outside of GOPATH (same result); docker run -it --rm \
-w /foobar \
-v $(pwd):/foobar golang:1.13.7 \
sh -c './script/validate/vendor' |
|
ok, that last commit fixed the vendoring issue; installing the dev tools updated the However, |
full diff: golang/go@go1.13.4...go1.13.7 go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates the CVE-2020-0601 certificate verification bypass on Windows. The other affects only 32-bit architectures. https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved - X.509 certificate validation bypass on Windows 10 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. These releases include a mitigation for Go applications, but it’s strongly recommended that affected users install the Windows security update to protect their system. This issue is CVE-2020-0601 and Go issue golang.org/issue/36834. - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…CVE-2020-7919) Includes golang/crypto@69ecbb4 (forward-port of golang/crypto@8b5121b), which fixes CVE-2020-7919: - Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cd0f5b6 to
9b6a019
Compare
Codecov Report
@@ Coverage Diff @@
## master #3089 +/- ##
=======================================
Coverage 60.74% 60.74%
=======================================
Files 102 102
Lines 8077 8077
=======================================
Hits 4906 4906
Misses 2519 2519
Partials 652 652
Continue to review full report at Codecov.
|
|
@dmcgowan @manishtomar this is green now; PTAL I'll do an update after this one to update to Go 1.13.8 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update Golang 1.13.7 (CVE-2020-0601, CVE-2020-7919)
full diff: golang/go@go1.13.4...go1.13.7
go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates
the CVE-2020-0601 certificate verification bypass on Windows. The other affects
only 32-bit architectures.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Dockerfile: update to alpine 3.11
vendor: update golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d (CVE-2020-7919)
Includes golang/crypto@69ecbb4
(forward-port of golang/crypto@8b5121b),
which fixes CVE-2020-7919:
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.