Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update to go1.20.7 #4474

Merged
merged 1 commit into from
Aug 2, 2023
Merged

update to go1.20.7 #4474

merged 1 commit into from
Aug 2, 2023

Conversation

thaJeztah
Copy link
Member

Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls package, as well as bug fixes to the assembler and the compiler. See the Go 1.20.7 milestone on our issue tracker for details:

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

  • crypto/tls: restrict RSA keys in certificates to <= 8192 bits

    Extremely large RSA keys in certificate chains can cause a client/server
    to expend significant CPU time verifying signatures. Limit this by
    restricting the size of RSA keys transmitted during handshakes to <=
    8192 bits.

    Based on a survey of publicly trusted RSA keys, there are currently only
    three certificates in circulation with keys larger than this, and all
    three appear to be test certificates that are not actively deployed. It
    is possible there are larger keys in use in private PKIs, but we target
    the web PKI, so causing breakage here in the interests of increasing the
    default safety of users of crypto/tls seems reasonable.

    Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: golang/go@go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@codecov-commenter
Copy link

Codecov Report

Merging #4474 (6517db9) into master (bb0e232) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4474   +/-   ##
=======================================
  Coverage   59.39%   59.39%           
=======================================
  Files         288      288           
  Lines       24782    24782           
=======================================
  Hits        14720    14720           
  Misses       9175     9175           
  Partials      887      887           

@thaJeztah thaJeztah merged commit 06de1f8 into docker:master Aug 2, 2023
74 checks passed
@thaJeztah thaJeztah deleted the update_go1.20.7 branch August 2, 2023 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants