update: go #1539

dongsupark · 2024-09-06T07:53:27Z

Name: go
CVEs: CVE-2024-34155, CVE-2024-34156, CVE-2024-34158
CVSSs: n/a, n/a, n/a
Action Needed: update to >= 1.23.1 or >= 1.22.7

Summary:

CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions. Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode. Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34158: go/build/constraint: stack exhaustion in Parse. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

As Flatcar has only Go 1.21, which is already EOL, these CVEs are blocked until Go could be updated to 1.22+.

refmap.gentoo: TBD

dongsupark added security security concerns advisory security advisory advisory/upstream-blocked blocked by upstream projects labels Sep 6, 2024

tormath1 self-assigned this Sep 16, 2024

This was referenced Sep 16, 2024

update: runc #1530

Closed

upgrade Go, Runc, Docker and Containerd flatcar/scripts#2317

Merged

github-actions bot mentioned this issue Sep 22, 2024

Monthly contributions report 2024-08-22 - 2024-09-21 #1547

Closed

dongsupark removed the advisory/upstream-blocked blocked by upstream projects label Sep 23, 2024

dongsupark closed this as completed in flatcar/scripts#2317 Oct 2, 2024

github-actions bot mentioned this issue Oct 22, 2024

Monthly contributions report 2024-09-22 - 2024-10-21 #1568

Open

Provide feedback