full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,
We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fix following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
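To make the desync described in the advisory concrete, here is an added example; it is not code from Go, Docker or this commit. It is a toy chunked-body decoder with three selectable line-ending policies: a bare LF ends the chunk-size line (net/http before go1.23.8), only CRLF ends it so a bare LF is swallowed into the chunk extension (the peer the advisory describes), and the hardened rule that requires CRLF and rejects a bare LF. The attack body, the request text inside it and all function names are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// lineMode selects how the chunk-size line is terminated: lfEndsLine lets a
// bare LF end it (pre-go1.23.8 net/http), crlfEndsLine reads up to CRLF so a
// bare LF becomes part of the extension, strictCRLF requires CRLF and rejects LF.
type lineMode int

const (
	lfEndsLine lineMode = iota
	crlfEndsLine
	strictCRLF
)

var errBareLF = errors.New("chunk-size line contains a bare LF")

// readChunkSizeLine splits off one chunk-size line (terminator removed).
func readChunkSizeLine(s string, mode lineMode) (string, string, error) {
	switch mode {
	case crlfEndsLine:
		i := strings.Index(s, "\r\n")
		if i < 0 {
			return "", "", errors.New("unterminated chunk-size line")
		}
		return s[:i], s[i+2:], nil
	default:
		i := strings.IndexByte(s, '\n')
		if i < 0 {
			return "", "", errors.New("unterminated chunk-size line")
		}
		if i == 0 || s[i-1] != '\r' {
			if mode == strictCRLF {
				return "", "", errBareLF
			}
			return s[:i], s[i+1:], nil // lenient: a bare LF ends the line
		}
		return s[:i-1], s[i+1:], nil
	}
}

// decodeChunked decodes one chunked body and returns the payload plus whatever
// bytes remain on the connection after the zero-length chunk (trailers ignored).
func decodeChunked(body string, mode lineMode) (string, string, error) {
	var out strings.Builder
	s := body
	for {
		line, after, err := readChunkSizeLine(s, mode)
		if err != nil {
			return "", "", err
		}
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop the chunk extension
		}
		size, err := strconv.ParseUint(strings.TrimSpace(line), 16, 32)
		if err != nil {
			return "", "", fmt.Errorf("bad chunk size %q: %w", line, err)
		}
		n, s2 := int(size), after
		if n == 0 {
			if !strings.HasPrefix(s2, "\r\n") {
				return "", "", errors.New("missing CRLF after last chunk")
			}
			return out.String(), s2[2:], nil
		}
		if len(s2) < n+2 || s2[n:n+2] != "\r\n" {
			return "", "", errors.New("chunk data not followed by CRLF")
		}
		out.WriteString(s2[:n])
		s = s2[n+2:]
	}
}

// Constructed attack body (not from the advisory); request text and sizes are invented.
const smuggledRequest = "GET /admin HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"

// buildSmugglingBody puts a bare LF inside the first chunk-size line's extension.
// Under lfEndsLine the first chunk is 54 'A's and the message ends at the first
// "0\r\n\r\n", leaving smuggledRequest on the connection as a second request.
// Under crlfEndsLine the 54-byte chunk starts at that "0\r\n\r\n" instead and
// swallows the smuggled request as harmless payload.
func buildSmugglingBody() string {
	size := 5 + len(smuggledRequest) // 5 = len("0\r\n\r\n"); total 54 = 0x36
	return fmt.Sprintf("%x;ext\n", size) + strings.Repeat("A", size) + "\r\n" +
		"0\r\n\r\n" + smuggledRequest + "\r\n0\r\n\r\n"
}

func main() {
	body := buildSmugglingBody()
	for _, m := range []lineMode{lfEndsLine, crlfEndsLine, strictCRLF} {
		payload, rest, err := decodeChunked(body, m)
		fmt.Printf("mode %d: err=%v payload=%d bytes, left on connection=%d bytes\n", m, err, len(payload), len(rest))
	}
}
```

The two lenient policies both accept the body but disagree on where the first request ends, which is the whole of the smuggling primitive; the strict policy refuses the body at the first chunk-size line, which is what the go1.23.8 change does.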
We had a few "runaway jobs" in other repos, where the job got stuck, and kept
running for 6 hours (in one case even 24 hours, probably due to some GitHub
outage). Some of those jobs could not be terminated.
While running these actions on public repositories doesn't cost us, it's
still not desirable to have jobs running for that long (as they can still
hold up the queue).
This patch adds a blanket "1 hour" time-limit. We should look at tweaking
the limit to actually expected duration, but having a default at least is
a start.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.6...go1.23.7
These minor releases include 1 security fix following the security policy:
net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
Matching of hosts against proxy patterns could improperly treat an IPv6
zone ID as a hostname component. For example, when the NO_PROXY
environment variable was set to "*.example.com", a request to
"[::1%25.example.com]:80" would incorrectly match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.7
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
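The bypass above is easiest to see by matching the quoted authority against a NO_PROXY pattern two ways. This is an added example, not code from Go's httpproxy, Docker or this commit: the flawed matcher applies the "*.example.com" suffix test to whatever the host string is, while the hardened matcher first recognises an IPv6 literal (zone included), strips the zone and only ever compares it as an address. The "%25" decoding is the RFC 6874 escaping of the '%' in a zone ID; the helper and function names are invented for the illustration, and the authorities in main are constructed (the first is the one from the advisory).

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// hostFromAuthority reduces "[v6%25zone]:port" or "host:port" to the bare host,
// decoding the RFC 6874 "%25" that carries the '%' of an IPv6 zone ID, as a URL
// parser does before the host reaches NO_PROXY matching.
func hostFromAuthority(authority string) string {
	h := authority
	if strings.HasPrefix(h, "[") {
		if i := strings.IndexByte(h, ']'); i >= 0 {
			h = h[1:i]
		}
	} else if i := strings.LastIndexByte(h, ':'); i >= 0 {
		h = h[:i]
	}
	return strings.ReplaceAll(h, "%25", "%")
}

// naiveNoProxyMatch models the flawed matcher: a "*.example.com" pattern is a
// plain suffix test on the host, so the zone ID ".example.com" attached to the
// loopback literal "::1%.example.com" makes it match and skip the proxy.
func naiveNoProxyMatch(authority, pattern string) bool {
	host := hostFromAuthority(authority)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

// strictNoProxyMatch first asks whether the host is an IP literal. If it is,
// the zone is discarded and only an IP pattern can match it; domain patterns
// are never applied to addresses.
func strictNoProxyMatch(authority, pattern string) bool {
	host := hostFromAuthority(authority)
	if addr, err := netip.ParseAddr(host); err == nil {
		want, err := netip.ParseAddr(pattern)
		return err == nil && want == addr.WithZone("")
	}
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

func main() {
	// Constructed authorities; the first is the one quoted in the advisory.
	for _, a := range []string{"[::1%25.example.com]:80", "api.example.com:443", "[::1]:80"} {
		fmt.Printf("%-26s naive=%-5v strict=%v\n", a,
			naiveNoProxyMatch(a, "*.example.com"), strictNoProxyMatch(a, "*.example.com"))
	}
}
```

The fix is a classification step before pattern matching rather than a tweak to the suffix test: anything netip accepts as an address is compared as an address with its zone removed, so no zone content can ever satisfy a hostname pattern.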
Enables docker-ce builds for Fedora 42. This will be GA in a couple months, and like usual,
has a lifespan of two years.
The workarounds required for Go on ARM are still required on this version, so have
been left in. The comments are still relevant.
Signed-off-by: Robert Sturla <robertsturla@outlook.com>
This minor release includes 1 security fix following the security policy:
- crypto/elliptic: timing sidechannel for P-256 on ppc64le
Due to the usage of a variable time instruction in the assembly implementation
of an internal function, a small number of bits of secret scalars are leaked on
the ppc64le architecture. Due to the way this function is used, we do not
believe this leakage is enough to allow recovery of the private key when P-256
is used in any well known protocols.
This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.6
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
When splitting the docker CLI from the moby/moby repository, the dockerd
documentation and man-pages were moved to the CLI repository. This was a
bit of a bad choice, as now the documentation and code lived in separate
repositories, but when the CLI and dockerd packages were split, the man
page for dockerd ended up in the CLI package.
Starting with [moby@d6e9b5f], the dockerd man-page has been reintegrated
into the moby repository, which means that we can build the man-page
from that repository, and remove it from the CLI repository.
This patch updates the packing to do so:
Before this patch;
dpkg-deb -c docker-ce_0.0.0~20250124134141.b8879a4-1~ubuntu.24.04~noble_arm64.deb | grep -E '^-'
-rw-r--r-- root/root 642 2025-01-24 14:29 ./etc/default/docker
-rwxr-xr-x root/root 2946 2025-01-24 14:29 ./etc/init.d/docker
-rwxr-xr-x root/root 2741336 2025-01-24 19:54 ./usr/bin/docker-proxy
-rw-r--r-- root/root 1727 2025-01-24 14:29 ./usr/lib/systemd/system/docker.service
-rw-r--r-- root/root 295 2025-01-24 14:29 ./usr/lib/systemd/system/docker.socket
-rwxr-xr-x root/root 604336 2025-01-24 19:54 ./usr/libexec/docker/docker-init
-rw-r--r-- root/root 2248 2025-01-24 14:29 ./usr/share/doc/docker-ce/README.md
-rw-r--r-- root/root 168 2025-01-24 19:54 ./usr/share/doc/docker-ce/changelog.Debian.gz
rpm -qpl ./docker-ce-0.0.0~20250124134141.b8879a4-0.fc41.aarch64.rpm
/etc/docker
/usr/bin/docker-proxy
/usr/bin/dockerd
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
/usr/libexec/docker/docker-init
With this patch:
dpkg-deb -c docker-ce_0.0.0~20250124134141.b8879a4-1~ubuntu.24.04~noble_arm64.deb | grep -E '^-'
-rw-r--r-- root/root 642 2025-01-24 14:29 ./etc/default/docker
-rwxr-xr-x root/root 2946 2025-01-24 14:29 ./etc/init.d/docker
-rwxr-xr-x root/root 2741336 2025-01-24 20:55 ./usr/bin/docker-proxy
-rwxr-xr-x root/root 79458592 2025-01-24 20:55 ./usr/bin/dockerd
-rw-r--r-- root/root 1727 2025-01-24 14:29 ./usr/lib/systemd/system/docker.service
-rw-r--r-- root/root 295 2025-01-24 14:29 ./usr/lib/systemd/system/docker.socket
-rwxr-xr-x root/root 604336 2025-01-24 20:55 ./usr/libexec/docker/docker-init
-rw-r--r-- root/root 2248 2025-01-24 14:29 ./usr/share/doc/docker-ce/README.md
-rw-r--r-- root/root 166 2025-01-24 20:55 ./usr/share/doc/docker-ce/changelog.Debian.gz
-rw-r--r-- root/root 6561 2025-01-24 20:55 ./usr/share/man/man8/dockerd.8.gz
rpm -qpl ./docker-ce-0.0.0~20250124134141.b8879a4-0.fc41.aarch64.rpm
/etc/docker
/usr/bin/docker-proxy
/usr/bin/dockerd
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
/usr/libexec/docker/docker-init
/usr/share/man/man8/dockerd.8.gz
Given that the dockerd man-page was previously packaged as part of docker-ce-cli,
we need to add a "Replaces:" condition to the package, to prevent dpkg from
detecting it as a conflict when an older version of the docker-ce-cli package
was installed that contains the manpage;
Unpacking docker-ce (5:0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm) ...
dpkg: error processing archive ./deb/debbuild/raspbian-bookworm/docker-ce_0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm_armhf.deb (--install):
trying to overwrite '/usr/share/man/man8/dockerd.8.gz', which is also in package docker-ce-cli 5:0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm
From the [Debian manual][1]
> 7.6.1. Overwriting files in other packages
>
> It is usually an error for a package to contain files which are on the
> system in another package. However, if the overwriting package declares
> that it Replaces the one containing the file being overwritten, then dpkg
> will replace the file from the old package with that from the new. The
> file will no longer be listed as “owned” by the old package and will be
> taken over by the new package.
[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html
[moby@d6e9b5f]: d6e9b5fe30
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>