update to go1.23.8 (fix CVE-2025-22871)
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,
We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fixes following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2025/04/03 19:30:00Showing 12 changed files
- .github/workflows/.test.yml
- .github/workflows/.windows.yml
- .github/workflows/arm64.yml
- .github/workflows/buildkit.yml
- .github/workflows/codeql.yml
- .github/workflows/test.yml
- .golangci.yml
- Dockerfile
- Dockerfile.simple
- Dockerfile.windows
- hack/dockerfiles/generate-files.Dockerfile
- hack/dockerfiles/govulncheck.Dockerfile
| ... | ... |
@@ -40,7 +40,7 @@ linters: |
| 40 | 40 |
run: |
| 41 | 41 |
# prevent golangci-lint from deducting the go version to lint for through go.mod, |
| 42 | 42 |
# which causes it to fallback to go1.17 semantics. |
| 43 |
- go: "1.23.7" |
|
| 43 |
+ go: "1.23.8" |
|
| 44 | 44 |
concurrency: 2 |
| 45 | 45 |
# Only supported with go modules enabled (build flag -mod=vendor only valid when using modules) |
| 46 | 46 |
# modules-download-mode: vendor |
| ... | ... |
@@ -161,7 +161,7 @@ FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
|
| 161 | 161 |
# Use PowerShell as the default shell |
| 162 | 162 |
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] |
| 163 | 163 |
|
| 164 |
-ARG GO_VERSION=1.23.7 |
|
| 164 |
+ARG GO_VERSION=1.23.8 |
|
| 165 | 165 |
ARG GOTESTSUM_VERSION=v1.12.0 |
| 166 | 166 |
ARG GOWINRES_VERSION=v0.3.1 |
| 167 | 167 |
ARG CONTAINERD_VERSION=v1.7.27 |