8000 chore(deps): bump Go version to 1.23.5 by melekes · Pull Request #4888 · cometbft/cometbft · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

chore(deps): bump Go version to 1.23.5 #4888

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 30, 2025
Merged

chore(deps): bump Go version to 1.23.5 #4888

merged 4 commits into from
Jan 30, 2025

Conversation

melekes
Copy link
Contributor
@melekes melekes commented Jan 28, 2025

due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in net/http
More info: https://pkg.go.dev/vuln/GO-2025-3420
Standard library
Found in: net/http@go1.23.1
Fixed in: net/http@go1.23.5
Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
More info: https://pkg.go.dev/vuln/GO-2025-3373
Standard library
Found in: crypto/x509@go1.23.1
Fixed in: crypto/x509@go1.23.5
Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey

@melekes
chore(deps): bump Go version to 1.23.5
c7a02cf 
due to sec vuln

Vulnerability #1: GO-2025-3420
    Sensitive headers incorrectly sent after cross-domain redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error:       #1: rpc/jsonrpc/client/http_json_client.go:231:34: client.Client.Call calls http.Client.Do
Error:       #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
Error:       #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile calls http.Get

Vulnerability #2: GO-2025-3373
    Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error:       #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20: model.DB.Close calls badger.DB.Close, which eventually calls x509.CertPool.AppendCertsFromPEM
Error:       #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error:       #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial calls websocket.Dialer.Dial, which eventually calls x509.Certificate.VerifyHostname
Error:       #4: light/errors.go:483:84: light.errBadWitness.Error calls x509.HostnameError.Error
Error:       #5: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseCertificate
Error:       #6: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParseECPrivateKey
Error:       #7: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS1PrivateKey
Error:       #8: rpc/jsonrpc/server/http_server.go:166:19: server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually calls x509.ParsePKCS8PrivateKey
@melekes melekes requested review from a team as code owners January 28, 2025 14:21
@melekes melekes added the dependencies Dependency updates label Jan 28, 2025
@melekes melekes added the backport-to-v1.x Tell Mergify to backport the PR to v1.x label Jan 29, 2025
@melekes melekes self-assigned this Jan 30, 2025
@melekes melekes enabled auto-merge January 30, 2025 04:21
@melekes melekes added this pull request to the merge queue Jan 30, 2025
Merged via the queue into main with commit e4cbca8 Jan 30, 2025
34 checks passed
@melekes melekes deleted the fix-sec-vuln branch January 30, 2025 04:36
mergify bot pushed a commit that referenced this pull request Jan 30, 2025
@melekes @mergify
chore(deps): bump Go version to 1.23.5 (#4888)
1b89c5b 
due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey

(cherry picked from commit e4cbca8)

# Conflicts:
#	.golangci.yml
@mergify mergify bot mentioned this pull request Jan 30, 2025
Merged
mergify bot added a commit that referenced this pull request Jan 30, 2025
@mergify @melekes
chore(deps): bump Go version to 1.23.5 (backport #4888) (#4890)
d4a24c1 
due to sec vuln

Vulnerability #1: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in
net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3420
  Standard library
    Found in: net/http@go1.23.1
    Fixed in: net/http@go1.23.5
    Example traces found:
Error: #1: rpc/jsonrpc/client/http_json_client.go:231:34:
client.Client.Call calls http.Client.Do
Error: #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls
cobra.Command.Execute, which eventually calls http.Client.Get
Error: #3: cmd/cometbft/commands/debug/util.go:70:23: debug.dumpProfile
calls http.Get

Vulnerability #2: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-3373
  Standard library
    Found in: crypto/x509@go1.23.1
    Fixed in: crypto/x509@go1.23.5
    Example traces found:
Error: #1: abci/tutorials/abci-v2-forum-app/model/db.go:143:20:
model.DB.Close calls badger.DB.Close, which eventually calls
x509.CertPool.AppendCertsFromPEM
Error: #2: internal/autofile/group.go:468:30: autofile.GroupReader.Read
calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify
Error: #3: rpc/jsonrpc/client/ws_client.go:290:29: client.WSClient.dial
calls websocket.Dialer.Dial, which eventually calls
x509.Certificate.VerifyHostname
Error: #4: light/errors.go:483:84: light.errBadWitness.Error calls
x509.HostnameError.Error
Error: #5: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseCertificate
Error: #6: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParseECPrivateKey
Error: #7: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS1PrivateKey
Error: #8: rpc/jsonrpc/server/http_server.go:166:19:
server.ServeTLSWithShutdown calls http.Server.ServeTLS, which eventually
calls x509.ParsePKCS8PrivateKey
<hr>This is an automatic backport of pull request #4888 done by
[Mergify](https://mergify.com).

---------

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
melekes added a commit that referenced this pull request Jan 30, 2025
@melekes
build(deps): bump Go version to 1.22.11
68fc81e 
due to sec vuln

Port of #4888
@melekes melekes mentioned this pull request Jan 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zrbecker zrbecker zrbecker approved these changes

Assignees

@melekes melekes

Labels
backport-to-v1.x Tell Mergify to backport the PR to v1.x dependencies Dependency updates
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@melekes @zrbecker
0