Tracking issue: Update to go1.11.5 and 1.10.8 #73238
Comments
Patch Managers:
sgtm - this will miss 1.11.7 (because that's slated to go out today), but we can get a 1.11.8 sometime soon with these fixes.
golang issue golang/go#29903 K8S issue kubernetes/kubernetes#73238
**What this PR does / why we need it**:

> We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).
>
> This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
>
> These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
>
> The issue is CVE-2019-6486 and Go issue golang/go#29903. See the Go issue for more details.

K8S issue kubernetes/kubernetes#73238

**Which issue(s) this PR fixes**: n/a

**Special notes for your reviewer**:

**Release note**:

```improvement operator
NONE
```

/cc @ThormaehlenFred
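A CI guard for the toolchain upgrade this issue tracks, added here as an example and not code from the Kubernetes or Go repositories: it parses the string runtime.Version() reports and checks it against the fixed releases named in the quoted announcement, refusing to vouch for pre-release or devel builds. Which minor lines beyond 1.10 and 1.11 count as fixed is an assumption stated in the code.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// parseGoVersion parses releases as runtime.Version() reports them ("go1.11.5",
// "go1.12") into {major, minor, patch}; "go1.11rc1" and "devel" builds fail.
func parseGoVersion(s string) ([3]int, error) {
	var v [3]int
	if !strings.HasPrefix(s, "go") {
		return v, fmt.Errorf("not a release version: %q", s)
	}
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unexpected format: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("non-numeric component in %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// First fixed patch per 1.x minor line, from the announcement above. Assumption
// (not from the page): lines after 1.11 branched post-fix; before 1.10, unsupported.
var minFixed = map[int]int{10: 8, 11: 5}

// hasCVE20196486Fix reports whether a version carries the fix; a parse error
// means the build cannot be proven fixed and should fail the CI check.
func hasCVE20196486Fix(s string) (bool, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return false, err
	}
	if patch, ok := minFixed[v[1]]; ok && v[0] == 1 {
		return v[2] >= patch, nil
	}
	return v[0] > 1 || (v[0] == 1 && v[1] > 11), nil
}

func main() {
	ok, err := hasCVE20196486Fix(runtime.Version())
	fmt.Printf("%s fixed=%v err=%v\n", runtime.Version(), ok, err)
}
```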
Just approved the cherrypick @cblecker. Thanks!
Looks like all the updates have merged. Closing this out. Thank you everyone!
@cblecker: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
FTR 1.13.3 cut today w/ this included. https://github.com/kubernetes/kubernetes/releases/tag/v1.13.3
1.12 release with this fix is not out yet? 1.12.5 updates go to 1.10.7, and was cut Jan 16th (based on release note), but this fix was merged 25th.
Not yet, would be included in v1.12.6 (planned this week).
It also looks like there has not yet been a 1.11 release with this fix.
The Go team has released go1.11.5 and 1.10.8 with a security fix.
https://groups.google.com/d/msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
We should kick off upgrades of both the Kubernetes build system and our CI as soon as possible.
Status:
cc: @ixdy @kubernetes/sig-testing @kubernetes/sig-release @kubernetes/product-security-team
/area security
/sig release
/priority critical-urgent