
all: upgrade immediately to at least Go1.22.7 due to 3 high severity vulnerabilities: CVE-2024-34158, CVE-2024-34155 and CVE-2024-24791 #3033

Closed
odeke-em opened this issue Oct 27, 2024 · 3 comments · Fixed by #3767
Assignees
Labels
security Security-sensitive issue

Comments

@odeke-em
Contributor

This code constrains itself to Go1.22.4 but there are 3 critical vulnerabilities that were fixed in Go1.22.7

  1. "Stack exhaustion in Parse in go/build/constraint" https://pkg.go.dev/vuln/GO-2024-3107 at gnovm/pkg/gnolang/go2gno.go:77
  2. "Stack exhaustion in all Parse functions in go/parser" https://pkg.go.dev/vuln/GO-2024-3105 at gnovm/pkg/gnolang/go2gno.go:77 gnovm/pkg/gnolang/nodes.go:1137
  3. "Denial of service due to improper 100-continue handling in net/http" https://pkg.go.dev/vuln/GO-2024-2963 at tm2/pkg/p2p/upnp/upnp.go:275 tm2/pkg/p2p/upnp/upnp.go:201

Please upgrade ASAP. Kindly cc-ing @jaekwon
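The first two findings above are stack exhaustion in recursive-descent parsing of attacker-controlled Go source (go/parser and go/build/constraint). The real fix is the toolchain upgrade the issue asks for; as defence in depth, a caller can also bound the input before the recursive parser sees it. The program below is an added example, not code from this issue or from the gno project: it tokenizes the source with go/scanner, which is iterative and so cannot itself be driven into deep recursion, measures the deepest bracket nesting, and refuses input beyond a limit before calling go/parser. The function names, the depth limit of 1000 and the constructed nested-parenthesis input are assumptions of this example; it does not address the net/http 100-continue finding.

```go
package main

import (
	"errors"
	"fmt"
	"go/ast"
	"go/parser"
	"go/scanner"
	"go/token"
	"strings"
)

// ErrTooDeep is returned when the source nests brackets deeper than allowed.
var ErrTooDeep = errors.New("source nesting exceeds limit")

// nestingDepth tokenizes src with go/scanner (an iterative lexer, so it cannot
// be stack-exhausted by nesting) and returns the deepest (), [] or {} nesting.
// Brackets inside string, rune and comment tokens are not counted because the
// scanner returns them as single tokens.
func nestingDepth(src []byte) int {
	fset := token.NewFileSet()
	file := fset.AddFile("input.go", fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, src, nil, 0) // nil error handler: we only count brackets
	depth, deepest := 0, 0
	for {
		_, tok, _ := s.Scan()
		switch tok {
		case token.EOF:
			return deepest
		case token.LPAREN, token.LBRACK, token.LBRACE:
			depth++
			if depth > deepest {
				deepest = depth
			}
		case token.RPAREN, token.RBRACK, token.RBRACE:
			if depth > 0 {
				depth--
			}
		}
	}
}

// ParseGuarded refuses inputs nested deeper than maxDepth and otherwise hands
// the source to go/parser. The pre-check bounds the recursion the parser can
// perform, whatever toolchain version is in use (hypothetical helper name).
func ParseGuarded(src []byte, maxDepth int) (*ast.File, error) {
	if d := nestingDepth(src); d > maxDepth {
		return nil, fmt.Errorf("%w: depth %d > %d", ErrTooDeep, d, maxDepth)
	}
	fset := token.NewFileSet()
	return parser.ParseFile(fset, "input.go", src, parser.SkipObjectResolution)
}

// deeplyNested builds a constructed hostile input: one literal wrapped in n
// pairs of parentheses, the shape that drives go/parser into deep recursion.
func deeplyNested(n int) []byte {
	var b strings.Builder
	b.WriteString("package p\nvar x = ")
	b.WriteString(strings.Repeat("(", n))
	b.WriteString("1")
	b.WriteString(strings.Repeat(")", n))
	b.WriteString("\n")
	return []byte(b.String())
}

func main() {
	const limit = 1000 // assumed limit; tune to the deepest legitimate input
	for _, n := range []int{10, 5000} {
		_, err := ParseGuarded(deeplyNested(n), limit)
		fmt.Printf("nesting %d: err=%v\n", n, err)
	}
}
```

Running the program parses the 10-deep input and rejects the 5000-deep one with ErrTooDeep before go/parser is entered. The limit should sit well above anything a legitimate submission produces and well below the recursion depth at which the unpatched parser exhausts its stack.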

@kristovatlas
Contributor

Thanks for the report, @odeke-em. We're looking into it.

@kristovatlas
Contributor

@jaekwon wants to make sure that there haven't been any language updates between 1.22.4 and 1.22.7 that could break things before we bump the constraint.

@odeke-em
Contributor Author

odeke-em commented Feb 3, 2025

@kristovatlas @jaekwon Go doesn't make radical language changes between point releases of the same major version. The release notes for Go1.22.X are all posted at https://go.dev/doc/devel/release#go1.22.0 and they are security fixes.

thehowl added a commit that referenced this issue Feb 20, 2025
Seeing as Go is now at version 1.24, making this PR to bump to the
latest patch version of 1.23. This will also fix the CI on master.

Changes aside from go.mod concern updating a few methods in `txlog`
which were always intended to use 1.23 iterators, but couldn't until
now.

There is a language change (the aforementioned range funcs), but it
shouldn't impact existing code. Pinging those who I think could verify
this in the reviewers.

Fixes #3033.
@Kouteki Kouteki added this to the 🚀 Mainnet beta launch milestone Feb 21, 2025