Skip to content

[19.03] Update Golang 1.12.16, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919)#40433

Merged
cpuguy83 merged 2 commits intomoby:19.03from
thaJeztah:19.03_bump_golang_1.12.16
Jan 30, 2020
Merged

[19.03] Update Golang 1.12.16, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919)#40433
cpuguy83 merged 2 commits intomoby:19.03from
thaJeztah:19.03_bump_golang_1.12.16

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Jan 29, 2020

second commit was a clean cherry-pick of b606c8e, taken from #40429

Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)

full diff: golang/go@go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

  • X.509 certificate validation bypass on Windows 10
    A Windows vulnerability allows attackers to spoof valid certificate chains when
    the system root store is in use. These releases include a mitigation for Go
    applications, but it’s strongly recommended that affected users install the
    Windows security update to protect their system.
    This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
  • Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
    On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
    functions of golang.org/x/crypto/cryptobyte can lead to a panic.
    The malformed certificate can be delivered via a crypto/tls connection to a
    client, or to a server that accepts client certificates. net/http clients can
    be made to crash by an HTTPS server, while net/http servers that accept client
    certificates will recover the panic and are unaffected.
    Thanks to Project Wycheproof for providing the test cases that led to the
    discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
    This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (CVE-2020-7919)

full diff: golang/crypto@88737f5...69ecbb4

Includes golang/crypto@69ecbb4
(forward-port of golang/crypto@8b5121b),
which fixes CVE-2020-7919:

  • Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
    On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
    functions of golang.org/x/crypto/cryptobyte can lead to a panic.
    The malformed certificate can be delivered via a crypto/tls connection to a
    client, or to a server that accepts client certificates. net/http clients can
    be made to crash by an HTTPS server, while net/http servers that accept client
    certificates will recover the panic and are unaffected.
    Thanks to Project Wycheproof for providing the test cases that led to the
    discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

@thaJeztah
[19.03] Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)
5f5c323 
full diff: golang/go@go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

- X.509 certificate validation bypass on Windows 10
  A Windows vulnerability allows attackers to spoof valid certificate chains when
  the system root store is in use. These releases include a mitigation for Go
  applications, but it’s strongly recommended that affected users install the
  Windows security update to protect their system.
  This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
  This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a03…
a6ae27c 
…0884e1

full diff: golang/crypto@88737f5...69ecbb4

Includes golang/crypto@69ecbb4
(forward-port of golang/crypto@8b5121b),
which fixes CVE-2020-7919:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b606c8e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 19.03.6 milestone Jan 29, 2020
@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented Jan 29, 2020

@justincormack @tonistiigi @cpuguy83 PTAL

/cc @arkodg

opened as "draft" because I didn't know if we were still cherry-picking for 19.03.6

@thaJeztah thaJeztah marked this pull request as ready for review January 29, 2020 22:36
@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented Jan 29, 2020

(moved out of draft per discussion on slack)

@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented Jan 29, 2020

note: after this is merged, the docker/engine 19.03 branch will have to be synced manually

cpuguy83
cpuguy83 approved these changes Jan 30, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cpuguy83 cpuguy83 merged commit 6c0e676 into moby:19.03 Jan 30, 2020
@thaJeztah thaJeztah deleted the 19.03_bump_golang_1.12.16 branch January 30, 2020 20:15
tiborvass pushed a commit to tiborvass/docker that referenced this pull request Feb 4, 2020
@cpuguy83
Merge pull request moby#40433 from thaJeztah/19.03_bump_golang_1.12.16
e686f46 
[19.03] Update Golang 1.12.16, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919)
@tiborvass
Copy link
Copy Markdown
Contributor

tiborvass commented Feb 4, 2020

🚨🚨🚨 After force push, new merge commit is e686f46.

@thaJeztah thaJeztah mentioned this pull request Feb 27, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

@cpuguy83 cpuguy83 cpuguy83 approved these changes

+1 more reviewer

@arkodg arkodg arkodg approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

impact/changelog status/2-code-review

Projects

None yet

Milestone

19.03.6

Development

Successfully merging this pull request may close these issues.

5 participants

@thaJeztah @tiborvass @tonistiigi @cpuguy83 @arkodg