Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump Go to 1.20.11 to mitigate against insecure Windows path parsing #12690

Merged
merged 1 commit into from
Nov 10, 2023
Merged

Bump Go to 1.20.11 to mitigate against insecure Windows path parsing #12690

merged 1 commit into from
Nov 10, 2023

Conversation

nywilken
Copy link
Contributor

@nywilken nywilken commented Nov 9, 2023

This change address CVE-2023-45283. There have been no reported issues
with Packer but we are bumping given its usage of the path/filepath pkg.

@nywilken
Bump Go to 1.20.11 to mitigate against insecure Windows path parsing
9ac3000 
This change address CVE-2023-45283. There have been no reported issues
with Packer but we are bumping given its usage of the path/filepath pkg.
@nywilken nywilken requested a review from a team as a code owner November 9, 2023 02:30
@nywilken nywilken added security Auto-pinning backport/1.9.x Backport PR changes to `release/1.9.x` labels Nov 9, 2023
lbajolet-hashicorp
lbajolet-hashicorp approved these changes Nov 10, 2023
View reviewed changes
Copy link
Contributor

@lbajolet-hashicorp lbajolet-hashicorp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@nywilken nywilken merged commit 4b1553c into main Nov 10, 2023
11 checks passed
@hc-github-team-packer hc-github-team-packer mentioned this pull request Nov 10, 2023
Merged
@Bjyothi2023
Copy link

Hi Team, we are seeing other vulnerabilities CVE-2023-39318, CVE-2023-39319 because of go version 1.20.7 in the packer current release 1.9.4 . I could see this MR got merged with the go version updated to 1.20.11.

I request you to please provide a new release with all these new changes on top of 1.9.4 so that we can use these new code changes and unblock our self.

Thanks in advance

@github-actions GitHub Actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lbajolet-hashicorp lbajolet-hashicorp lbajolet-hashicorp approved these changes

Assignees
No one assigned
Labels
backport/1.9.x Backport PR changes to `release/1.9.x` security Auto-pinning
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nywilken @Bjyothi2023 @lbajolet-hashicorp