From 9439d7a8235eef3b5cd2d8ff0e5ae93d01985222 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 10 Dec 2021 10:47:50 -0500
Subject: [PATCH 1/6] golang security update 1.17.5
---
 .changelog/11662.txt | 3 +++
 .circleci/config.yml | 8 ++++----
 contributing/README.md | 2 +-
 scripts/release/mac-remote-build | 2 +-
 scripts/vagrant-linux-priv-go.sh | 2 +-
 5 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 .changelog/11662.txt
diff --git a/.changelog/11662.txt b/.changelog/11662.txt
new file mode 100644
index 00000000000..6c6f02d2fc6
--- /dev/null
+++ b/.changelog/11662.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Updated to Go 1.17.5. Go 1.17.3 contained 2 CVEs. [CVE-2021-44717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44717) could allow a task on a Unix system with exhausted file handles to misdirect I/O. [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) could create unbounded memory growth in HTTP2 servers. Nomad servers do not use HTTP2.
+```
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 88bb0d3e2d5..3ea45761685 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -512,7 +512,7 @@ executors:
 go:
 working_directory: /go/src/github.com/hashicorp/nomad
 docker:
- - image: docker.mirror.hashicorp.services/golang:1.17.3
+ - image: docker.mirror.hashicorp.services/golang:1.17.5
 environment:
 <<: *common_envs
 GOPATH: /go
@@ -524,7 +524,7 @@ executors:
 environment: &machine_env
 <<: *common_envs
 GOPATH: /home/circleci/go
- GOLANG_VERSION: 1.17.3
+ GOLANG_VERSION: 1.17.5
 # uses a more recent image with unattended upgrades disabled properly
 # but seems to break docker builds
@@ -541,7 +541,7 @@ executors:
 environment:
 <<: *common_envs
 GOPATH: /Users/distiller/go
- GOLANG_VERSION: 1.17.3
+ GOLANG_VERSION: 1.17.5
 go-windows:
 machine:
@@ -553,7 +553,7 @@ executors:
 GOPATH: c:\gopath
 GOBIN: c:\gopath\bin
 GOTESTSUM_PATH: c:\tmp\test-reports
- GOLANG_VERSION: 1.17.3
+ GOLANG_VERSION: 1.17.5
 GOTESTSUM_VERSION: 0.4.2
 VAULT_VERSION: 1.4.1
diff --git a/contributing/README.md b/contributing/README.md
index 2401cf7456c..2a809305d91 100644
--- a/contributing/README.md
+++ b/contributing/README.md
@@ -30,7 +30,7 @@ A development environment is supplied via Vagrant to make getting started easier
 Developing without Vagrant
 ---
-1. Install [Go 1.17.3+](https://golang.org/) *(Note: `gcc-go` is not supported)*
+1. Install [Go 1.17.5+](https://golang.org/) *(Note: `gcc-go` is not supported)*
 1. Clone this repo
 ```sh
 $ git clone https://github.com/hashicorp/nomad.git
diff --git a/scripts/release/mac-remote-build b/scripts/release/mac-remote-build
index 7027058bd02..bce57053578 100755
--- a/scripts/release/mac-remote-build
+++ b/scripts/release/mac-remote-build
@@ -56,7 +56,7 @@ REPO_PATH="${TMP_WORKSPACE}/gopath/src/github.com/hashicorp/nomad"
 mkdir -p "${TMP_WORKSPACE}/tmp"
 install_go() {
- local go_version="1.17.3"
+ local go_version="1.17.5"
 local download=
 download="https://storage.googleapis.com/golang/go${go_version}.darwin-amd64.tar.gz"
diff --git a/scripts/vagrant-linux-priv-go.sh b/scripts/vagrant-linux-priv-go.sh
index 7efb21eb29d..6b066f02c92 100755
--- a/scripts/vagrant-linux-priv-go.sh
+++ b/scripts/vagrant-linux-priv-go.sh
@@ -3,7 +3,7 @@ set -o errexit
 function install_go() {
- local go_version="1.17.3"
+ local go_version="1.17.5"
 local download="https://storage.googleapis.com/golang/go${go_version}.linux-amd64.tar.gz"
 if go version 2>&1 | grep -q "${go_version}"; then
From 45a5b22b65cfd38e00684141bab293db3c179905 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 10 Dec 2021 14:06:14 -0500
Subject: [PATCH 2/6] docs: add 1.2.3 to changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93fd15af807..d795338f1b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.2.3 (December 13, 2021)
+
+SECURITY:
+
+* Updated to Go 1.17.5. Go 1.17.3 contained 2 CVEs. [CVE-2021-44717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44717) could allow a task on a Unix system with exhausted file handles to misdirect I/O. [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) could create unbounded memory growth in HTTP2 servers. Nomad servers do not use HTTP2. [[GH-11662](https://github.com/hashicorp/nomad/issues/11662)]
+
 ## 1.2.2 (November 24, 2021)
 BUG FIXES:
From a79efc8422082c4790046c3f5ad92c542592a54f Mon Sep 17 00:00:00 2001
From: Nomad Release bot
Date: Fri, 10 Dec 2021 19:30:22 +0000
Subject: [PATCH 3/6] Generate files for 1.2.3 release
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index 7842503186d..62e2a27eb05 100644
--- a/version/version.go
+++ b/version/version.go
@@ -11,7 +11,7 @@ var (
 GitDescribe string
 // The main version number that is being run at the moment.
- Version = "1.2.2"
+ Version = "1.2.3"
 // A pre-release marker for the version. If this is "" (empty string)
 // then it means that it is a final release. Otherwise, this is a pre-release
From 55e5c49b99a6fd2bf925e7fd98d95829776c331f Mon Sep 17 00:00:00 2001
From: Nomad Release Bot
Date: Fri, 10 Dec 2021 20:10:08 +0000
Subject: [PATCH 4/6] Release v1.2.3
From 4d6658409a8eb670e0874fe57565fb835cafbd5d Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Mon, 13 Dec 2021 09:56:34 -0500
Subject: [PATCH 5/6] trigger Vercel pipeline
From a6f6abbbeeb9dc495889e960a872b0a70207b743 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Mon, 13 Dec 2021 10:14:22 -0500
Subject: [PATCH 6/6] prepare for next release
---
 CHANGELOG.md | 12 ++++++++++++
 GNUmakefile | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c20c02c9352..97ca63e6632 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -84,6 +84,12 @@ BUG FIXES:
 * server: Fixed a panic on arm64 platform when dispatching a job with a payload [[GH-11396](https://github.com/hashicorp/nomad/issues/11396)]
 * server: Fixed a panic that may occur when preempting multiple allocations on the same node [[GH-11346](https://github.com/hashicorp/nomad/issues/11346)]
+## 1.1.9 (December 13, 2021)
+
+SECURITY:
+
+* Updated to Go 1.16.12. Earlier versions of Go contained 2 CVEs. [CVE-2021-44717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44717) could allow a task on a Unix system with exhausted file handles to misdirect I/O. [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) could create unbounded memory growth in HTTP2 servers. Nomad servers do not use HTTP2. [[GH-11662](https://github.com/hashicorp/nomad/issues/11662)]
+
 ## 1.1.8 (November 19, 2021)
 SECURITY:
@@ -343,6 +349,12 @@ BUG FIXES:
 * server: Fixed a panic that may arise on submission of jobs containing invalid service checks [[GH-10154](https://github.com/hashicorp/nomad/issues/10154)]
 * ui: Fixed the rendering of interstitial components shown after processing a dynamic application sizing recommendation. [[GH-10094](https://github.com/hashicorp/nomad/pull/10094)]
+## 1.0.15 (December 13, 2021)
+
+SECURITY:
+
+* Updated to Go 1.16.12. Earlier versions of Go contained 2 CVEs. [CVE-2021-44717](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44717) could allow a task on a Unix system with exhausted file handles to misdirect I/O. [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) could create unbounded memory growth in HTTP2 servers. Nomad servers do not use HTTP2. [[GH-11662](https://github.com/hashicorp/nomad/issues/11662)]
+
 ## 1.0.14 (November 19, 2021)
 SECURITY:
diff --git a/GNUmakefile b/GNUmakefile
index cdc685e5531..a68437e4511 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -32,7 +32,7 @@ PROTO_COMPARE_TAG ?= v1.0.3$(if $(findstring ent,$(GO_TAGS)),+ent,)
 # LAST_RELEASE is the git sha of the latest release corresponding to this branch. main should have the latest
 # published release, but backport branches should point to the parent tag (e.g. 1.0.8 in release-1.0.9 after 1.1.0 is cut).
-LAST_RELEASE ?= v1.2.2
+LAST_RELEASE ?= v1.2.3
 default: help