govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Using go1.20.1 and [email protected] with
vulnerability data from https://vuln.go.dev (last modified 2023-04-05 21:13:07 +0000 UTC).
Scanning your code and 195 packages across 30 dependent modules for known vulnerabilities...
Your code is affected by 3 vulnerabilities from the Go standard library.
Vulnerability #1: GO-2023-1705
Multipart form parsing can consume large amounts of CPU and
memory when processing form inputs containing very large numbers
of parts. This stems from several causes: 1.
mime/multipart.Reader.ReadForm limits the total memory a parsed
multipart form can consume. ReadForm can undercount the amount
of memory consumed, leading it to accept larger inputs than
intended. 2. Limiting total memory does not account for
increased pressure on the garbage collector from large numbers
of small allocations in forms with many parts. 3. ReadForm can
allocate a large number of short-lived buffers, further
increasing pressure on the garbage collector. The combination of
these factors can permit an attacker to cause a program that
parses multipart forms to consume large amounts of CPU and
memory, potentially resulting in a denial of service. This
affects programs that use mime/multipart.Reader.ReadForm, as
well as form parsing in the net/http package with the Request
methods FormFile, FormValue, ParseMultipartForm, and
PostFormValue. With fix, ReadForm now does a better job of
estimating the memory consumption of parsed forms, and performs
many fewer short-lived allocations. In addition, the fixed
mime/multipart.Reader imposes the following limits on the size
of parsed forms: 1. Forms parsed with ReadForm may contain no
more than 1000 parts. This limit may be adjusted with the
environment variable GODEBUG=multipartmaxparts=. 2. Form parts
parsed with NextPart and NextRawPart may contain no more than
10,000 header fields. In addition, forms parsed with ReadForm
may contain no more than 10,000 header fields across all parts.
This limit may be adjusted with the environment variable
GODEBUG=multipartmaxheaders=.
More info: https://pkg.go.dev/vuln/GO-2023-1705
Standard library
Found in: mime/[email protected]
Fixed in: mime/[email protected]
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Vulnerability #2: GO-2023-1704
HTTP and MIME header parsing can allocate large amounts of
memory, even when parsing small inputs, potentially leading to a
denial of service. Certain unusual patterns of input data can
cause the common function used to parse HTTP and MIME headers to
allocate substantially more memory than required to hold the
parsed headers. An attacker can exploit this behavior to cause
an HTTP server to allocate large amounts of memory from a small
request, potentially leading to memory exhaustion and a denial
of service. With fix, header parsing now correctly allocates
only the memory required to hold parsed headers.
More info: https://pkg.go.dev/vuln/GO-2023-1704
Standard library
Found in: net/[email protected]
Fixed in: net/[email protected]
Vulnerability #3: GO-2023-1621
The ScalarMult and ScalarBaseMult methods of the P256 Curve may
return an incorrect result if called with some specific
unreduced scalars (a scalar larger than the order of the curve).
This does not impact usages of crypto/ecdsa or crypto/ecdh.
More info: https://pkg.go.dev/vuln/GO-2023-1621
Standard library
Found in: crypto/internal/[email protected]
Fixed in: crypto/internal/[email protected]