- https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10
These minor releases include 2 security fixes following the security policy:
- cmd/go: arbitrary code execution during build on darwin On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.
- net: malformed DNS message can cause infinite loop A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to our attention. This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.
View the release notes for more information: https://go.dev/doc/devel/release#go1.22.3
**- Description for the changelog**
```markdown changelog Update Go runtime to 1.21.10 ```
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> (cherry picked from commit 6c97e0e0b5bdf173fb771eef4aa67441d53f546b) Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
vendor: bump google.golang.org/grpc to v1.56.3 and google.golang.org/protobuf to v1.33.0
These vulnerabilities were found by govulncheck:
Vulnerability #1: GO-2024-2611 Infinite loop in JSON unmarshaling in google.golang.org/protobuf More info: https://pkg.go.dev/vuln/GO-2024-2611 Module: google.golang.org/protobuf Found in: google.golang.org/protobuf@v1.28.1 Fixed in: google.golang.org/protobuf@v1.33.0 Example traces found: #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal
Vulnerability #2: GO-2023-2153 Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc More info: https://pkg.go.dev/vuln/GO-2023-2153 Module: google.golang.org/grpc Found in: google.golang.org/grpc@v1.50.1 Fixed in: google.golang.org/grpc@v1.56.3 Example traces found: #1: api/server/router/grpc/grpc.go:20:29: grpc.NewRouter calls grpc.NewServer #2: daemon/daemon.go:1477:23: daemon.Daemon.RawSysInfo calls sync.Once.Do, which eventually calls grpc.Server.Serve #3: daemon/daemon.go:1477:23: daemon.Daemon.RawSysInfo calls sync.Once.Do, which eventually calls transport.NewServerTransport