Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[27.x] update to go1.22.12 #5796

Merged
merged 1 commit into from
Feb 5, 2025
Merged

[27.x] update to go1.22.12 #5796

merged 1 commit into from
Feb 5, 2025

Conversation

vvoland
Copy link
Collaborator

@vvoland vvoland commented Feb 4, 2025

This minor release include 1 security fix following the security policy:

  • crypto/elliptic: timing sidechannel for P-256 on ppc64le

    Due to the usage of a variable time instruction in the assembly implementation
    of an internal function, a small number of bits of secret scalars are leaked on
    the ppc64le architecture. Due to the way this function is used, we do not
    believe this leakage is enough to allow recovery of the private key when P-256
    is used in any well known protocols.

This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.12

- Description for the changelog

Update Go runtime to 1.22.12

@vvoland
update to go1.22.12
6ee2756 
- https://github.com/golang/go/issues?q=milestone%3AGo1.22.12+label%3ACherryPickApproved
- full diff: golang/go@go1.22.11...go1.22.12

This minor release include 1 security fix following the security policy:

- crypto/elliptic: timing sidechannel for P-256 on ppc64le

  Due to the usage of a variable time instruction in the assembly implementation
  of an internal function, a small number of bits of secret scalars are leaked on
  the ppc64le architecture. Due to the way this function is used, we do not
  believe this leakage is enough to allow recovery of the private key when P-256
  is used in any well known protocols.

This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.12

Signed-off-by: Paweł Gronowski <[email protected]>
@vvoland vvoland added this to the 27.5.2 milestone Feb 4, 2025
@vvoland vvoland self-assigned this Feb 4, 2025
@codecov-commenter
Copy link

codecov-commenter commented Feb 4, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.58%. Comparing base (9f9e405) to head (6ee2756).
Report is 2 commits behind head on 27.x.

Additional details and impacted files 
@@           Coverage Diff           @@
##             27.x    #5796   +/-   ##
=======================================
  Coverage   58.58%   58.58%           
=======================================
  Files         346      346           
  Lines       29322    29322           
=======================================
  Hits        17178    17178           
  Misses      11171    11171           
  Partials      973      973

@vvoland vvoland closed this Feb 5, 2025
@vvoland vvoland reopened this Feb 5, 2025
thaJeztah
thaJeztah approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit 915f5cf into docker:27.x Feb 5, 2025
109 of 188 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

@vvoland vvoland

Labels
area/dependencies impact/changelog status/2-code-review
Projects
None yet
Milestone
27.5.2
Development

Successfully merging this pull request may close these issues.
3 participants
@vvoland @codecov-commenter @thaJeztah