
Bumping go version to 1.22.5 #1433

Closed
1 task
staheri14 opened this issue Jul 26, 2024 · 0 comments · Fixed by #1434

Comments

@staheri14
Contributor

staheri14 commented Jul 26, 2024

Problem

The main branch of core is affected by a Go vulnerability, whose log is provided below. Fixing the issue requires using go1.22.5.
The vulnerability message shows up in this PR as well.

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@<go version lost in extraction>
    Fixed in: net/http@go1.22.5
    Example traces found:
Error:       #1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do
Error:       #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get
Error:       #3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get
Error:       #4: pkg/trace/fileserver.go:109:28: trace.GetTable calls http.PostForm
Error:       #5: pkg/trace/fileserver.go:219:26: trace.PushS3 calls s3.S3.PutObject, which eventually calls http.Transport.CloseIdleConnections
Error:       #6: pkg/trace/fileserver.go:219:26: trace.PushS3 calls s3.S3.PutObject, which eventually calls http.Transport.RoundTrip

Your code is affected by 1 vulnerability from the Go standard library.
This scan also found 1 vulnerability in packages you import and 1 vulnerability

Acceptance Criteria

  • Bump go version to go1.22.5 in the main branch (and v0.34.x-celestia).
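As an added example (not part of this issue or of the celestia-core repository), the following Go program turns the acceptance criterion above into a check a CI job could run: it parses Go toolchain version strings, compares them against the minimum fixed toolchain that this issue states for GO-2024-2963 (go1.22.5), and reads the effective version from a go.mod's `go` / `toolchain` directives. The `fixedIn` table, the `SampleGoMod` text and every function name here are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strconv"
	"strings"
	"unicode"
)

// GoVersion is the numeric form of a toolchain version such as "go1.22.5".
// Pre marks release candidates and betas ("go1.23rc1"), which sort before
// the final release of the same major.minor.
type GoVersion struct {
	Major, Minor, Patch int
	Pre                 bool
}

// fixedIn maps a Go vulnerability ID to the minimum fixed toolchain.
// Constructed table: the only entry is the version this issue names.
var fixedIn = map[string]string{
	"GO-2024-2963": "go1.22.5",
}

// SampleGoMod is a constructed go.mod that still pins the vulnerable line.
const SampleGoMod = `module example.com/constructed

go 1.22.4
`

// ParseGoVersion accepts "go1.22.5", "1.22.5", "1.22" and "go1.23rc1".
func ParseGoVersion(s string) (GoVersion, error) {
	var v GoVersion
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	if i := strings.IndexFunc(s, unicode.IsLetter); i >= 0 {
		v.Pre = true // "1.23rc1" -> prerelease of 1.23
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised go version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unrecognised go version %q", s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Less reports whether v is an older toolchain than o.
func (v GoVersion) Less(o GoVersion) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	if v.Patch != o.Patch {
		return v.Patch < o.Patch
	}
	return v.Pre && !o.Pre
}

// CheckToolchain reports whether the given toolchain version already carries
// the fix for the advisory, according to the fixedIn table.
func CheckToolchain(toolchain, advisory string) (bool, error) {
	fixed, ok := fixedIn[advisory]
	if !ok {
		return false, fmt.Errorf("no fixed version recorded for %s", advisory)
	}
	have, err := ParseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	want, err := ParseGoVersion(fixed)
	if err != nil {
		return false, err
	}
	return !have.Less(want), nil
}

// EffectiveGoModVersion returns the toolchain directive if present, otherwise
// the go directive, mirroring which version the go command will select.
func EffectiveGoModVersion(gomod string) (string, error) {
	var goLine, toolchain string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 { // skips comments, module lines and require blocks
			continue
		}
		switch f[0] {
		case "go":
			goLine = f[1]
		case "toolchain":
			toolchain = f[1]
		}
	}
	if toolchain != "" {
		return toolchain, nil
	}
	if goLine != "" {
		return goLine, nil
	}
	return "", errors.New("go.mod has no go directive")
}

func main() {
	for _, ver := range []string{runtime.Version(), "go1.22.4", "go1.22.5"} {
		ok, err := CheckToolchain(ver, "GO-2024-2963")
		fmt.Printf("%-14s fixed for GO-2024-2963: %v (err=%v)\n", ver, ok, err)
	}
	eff, err := EffectiveGoModVersion(SampleGoMod)
	if err != nil {
		fmt.Println("go.mod:", err)
		return
	}
	ok, _ := CheckToolchain(eff, "GO-2024-2963")
	fmt.Printf("go.mod effective version %s fixed: %v\n", eff, ok)
}
```

Running this against the constructed go.mod reports go1.22.4 as still vulnerable; bumping the directive to 1.22.5 (or adding `toolchain go1.22.5`) flips the result, which is exactly the change this issue asks for. The check complements govulncheck rather than replacing it, since govulncheck also sees the vulnerable call paths listed in the log above.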
@staheri14 staheri14 changed the title Bumping go version to 1.22.5 in the main branch Bumping go version to 1.22.5 Jul 27, 2024
mergify bot pushed a commit that referenced this issue Jul 29, 2024
Closes #1433

(cherry picked from commit f03f8ec)

# Conflicts:
#	.github/workflows/check-generated.yml
#	.github/workflows/coverage.yml
#	.github/workflows/e2e-manual.yml
#	.github/workflows/e2e-nightly-34x.yml
#	.github/workflows/e2e.yml
#	.github/workflows/fuzz-nightly.yml
#	.github/workflows/govulncheck.yml
#	.github/workflows/pre-release.yml
#	.github/workflows/release-version.yml
#	.github/workflows/release.yml
#	.github/workflows/tests.yml