Backport of [NET-6650] Bump go version to 1.20.12 into release/1.2.x (#…

…3320) backport of commit 2e6715f Co-authored-by: Ronald Ekambi <[email protected]>
hashicorp · Dec 7, 2023 · 2964d02 · 2964d02
1 parent 318e6b4
commit 2964d02
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/.changelog/3312.txt b/.changelog/3312.txt
@@ -0,0 +1,7 @@
+```release-note:security
+Upgrade to use Go 1.20.12. This resolves CVEs
+[CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283): (`path/filepath`) recognize \??\ as a Root Local Device path prefix (Windows)
+[CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): recognize device names with trailing spaces and superscripts (Windows)
+[CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326): (`net/http`) limit chunked data overhead
+[CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): (`cmd/go`) go get may unexpectedly fallback to insecure git 
+```
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.20.10
+1.20.12
diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile
@@ -16,7 +16,7 @@
 
 # go-discover builds the discover binary (which we don't currently publish
 # either).
-FROM golang:1.19.2-alpine as go-discover
+FROM golang:1.20.12-alpine as go-discover
 RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f
 
 # dev copies the binary from a local build