From 70343357180dc165f728645846cf9c5c4bf2dad9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Fri, 5 Apr 2024 11:55:19 -0300
Subject: [PATCH 1/2] - Updated to Go 1.21.9 to address CVE-2023-45288 (#5043)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
- Bump to v1.9.4
- Update CHANGELOG
Signed-off-by: Agustín Martínez Fayó
---
 .github/workflows/pr_build.yaml | 2 +-
 .github/workflows/release_build.yaml | 2 +-
 .go-version | 2 +-
 CHANGELOG.md | 14 +++++++++
 pkg/common/version/version.go | 2 +-
 pkg/server/datastore/sqlstore/migration.go | 4 +++
 pkg/server/datastore/sqlstore/sqlstore.go | 32 ++++++++++----------
 test/integration/suites/upgrade/versions.txt | 2 ++
 8 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
index f6a29a1180..a388d55955 100644
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@@ -6,7 +6,7 @@ on:
 types:
 - checks_requested
 env:
- GO_VERSION: 1.22.1
+ GO_VERSION: 1.22.2
 permissions:
 contents: read
diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
index 4cf8575ca4..eab945af7c 100644
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@@ -4,7 +4,7 @@ on:
 tags:
 - 'v[0-9].[0-9]+.[0-9]+'
 env:
- GO_VERSION: 1.22.1
+ GO_VERSION: 1.22.2
 jobs:
 cache-deps:
 name: cache-deps (linux)
diff --git a/.go-version b/.go-version
index 6245beecd3..6fee2fedb0 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.22.1
+1.22.2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d18c7940b8..5af74028ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.9.2] - 2024-03-25
 ### Added
@@ -52,6 +59,13 @@
 - X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.8.8] - 2024-03-05
 ### Security
diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go
index d00f272fff..5ce27045c5 100644
--- a/pkg/common/version/version.go
+++ b/pkg/common/version/version.go
@@ -8,7 +8,7 @@ const (
 // IMPORTANT: When updating, make sure to reconcile the versions list that
 // is part of the upgrade integration test. See
 // test/integration/suites/upgrade/README.md for details.
- Base = "1.9.3"
+ Base = "1.9.4"
 )
 var (
diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go
index 2b2b2f5462..a2fe473ff0 100644
--- a/pkg/server/datastore/sqlstore/migration.go
+++ b/pkg/server/datastore/sqlstore/migration.go
@@ -216,12 +216,16 @@ import (
 // | v1.8.7 | | |
 // |---------| | |
 // | v1.8.8 | | |
+// |---------| | |
+// | v1.8.9 | | |
 // |*********|********|***************************************************************************|
 // | v1.9.0 | | |
 // |---------| | |
 // | v1.9.1 | | |
 // |---------| | |
 // | v1.9.2 | | |
+// |---------| | |
+// | v1.9.3 | | |
 // ================================================================================================
 const (
diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
index 096a59717d..ed98337554 100644
--- a/pkg/server/datastore/sqlstore/sqlstore.go
+++ b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -64,6 +64,9 @@ const (
 // PostgreSQL database type provided by an AWS service
 AWSPostgreSQL = "aws_postgres"
+
+ // Maximum size for preallocation in a paginated request
+ maxResultPreallocation = 1000
 )
 // Configuration for the sql datastore implementation.
@@ -1746,13 +1749,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
 }
 defer rows.Close()
- var nodes []*common.AttestedNode
- if req.Pagination != nil {
- nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
- } else {
- nodes = make([]*common.AttestedNode, 0, 64)
- }
-
+ nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
 pushNode := func(node *common.AttestedNode) {
 if node != nil && node.SpiffeId != "" {
 nodes = append(nodes, node)
@@ -2803,15 +2800,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
 return nil, sqlError.Wrap(err)
 }
 defer rows.Close()
- var entries []*common.RegistrationEntry
- if req.Pagination != nil {
- entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
- } else {
- // start the slice off with a little capacity to avoid the first few
- // reallocations
- entries = make([]*common.RegistrationEntry, 0, 64)
- }
-
+ entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
 pushEntry := func(entry *common.RegistrationEntry) {
 // Due to previous bugs (i.e. #1191), there can be cruft rows related
 // to a deleted registration entries that are fetched with the list
@@ -4783,3 +4772,14 @@ func isPostgresDbType(dbType string) bool {
 func isSQLiteDbType(dbType string) bool {
 return dbType == SQLite
 }
+
+func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
+ switch {
+ case pagination == nil:
+ return 64
+ case pagination.PageSize < maxResultPreallocation:
+ return pagination.PageSize
+ default:
+ return maxResultPreallocation
+ }
+}
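Review bot: calculateResultPreallocation in the last hunk does not handle a non-positive PageSize: a negative value satisfies the `pagination.PageSize < maxResultPreallocation` case and is passed straight to make() as the capacity, which panics at runtime; the removed inline code had the same gap, and since this helper now exists specifically to bound an allocation driven by a client-supplied value, it is the natural place to make it total. If the API layer already rejects PageSize <= 0 before reaching the datastore (not visible here) this is only defensive, but the cost is one line: `case pagination == nil || pagination.PageSize <= 0:` returning 64. The helper also lost the explanatory comment the removed code carried, so the 64 is now an unexplained constant; add a doc comment such as `// calculateResultPreallocation returns the initial capacity for a list result: a small default when the request is unpaginated, otherwise the page size capped at maxResultPreallocation so a client-chosen PageSize cannot force a large upfront allocation.` Note that the cap bounds only the initial capacity; the slice still grows with whatever the query returns, so the page limit applied to the query itself (outside these hunks) remains the real bound.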
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt
index 926c682ab9..61b61456d9 100644
--- a/test/integration/suites/upgrade/versions.txt
+++ b/test/integration/suites/upgrade/versions.txt
@@ -7,6 +7,8 @@
 1.8.6
 1.8.7
 1.8.8
+1.8.9
 1.9.0
 1.9.1
 1.9.2
+1.9.3
From fb50a1a52c145469bbc9d74d35e737950d73853d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 5 Apr 2024 14:27:25 -0300
Subject: [PATCH 2/2] Bump github.com/docker/docker from 25.0.4+incompatible to 26.0.0+incompatible (#5008)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Bump github.com/docker/docker
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 25.0.4+incompatible to 26.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v25.0.4...v26.0.0)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
* Update the expected API version to 1.45
Signed-off-by: Agustín Martínez Fayó
---------
Signed-off-by: dependabot[bot]
Signed-off-by: Agustín Martínez Fayó
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Agustín Martínez Fayó
---
 go.mod | 3 ++-
 go.sum | 6 ++++--
 pkg/agent/plugin/workloadattestor/docker/docker_test.go | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 224e1d5164..35ae269389 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 github.com/aws/smithy-go v1.20.1
 github.com/blang/semver/v4 v4.0.0
 github.com/cenkalti/backoff/v4 v4.3.0
- github.com/docker/docker v25.0.4+incompatible
+ github.com/docker/docker v26.0.0+incompatible
 github.com/envoyproxy/go-control-plane v0.12.0
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
 github.com/go-jose/go-jose/v3 v3.0.3
@@ -254,6 +254,7 @@ require (
 github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
+ github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
diff --git a/go.sum b/go.sum
index 8a1b56066c..10fb956aa1 100644
--- a/go.sum
+++ b/go.sum
@@ -714,8 +714,8 @@ github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1x
 github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v25.0.4+incompatible h1:XITZTrq+52tZyZxUOtFIahUf3aH367FLxJzt9vZeAF8=
-github.com/docker/docker v25.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -1207,6 +1207,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
diff --git a/pkg/agent/plugin/workloadattestor/docker/docker_test.go b/pkg/agent/plugin/workloadattestor/docker/docker_test.go
index def003a521..a3055ac45b 100644
--- a/pkg/agent/plugin/workloadattestor/docker/docker_test.go
+++ b/pkg/agent/plugin/workloadattestor/docker/docker_test.go
@@ -194,7 +194,7 @@ func TestDockerConfigDefault(t *testing.T) {
 require.NotNil(t, p.docker)
 require.Equal(t, dockerclient.DefaultDockerHost, p.docker.(*dockerclient.Client).DaemonHost())
- require.Equal(t, "1.44", p.docker.(*dockerclient.Client).ClientVersion())
+ require.Equal(t, "1.45", p.docker.(*dockerclient.Client).ClientVersion())
 verifyConfigDefault(t, p.c)
 }