Bump Go to 1.22 and refresh dependencies for CVE-2023-39325#29
Merged
Updates the `go` directive in go.mod from 1.19 (EOL since August 2023) to 1.22 so the shipped binary is built against a supported toolchain. Refreshes module dependencies to pull `golang.org/x/net` past v0.17.0, which fixes CVE-2023-39325 / GHSA-4374-p667-p6c8 (HTTP/2 Rapid Reset). The connectivity tool uses `net/http` against user-supplied HTTPS destinations, so this CVE made it possible for a hostile endpoint to DoS the client process.

- go directive: 1.19 -> 1.22
- golang.org/x/net: v0.8.0 -> v0.35.0 (fixes CVE-2023-39325)
- golang.org/x/sys: v0.6.0 -> v0.30.0
- golang.org/x/sync: v0.1.0 -> v0.11.0
- github.com/google/uuid: v1.3.0 -> v1.6.0
- github.com/prometheus-community/pro-bing: v0.1.0 -> v0.6.1

Versions pinned to the highest releases that still target `go 1.22`; newer x/net/x/sys/pro-bing releases require Go 1.23+ and would force another toolchain bump. gopacket is left at v1.1.19 — the project moved to gopacket/gopacket and migrating is out of scope here.

Fixes #13

https://claude.ai/code/session_01WjHPSobuzrRkjwUgjAJWMk
Summary

- `go` directive in `go.mod`: `1.19` (EOL since August 2023) -> `1.22`, so the binary shipped by `.github/workflows/release.yml` is built against a supported toolchain.
- `golang.org/x/net`: `v0.8.0` -> `v0.35.0`, fixing CVE-2023-39325 / GHSA-4374-p667-p6c8 (HTTP/2 Rapid Reset). The connectivity tool calls `net/http` against user-supplied HTTPS destinations, so the unpatched dep allowed a malicious endpoint to DoS the client process.
- Other dependencies refreshed: `x/sys`, `x/sync`, `uuid`, `pro-bing`.

Dependency changes

- `go` directive: `1.19` -> `1.22`
- `golang.org/x/net`: `v0.8.0` -> `v0.35.0` (>= v0.17.0 CVE fix)
- `golang.org/x/sys`: `v0.6.0` -> `v0.30.0`
- `golang.org/x/sync`: `v0.1.0` -> `v0.11.0`
- `github.com/google/uuid`: `v1.3.0` -> `v1.6.0`
- `github.com/prometheus-community/pro-bing`: `v0.1.0` -> `v0.6.1`
- `github.com/google/gopacket`: `v1.1.19` (unchanged)

Versions were pinned to the highest releases that still target `go 1.22`. Newer `x/net` (v0.36+), `x/sys` (v0.31+), and `pro-bing` (v0.7+) releases require `go 1.23+`, which would force another toolchain bump and is out of scope here. `gopacket` is left at `v1.1.19` because upstream maintenance moved to `gopacket/gopacket` and that migration would require code changes — out of scope for this PR (tracked separately).

CI changes (e.g. `govulncheck`) are intentionally not included in this PR; that's tracked as a separate medium-priority issue.

Test Plan

- `go vet ./...` passes
- `go build ./...` passes
- `go test -race ./...` — unit tests pass; the three `TestRouteToLoopback*` tests in `router_test.go` fail in the sandbox because the runner has no loopback route (it routes `127.0.0.0/8` over `eth0` with source `192.0.2.2`). These failures are environmental and unrelated to the dep bump; `TestRouteToPublic`, `TestLookupLoopbackIp`, `TestLookupPublicIp`, `TestLookupExample`, and `TestLookupInvalidHostname` all pass. CI should run on a runner with a normal loopback interface.
- `go.sum` shows `golang.org/x/net v0.35.0` (well above the `v0.17.0` CVE fix threshold).

Fixes #13
https://claude.ai/code/session_01WjHPSobuzrRkjwUgjAJWMk
Generated by Claude Code
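The test plan's threshold check (x/net at or above the v0.17.0 fix for CVE-2023-39325, and a `go` directive of at least 1.22) as an added Go example; this is not code from the PR or the project. It parses a constructed go.mod excerpt whose module path is an assumption, and treats pseudo-versions as below every tagged release.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt modelled on the post-bump state; the module path is assumed.
const sampleGoMod = `module example.com/connectivity
go 1.22
require (
	golang.org/x/net v0.35.0
)
`

// versionKey maps "v0.17.0" or "1.22" to one comparable integer (each component < 1000);
// a pseudo-version such as v0.0.0-20230101-abcdef therefore compares as 0.0.0.
func versionKey(v string) (int, bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-") // drop pre-release/pseudo suffix
	parts := strings.Split(strings.TrimSuffix(v, "+incompatible"), ".")
	for len(parts) < 3 {
		parts = append(parts, "0") // "1.22" compares as 1.22.0
	}
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, len(parts) == 3
}

// directives maps "go" and every required module path to its version string.
func directives(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require ")) // single-line form
		if len(f) >= 2 && (f[0] == "go" || strings.HasPrefix(f[1], "v")) {
			out[f[0]] = f[1]
		}
	}
	return out
}

// MeetsFixThreshold reports whether key is pinned at or above minVersion, e.g. ("golang.org/x/net", "v0.17.0") for CVE-2023-39325 or ("go", "1.22"); a missing key fails.
func MeetsFixThreshold(gomod, key, minVersion string) bool {
	have, ok1 := versionKey(directives(gomod)[key])
	want, ok2 := versionKey(minVersion)
	return ok1 && ok2 && have >= want
}
```

Run the check in CI against the repository's real go.mod to fail the build if a future downgrade pulls x/net back below the fix release.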