From 183d0f2be70048feb486486c920870bf31679395 Mon Sep 17 00:00:00 2001 From: Feng-msft Date: Mon, 17 Apr 2023 14:47:42 +0800 Subject: [PATCH] Update golang version for telemetry build in sonic-slave-buster to fix CVE-2021-33195 (#14637) Update golang version for telemetry build in sonic-slave-buster to fix https://security-tracker.debian.org/tracker/CVE-2021-33195, this PR will be merged into 202012 branch finally. #### Why I did it Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Now in 201911 and 202012 branch we're using 1.14.2 ##### Work item tracking - Microsoft ADO **(number only)**:17727291 #### How I did it Bump golang version into 1.15.15 which contains corresponding fix. #### How to verify it unit test to do sanity check. --- sonic-slave-buster/Dockerfile.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index 78a777946e..de098fa72c 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -465,7 +465,7 @@ RUN apt-get install -y kernel-wedge {%- endif %} # For gobgp and telemetry build -RUN export VERSION=1.14.2 \ +RUN export VERSION=1.15.15 \ {%- if CONFIGURED_ARCH == "armhf" and CROSS_BUILD_ENVIRON != "y" %} && wget https://storage.googleapis.com/golang/go$VERSION.linux-armv6l.tar.gz \ && tar -C /usr/local -xzf go$VERSION.linux-armv6l.tar.gz \
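Review bot: the version bump is the right fix for the stated CVE, but the unchanged context right after `+RUN export VERSION=1.15.15 \` still installs the toolchain with no integrity check: `&& wget https://storage.googleapis.com/golang/go$VERSION.linux-armv6l.tar.gz \` is followed directly by `&& tar -C /usr/local -xzf go$VERSION.linux-armv6l.tar.gz \`, so a change made to pull in a security fix depends entirely on the download transport and on that bucket serving the expected bytes. Suggest pairing VERSION with the published SHA256 of each go1.15.15 tarball and verifying before extraction, e.g. `&& echo "<sha256>  go$VERSION.linux-armv6l.tar.gz" | sha256sum -c - \`, with one digest per architecture since the `{%- if CONFIGURED_ARCH == "armhf" ... %}` guard implies further arch-specific branches below this hunk. Two smaller points: a short comment above the `RUN export VERSION=1.15.15 \` line naming CVE-2021-33195 (and that the fix landed in 1.15.13) would stop a later change from pinning back to 1.14.2 without noticing why it was raised, and the "How to verify it" section should state the concrete check (for example that `go version` inside the built slave image reports go1.15.15 for every supported arch) rather than "unit test to do sanity check".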