chore: updates to go1.22.1 (#1260)

In order to fix the go vulnerabilities that are fixed in the new patch: ``` Vulnerability #1: GO-2024-2610 Errors returned from JSON marshaling may break template escaping in html/template More info: https://pkg.go.dev/vuln/GO-2024-2610 Standard library Found in: html/[email protected] Fixed in: html/[email protected] Example traces found: #1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute #2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate Vulnerability #2: GO-2024-2600 Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http More info: https://pkg.go.dev/vuln/GO-2024-2600 Standard library Found in: net/[email protected] Fixed in: net/[email protected] Example traces found: #1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get #3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get Vulnerability #3: GO-2024-2599 Memory exhaustion in multipart form parsing in net/textproto and net/http More info: https://pkg.go.dev/vuln/GO-2024-2599 Standard library Found in: net/[email protected] Fixed in: net/[email protected] Example traces found: #1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadLine #2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader Vulnerability #4: GO-2024-2598 Verify panics on certificates with an unknown public key algorithm in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2024-2598 Standard library Found in: crypto/[email protected] Fixed in: crypto/[email protected] Example traces found: #1: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Your code is affected by 4 vulnerabilities from the Go standard library. ```
celestiaorg · Mar 11, 2024 · 10325da · 10325da
1 parent f781694
commit 10325da
Show file tree

Hide file tree

Showing 17 changed files with 20 additions and 20 deletions.
diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml
@@ -43,7 +43,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
       - name: Create a file with all the pkgs
         run: go list ./... > pkgs.txt
       - name: Split pkgs into 4 files
@@ -48,7 +48,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
       - uses: actions/checkout@v3
       - uses: technote-space/get-diff-action@v6
         with:
@@ -70,7 +70,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
       - uses: actions/checkout@v3
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       - uses: actions/checkout@v3
 

diff --git a/.github/workflows/e2e-nightly-34x.yml b/.github/workflows/e2e-nightly-34x.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -14,7 +14,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
       - uses: actions/checkout@v3
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/.github/workflows/fuzz-nightly.yml b/.github/workflows/fuzz-nightly.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       - uses: actions/checkout@v3
 

diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
       - uses: actions/checkout@v3
       - uses: technote-space/get-diff-action@v6
         with:

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -18,7 +18,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       # Similar check to ./release-version.yml, but enforces this when pushing
       # tags. The ./release-version.yml check can be bypassed and is mainly

diff --git a/.github/workflows/release-version.yml b/.github/workflows/release-version.yml
@@ -15,7 +15,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       - name: Check version
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.22.1'
 
       - name: Generate release notes
         run: |

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.22"
+          go-version: "1.22.1"
       - uses: actions/checkout@v3
       - uses: technote-space/get-diff-action@v6
         with:
@@ -58,7 +58,7 @@ jobs:
   #   steps:
   #     - uses: actions/setup-go@v3
   #       with:
-  #         go-version: "1.22"
+  #         go-version: "1.22.1"
   #     - uses: actions/checkout@v3
   #     - uses: technote-space/get-diff-action@v6
   #       with:

diff --git a/DOCKER/Dockerfile b/DOCKER/Dockerfile
@@ -1,6 +1,6 @@
 # Use a build arg to ensure that both stages use the same,
 # hopefully current, go version.
-ARG GOLANG_BASE_IMAGE=golang:1.22-alpine
+ARG GOLANG_BASE_IMAGE=golang:1.22.1-alpine
 
 # stage 1 Generate CometBFT Binary
 FROM --platform=$BUILDPLATFORM $GOLANG_BASE_IMAGE as builder

diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ This repo intends on preserving the minimal possible diff with [cometbft/cometbf
 - **specific to Celestia**: consider if [celestia-app](https://github.com/celestiaorg/celestia-app) is a better target
 - **not specific to Celestia**: consider making the contribution upstream in CometBFT
 
-1. [Install Go](https://go.dev/doc/install) 1.22+
+1. [Install Go](https://go.dev/doc/install) 1.22.1+
 2. Fork this repo
 3. Clone your fork
 4. Find an issue to work on (see [good first issues](https://github.com/celestiaorg/celestia-core/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22))

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/cometbft/cometbft
 
-go 1.22
+go 1.22.1
 
 require (
 	github.com/BurntSushi/toml v1.2.1

diff --git a/scripts/proto-gen.sh b/scripts/proto-gen.sh
@@ -10,7 +10,7 @@ cd "$(git rev-parse --show-toplevel)"
 
 # Run inside Docker to install the correct versions of the required tools
 # without polluting the local system.
-docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22-alpine sh <<"EOF"
+docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22.1-alpine sh <<"EOF"
 apk add git make
 
 go install github.com/bufbuild/buf/cmd/buf

diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.22
+FROM golang:1.22.1
 
 # Grab deps (jq, hexdump, xxd, killall)
 RUN apt-get update && \

diff --git a/test/e2e/docker/Dockerfile b/test/e2e/docker/Dockerfile
@@ -1,7 +1,7 @@
 # We need to build in a Linux environment to support C libraries, e.g. RocksDB.
 # We use Debian instead of Alpine, so that we can use binary database packages
 # instead of spending time compiling them.
-FROM golang:1.22-bullseye
+FROM golang:1.22.1-bullseye
 
 RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null
 RUN apt-get -qq install -y libleveldb-dev librocksdb-dev >/dev/null