Update golang version for telemetry build in sonic-slave-buster to fix CVE-2021-33195 (sonic-net#14637)

Update golang version for telemetry build in sonic-slave-buster to fix https://security-tracker.debian.org/tracker/CVE-2021-33195. This PR will be merged into the 202012 branch finally.

#### Why I did it
Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. Now in the 201911 and 202012 branches we're using 1.14.2.

##### Work item tracking
- Microsoft ADO **(number only)**: 17727291

#### How I did it
Bump golang version to 1.15.15, which contains the corresponding fix.

#### How to verify it
Unit test to do sanity check.
FengPan-Frank authored and pull[bot] committed Nov 6, 2024
1 parent 9ef6fb1 commit e1f983a
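
The affected ranges named in the commit message (Go before 1.15.13, and 1.16.x before 1.16.5) can be turned into a build-time gate on the toolchain version. This is an added example, not code from the SONiC repository; the function name `go_cve_2021_33195_fixed` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the SONiC repository).
# go_cve_2021_33195_fixed VERSION
#   returns 0 if VERSION is outside the affected ranges quoted in the commit
#   message (before 1.15.13, and 1.16.x before 1.16.5),
#   returns 1 if VERSION is affected, 2 if VERSION cannot be parsed.
# Function name and return codes are assumptions made for this example.
go_cve_2021_33195_fixed() {
    v=${1#go}                         # accept "go1.15.15" as well as "1.15.15"
    case $v in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}            # leading digits of the second component
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    case $rest in
        "$minor".*) patch=${rest#"$minor".}; patch=${patch%%[!0-9]*} ;;
        *) patch=0 ;;                 # "1.16" or "1.16rc1": treat as patch 0
    esac
    [ -n "$patch" ] || patch=0
    [ "$major" -ge 1 ] || return 2
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$minor" -ge 17 ]; then return 0; fi
    if [ "$minor" -eq 16 ] && [ "$patch" -ge 5 ]; then return 0; fi
    if [ "$minor" -eq 15 ] && [ "$patch" -ge 13 ]; then return 0; fi
    return 1
}

# Optional command-line use: pass a version string as the first argument.
if [ "$#" -gt 0 ]; then
    if go_cve_2021_33195_fixed "$1"; then
        echo "go $1: outside the affected ranges"
    else
        echo "go $1: affected or unparsable" >&2
        exit 1
    fi
fi
```

Inside a built image, the third field of `go version` output (for example `go1.15.15`) can be passed as the argument.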
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion sonic-slave-buster/Dockerfile.j2
@@ -465,7 +465,7 @@ RUN apt-get install -y kernel-wedge
{%- endif %}

# For gobgp and telemetry build
RUN export VERSION=1.14.2 \
RUN export VERSION=1.15.15 \
{%- if CONFIGURED_ARCH == "armhf" and CROSS_BUILD_ENVIRON != "y" %}
&& wget https://storage.googleapis.com/golang/go$VERSION.linux-armv6l.tar.gz \
&& tar -C /usr/local -xzf go$VERSION.linux-armv6l.tar.gz \
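Review bot: In the visible armhf branch, the tarball selected by the new `VERSION=1.15.15` is fetched with `wget` and unpacked straight into `/usr/local` by `tar -C /usr/local -xzf`, with no integrity check between the two commands. Since this line now pulls a different artifact into the build image, consider pinning the expected SHA-256 of the tarball and verifying it before extraction. Also, the comment above the changed line says this toolchain is "For gobgp and telemetry build", while the commit message only discusses telemetry, so it is worth confirming that gobgp still builds with 1.15.15.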