Bump Go from 1.23.1 to 1.24.4
This fixes four security issues:

Vulnerability #1: GO-2025-3751
    Sensitive headers not cleared on cross-origin redirect in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3751
  Standard library
    Found in: net/http@go1.23.5
    Fixed in: net/http@go1.23.10
    Example traces found:
      #1: pkg/api/openapi_client.gen.go:1212:20: api.Client.TaskOutputProducedWithBody calls http.Client.Do
      #2: pkg/api/openapi_spec.gen.go:318:36: api.GetSwagger calls openapi3.Loader.LoadFromData, which eventually calls http.Get

Vulnerability #2: GO-2025-3750
    Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
  More info: https://pkg.go.dev/vuln/GO-2025-3750
  Standard library
    Found in: os@go1.23.5
    Fixed in: os@go1.23.10
    Platforms: windows
    Example traces found:
      #1: internal/manager/last_rendered/image_processing.go:54:24: last_rendered.saveJPEG calls os.Create
      #2: internal/manager/api_impl/meta.go:144:28: api_impl.Flamenco.CheckSharedStoragePath calls os.CreateTemp
      #3: internal/manager/job_compilers/scripts.go:54:31: job_compilers.loadScriptsFrom calls fs.ReadDir, which calls os.File.ReadDir
      #4: pkg/shaman/filestore/testing.go:107:25: filestore.LinkTestFileStore calls filepath.Walk, which eventually calls os.File.Readdirnames
      #5: internal/manager/local_storage/local_storage.go:116:22: local_storage.getSuitableStorageRoot calls os.Getwd
      #6: pkg/shaman/filestore/testing.go:107:25: filestore.LinkTestFileStore calls filepath.Walk, which calls os.Lstat
      #7: pkg/shaman/checkout/manager.go:274:24: checkout.Manager.SymlinkToCheckout calls os.MkdirAll
      #8: pkg/shaman/filestore/testing.go:38:30: filestore.CreateTestStore calls os.MkdirTemp
      #9: pkg/shaman/touch/touch.go:26:2: touch.init calls os.init, which calls os.NewFile
      #10: internal/manager/task_logs/task_logs.go:183:22: task_logs.Storage.Tail calls os.Open
      #11: internal/manager/config/config.go:662:23: config.Conf.Write calls os.OpenFile
      #12: cmd/blender-runner/blender-runner.go:43:35: blender.main calls exec.Cmd.StderrPipe, which calls os.Pipe
      #13: internal/manager/job_compilers/scripts.go:54:31: job_compilers.loadScriptsFrom calls fs.ReadDir, which eventually calls os.ReadDir
      #14: internal/manager/config/config.go:199:30: config.loadConf calls os.ReadFile
      #15: pkg/shaman/checkout/manager.go:196:11: checkout.Manager.EraseCheckout calls os.Remove
      #16: pkg/shaman/checkout/manager.go:189:24: checkout.Manager.EraseCheckout calls os.RemoveAll
      #17: internal/manager/config/config.go:647:21: config.Conf.Overwrite calls os.Rename
      #18: cmd/blender-runner/blender-runner.go:52:21: blender.main calls exec.Cmd.Start, which calls os.StartProcess
      #19: pkg/shaman/checkout/manager.go:175:18: checkout.Manager.EraseCheckout calls os.Stat
      #20: pkg/shaman/checkout/manager.go:244:18: checkout.Manager.SymlinkToCheckout calls os.Symlink
      #21: cmd/sqlc-export-schema/main.go:87:24: sqlc.saveSchema calls os.WriteFile
      #22: web/web_app.go:55:24: web.FSWrapper.Open calls echo.defaultFS.Open, which calls os.dirFS.Open
      #23: internal/manager/job_compilers/scripts.go:54:31: job_compilers.loadScriptsFrom calls fs.ReadDir, which calls os.dirFS.ReadDir
      #24: internal/manager/config/config.go:662:23: config.Conf.Write calls os.OpenFile, which eventually calls syscall.Open

Vulnerability #3: GO-2025-3563
    Request smuggling due to acceptance of invalid chunked data in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-3563
  Standard library
    Found in: net/http/internal@go1.23.5
    Fixed in: net/http/internal@go1.23.8
    Example traces found:
      #1: pkg/shaman/hasher/copier.go:51:21: hasher.Copy calls http.body.Read, which eventually calls internal.chunkedReader.Read

Vulnerability #4: GO-2025-3447
    Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
  More info: https://pkg.go.dev/vuln/GO-2025-3447
  Standard library
    Found in: crypto/internal/nistec@go1.23.5
    Fixed in: crypto/internal/nistec@go1.23.6
    Platforms: ppc64le
    Example traces found:
      #1: internal/manager/config/config.go:666:13: config.Conf.Write calls fmt.Fprintf, which eventually calls nistec.P256Point.ScalarBaseMult
      #2: internal/manager/config/config.go:666:13: config.Conf.Write calls fmt.Fprintf, which eventually calls nistec.P256Point.ScalarMult
      #3: internal/manager/config/config.go:666:13: config.Conf.Write calls fmt.Fprintf, which eventually calls nistec.P256Point.SetBytes
parent 0315f15277
commit 8813538c31