From 034574f439309ee68f224e14ef1f5a53d10fcfe1 Mon Sep 17 00:00:00 2001
From: Chun-Hung Tseng <henrybear327@gmail.com>
Date: Thu, 4 Apr 2024 09:49:01 +0200
Subject: [PATCH] Bump go toolchain version to address CVE-2023-45288

Changes:
- Bump release-3.6 toolchain version to 1.22.2 due to CVE-2023-45288
- Bump golang.org/x/net to v0.23.0
- Update CHANGELOG-3.4, CHANGELOG-3.5, and CHANGELOG-3.6
- Bump go version in rw-heatmaps (which was still at 1.21 where
everything else is at 1.22)

Reference:
- PR #17703

Signed-off-by: Chun-Hung Tseng <henrybear327@gmail.com>
---
 .go-version                | 2 +-
 CHANGELOG/CHANGELOG-3.4.md | 3 +++
 CHANGELOG/CHANGELOG-3.5.md | 3 +++
 CHANGELOG/CHANGELOG-3.6.md | 4 ++--
 go.mod                     | 4 ++--
 go.sum                     | 4 ++--
 tools/rw-heatmaps/go.mod   | 2 +-
 7 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.go-version b/.go-version
index 6245beecd..6fee2fedb 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.22.1
+1.22.2
diff --git a/CHANGELOG/CHANGELOG-3.4.md b/CHANGELOG/CHANGELOG-3.4.md
index b3680fed9..68ad501bf 100644
--- a/CHANGELOG/CHANGELOG-3.4.md
+++ b/CHANGELOG/CHANGELOG-3.4.md
@@ -9,6 +9,9 @@ Previous change logs can be found at [CHANGELOG-3.3](https://github.com/etcd-io/
 ### Package `clientv3`
 - Add [requests retry when receiving ErrGPRCNotSupportedForLearner and endpoints > 1](https://github.com/etcd-io/etcd/pull/17692).
 
+### Dependencies
+- Compile binaries using [go 1.21.9](https://github.com/etcd-io/etcd/pull/17709).
+
 <hr>
 
 ## v3.4.31 (2024-03-21)
diff --git a/CHANGELOG/CHANGELOG-3.5.md b/CHANGELOG/CHANGELOG-3.5.md
index fdebea038..884809224 100644
--- a/CHANGELOG/CHANGELOG-3.5.md
+++ b/CHANGELOG/CHANGELOG-3.5.md
@@ -9,6 +9,9 @@ Previous change logs can be found at [CHANGELOG-3.4](https://github.com/etcd-io/
 ### Package `clientv3`
 - Add [requests retry when receiving ErrGPRCNotSupportedForLearner and endpoints > 1](https://github.com/etcd-io/etcd/pull/17641).
 
+### Dependencies
+- Compile binaries using [go 1.21.9](https://github.com/etcd-io/etcd/pull/17708).
+
 <hr>
 
 ## v3.5.13 (2024-03-29)
diff --git a/CHANGELOG/CHANGELOG-3.6.md b/CHANGELOG/CHANGELOG-3.6.md
index 08924e1cd..36df7a9b6 100644
--- a/CHANGELOG/CHANGELOG-3.6.md
+++ b/CHANGELOG/CHANGELOG-3.6.md
@@ -93,8 +93,8 @@ See [List of metrics](https://etcd.io/docs/latest/metrics/) for all metrics per
 - Add [`etcd_debugging_server_alarms`](https://github.com/etcd-io/etcd/pull/14276).
 
 ### Go
-- Require [Go 1.21+](https://github.com/etcd-io/etcd/pull/16594).
-- Compile with [Go 1.21+](https://go.dev/doc/devel/release#go1.21.minor). Please refer to [gc-guide](https://go.dev/doc/gc-guide) to configure `GOGC` and `GOMEMLIMIT` properly. 
+- Require [Go 1.22+](https://github.com/etcd-io/etcd/pull/16594).
+- Compile with [Go 1.22+](https://go.dev/doc/devel/release#go1.21.minor). Please refer to [gc-guide](https://go.dev/doc/gc-guide) to configure `GOGC` and `GOMEMLIMIT` properly. 
 
 ### Other
 
diff --git a/go.mod b/go.mod
index 781cca6b0..04962f60b 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module go.etcd.io/etcd/v3
 
 go 1.22
 
-toolchain go1.22.1
+toolchain go1.22.2
 
 replace (
 	go.etcd.io/etcd/api/v3 => ./api
@@ -88,7 +88,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
diff --git a/go.sum b/go.sum
index dfced08ae..d821bc210 100644
--- a/go.sum
+++ b/go.sum
@@ -183,8 +183,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/tools/rw-heatmaps/go.mod b/tools/rw-heatmaps/go.mod
index 1fad2f55c..db64003f8 100644
--- a/tools/rw-heatmaps/go.mod
+++ b/tools/rw-heatmaps/go.mod
@@ -1,6 +1,6 @@
 module go.etcd.io/etcd/tools/rw-heatmaps/v3
 
-go 1.21
+go 1.22
 
 require (
 	github.com/spf13/cobra v1.8.0