mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
dccc21bb69
$ govulncheck ./... govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback. Scanning for dependencies with known vulnerabilities... Found 1 known vulnerability. Vulnerability #1: GO-2022-1144 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Call stacks in your code: tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.ConfigureServer$1 Found in: golang.org/x/net/http2@v0.2.0 Fixed in: golang.org/x/net/http2@v1.19.4 More info: https://pkg.go.dev/vuln/GO-2022-1144 Vulnerability #2: GO-2022-1144 An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Call stacks in your code: contrib/lock/storage/storage.go:106:28: go.etcd.io/etcd/v3/contrib/lock/storage.main calls net/http.ListenAndServe contrib/raftexample/httpapi.go:113:31: go.etcd.io/etcd/v3/contrib/raftexample.serveHTTPKVAPI$1 calls net/http.Server.ListenAndServe tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Serve tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Server.Serve Found in: net/http@go1.19.3 Fixed in: net/http@go1.19.4 More info: https://pkg.go.dev/vuln/GO-2022-1144 Signed-off-by: Benjamin Wang <wachao@vmware.com>
43 lines
1.4 KiB
Docker
43 lines
1.4 KiB
Docker
FROM fedora:35
|
|
|
|
RUN dnf check-update || true \
|
|
&& dnf install --assumeyes \
|
|
git curl wget mercurial meld gcc gcc-c++ which \
|
|
gcc automake autoconf dh-autoreconf libtool libtool-ltdl \
|
|
tar unzip gzip \
|
|
&& dnf check-update || true \
|
|
&& dnf upgrade --assumeyes || true \
|
|
&& dnf autoremove --assumeyes || true \
|
|
&& dnf clean all || true
|
|
|
|
ENV GOROOT /usr/local/go
|
|
ENV GOPATH /go
|
|
ENV PATH ${GOPATH}/bin:${GOROOT}/bin:${PATH}
|
|
ENV GO_VERSION 1.19.4
|
|
ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang
|
|
RUN rm -rf ${GOROOT} \
|
|
&& curl -s ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz | tar -v -C /usr/local/ -xz \
|
|
&& mkdir -p ${GOPATH}/src ${GOPATH}/bin \
|
|
&& go version
|
|
|
|
RUN mkdir -p ${GOPATH}/src/go.etcd.io/etcd
|
|
ADD . ${GOPATH}/src/go.etcd.io/etcd
|
|
ADD ./tests/functional/functional.yaml /functional.yaml
|
|
|
|
RUN go get -v go.etcd.io/gofail \
|
|
&& pushd ${GOPATH}/src/go.etcd.io/etcd \
|
|
&& GO_BUILD_FLAGS="-v" ./scripts/build.sh \
|
|
&& mkdir -p /bin \
|
|
&& cp ./bin/etcd /bin/etcd \
|
|
&& cp ./bin/etcdctl /bin/etcdctl \
|
|
&& GO_BUILD_FLAGS="-v" FAILPOINTS=1 ./scripts/build.sh \
|
|
&& cp ./bin/etcd /bin/etcd-failpoints \
|
|
&& ./tests/functional/build \
|
|
&& cp ./bin/etcd-agent /bin/etcd-agent \
|
|
&& cp ./bin/etcd-proxy /bin/etcd-proxy \
|
|
&& cp ./bin/etcd-runner /bin/etcd-runner \
|
|
&& cp ./bin/etcd-tester /bin/etcd-tester \
|
|
&& go build -v -o /bin/benchmark ./tools/benchmark \
|
|
&& popd \
|
|
&& rm -rf ${GOPATH}/src/go.etcd.io/etcd
|