Dependency update - Golang 1.16.3

[justaugustus]

Tracking info

Link to any previous tracking issue:

Golang mailing list announcement: https://groups.google.com/g/golang-announce/c/wVRzkWSQpO0

SIG Release Slack thread: https://kubernetes.slack.com/archives/C2C40FMNF/p1618545755031100

Work items for go1.16.3

• kube-cross image update: [go1.16] Build go1.16.3 images #2006, kube-cross: Build v1.16.3-canary-2 image #2007

  • image promotion: releng: Promote go1.16.3 images k8s.io#1944

• go-runner image update: [go1.16] Build go1.16.3 images #2006, kube-cross: Build v1.16.3-canary-2 image #2007

  • image promotion: releng: Promote go1.16.3 images k8s.io#1944

• releng-ci image update: [go1.16] Build go1.16.3 images #2006, kube-cross: Build v1.16.3-canary-2 image #2007

  • image promotion: releng: Promote go1.16.3 images k8s.io#1944

After kube-cross image promotion

• kubernetes/kubernetes update (master): [go1.16] Update to go1.16.3 kubernetes#101206

  Ensure the following have been updated within the PR:

  • kube-cross image
  • go-runner image
  • publishing bot rules

After kubernetes/kubernetes has been updated

• k8s-cloud-builder image update: [go1.16] Update kubernetes/kubernetes dependents to use go1.16.3 #2008

• k8s-ci-builder image variants update: [go1.16] Update kubernetes/kubernetes dependents to use go1.16.3 #2008

• kubekins/krte image variants update: kubekins/krte: Build go1.16.3 variants test-infra#21839

Cherry picks

• Kubernetes 1.21: [go1.16] Update to go1.16.3 kubernetes#101209

Follow-up items

• Ensure the Golang issue template is updated with any new requirements
• [ ]

/assign
cc: @kubernetes/release-engineering

[justaugustus]

Update PRs complete.
kubekins-e2e and krte image bumps will get picked up next week in the autobump PR approvals for test-infra.

/close

[k8s-ci-robot]

@justaugustus: Closing this issue.

In response to this:

Update PRs complete.
kubekins-e2e and krte image bumps will get picked up next week in the autobump PR approvals for test-infra.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tao12345666333]

We have just released Go versions 1.16.4 and 1.15.12, minor point releases.

This minor release includes a security fix according to the new security policy (#44918).

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/[email protected].

This is issue #45710 and CVE-2021-31525.

Should we update Golang to 1.16.4? It's a security fix version.

[justaugustus]

Should we update Golang to 1.16.4? It's a security fix version.

Thanks @tao12345666333! Tracking this work here: #2060