The version of golang.org/x/net we used (v0.8.0) is vulnerable to a
rendering issue, potentially escaping text that should not be escaped, which can
then enable other attacks.
Packer itself is not vulnerable to the CVE as we don't render web pages,
but security checks do point it out as an issue, so we fix it by updating
the dependencies.
CVE reference: GO-2023-1988
* Update external plugin documentation source
The Parallels plugin for Packer is now maintained by the Parallels team, under
their respective GitHub org. This change updates the source address for
the external plugin that should be used for pulling new plugin
documentation.
* Removed packer-plugin-parallels from the list of vendored plugins
This step removes community plugins from the Packer binary release. These plugins are being maintained and released independently of Packer and have become out of date. To ensure users are using the latest version of the plugins, they are being removed in favor of the external plugin installation processes.
This change removes a set of plugins that have not been updated in a while. These
plugins have been archived for some time now. Users wishing to continue using these plugins
should use the `packer plugins install` or `packer init` commands to install the external plugin.
* Remove profitbricks plugin
* Remove oneandone plugin
The following plugins have been unmaintained for some time now, and their
upstream cloud provider has consolidated the services. These plugins
will continue to be available to Packer via direct installation using
`packer init` or the `packer plugins install` command. But they will no longer
be bundled with Packer.
The Digital Ocean plugin is now maintained and released by the Digital Ocean team.
To ensure users are downloading the latest available version, the plugin will no longer
be bundled with Packer.
* Update external plugin documentation source
The UCloud plugin for Packer is now maintained by the UCloud team, under
their respective GitHub org. This change updates the source address for
the external plugin that should be used for pulling new plugin
documentation.
* Remove packer-plugin-ucloud from vendored plugins.
* Update external plugin documentation source
The Linode plugin for Packer is now maintained by the Linode team, under
their respective GitHub org. This change updates the source address for
the external plugin that should be used for pulling new plugin
documentation.
* Removed packer-plugin-linode from the list of vendored plugins
The Linode plugin for Packer is now maintained by the Linode team, under
their respective GitHub org. This change removes Linode from the vendored plugins
lists.
```
» Go Modules Scanner
⚠︎ found OSV reported vulnerability GHSA-vvpx-j8f3-3w6h in golang.org/x/net@v0.5.0
⚠︎ found OSV reported vulnerability GO-2023-1571 in golang.org/x/net@v0.5.0
```
The latest version of Go-Getter contains a SMBClient timeout option,
along with an updated AWS SDK to improve S3 support.
```
go get github.com/hashicorp/go-getter/v2
go get github.com/hashicorp/go-getter/s3/v2
go get github.com/hashicorp/go-getter/gcs/v2
go mod tidy
```
As with the Go version update to 1.18.9, this fix concerns mitigations for the
GO-2022-1144 vulnerability.
Since we depend on golang.org/x/net too, we need to update it to a version
that is no longer vulnerable, which starts at version 0.4.0.
The latest release of the Oracle plugin for Packer removed
Solaris from its list of supported platforms. Since Packer still
releases binaries for Solaris the Oracle plugin will no longer be
bundled and distributed within the Packer binary. Practitioners relying
on the plugin can continue using the plugin by installing it manually
using either the `packer init` or `packer plugins install` commands.
This change updates Packer core Go version to 1.18. The move to Go 1.18 and not Go 1.19
is to allow the HCP Packer SDK time to upgrade to Go 1.18.
Changes Made:
* Bump go mod file to use Go 1.18
* Bump release pipeline to use Go 1.18
* Update plugin updater script to run go mod tidy for Go 1.18
* Update Linux job to use setup-go action
This change brings in updates to Packer's usage of the go-getter plugin
used within the SDK for downloading ISO files. This can be a potentially
breaking change for some plugins as the updated go-getter settings in the
SDK prevent reading/writing to subdirs that require upward path
traversal (e.g. /tmp/.../etc/hosts).
This change also includes 30 minute maximum timeouts for file
downloading to prevent resource exhaustion. This can be an issue for
very large or slow downloads if they take more than 30 minutes to
complete.
* Bump versions for all recently updated plugins
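The two guards the go-getter commit message above describes, a subdirectory check that refuses upward path traversal out of the download root and a context deadline that bounds how long a download may run, shown as an added example. This is illustrative code written for this page, not go-getter's or Packer's own implementation; `SafeJoin`, `CopyWithTimeout`, `DefaultDownloadTimeout` and the `/tmp/packer-dl` root are assumed names for the example, and the sample payload is constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
	"time"
)

// DefaultDownloadTimeout mirrors the 30-minute ceiling mentioned in the
// commit message (constructed constant, not go-getter's own symbol).
const DefaultDownloadTimeout = 30 * time.Minute

// ErrEscapesRoot is returned when a requested subdir would resolve
// outside the download root.
var ErrEscapesRoot = errors.New("subdir escapes download root")

// SafeJoin resolves sub beneath root and refuses any result that lands
// outside root, which is what a "../etc/hosts" style subdir attempts.
// Hypothetical helper written for this example.
func SafeJoin(root, sub string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the path, so ".." segments are folded into the result
	// before it is compared against the root.
	target := filepath.Join(absRoot, sub)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// A relative path that starts with ".." points above the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return target, nil
}

// ctxReader makes every Read observe the context, so a copy driven by a
// deadline stops at the next chunk instead of running until the source drains.
type ctxReader struct {
	ctx context.Context
	r   io.Reader
}

func (c ctxReader) Read(p []byte) (int, error) {
	if err := c.ctx.Err(); err != nil {
		return 0, err
	}
	return c.r.Read(p)
}

// CopyWithTimeout copies src to dst but stops once ctx expires. The bytes
// written so far and the context error are returned so the caller can
// discard the partial file rather than treat it as a finished download.
func CopyWithTimeout(ctx context.Context, dst io.Writer, src io.Reader) (int64, error) {
	return io.Copy(dst, ctxReader{ctx: ctx, r: src})
}

func main() {
	for _, sub := range []string{"iso/ubuntu.iso", "../etc/hosts", "a/../../b"} {
		p, err := SafeJoin("/tmp/packer-dl", sub)
		fmt.Printf("subdir %-16q -> path=%q err=%v\n", sub, p, err)
	}

	ctx, cancel := context.WithTimeout(context.Background(), DefaultDownloadTimeout)
	defer cancel()
	// Constructed in-memory payload standing in for a remote ISO.
	n, err := CopyWithTimeout(ctx, io.Discard, strings.NewReader("constructed sample payload"))
	fmt.Printf("copied %d bytes, err=%v\n", n, err)
}
```

The `filepath.Rel` comparison is what makes the check robust: a plain string prefix test on the joined path would accept a sibling directory such as `/tmp/packer-dl-other`, whereas the relative form exposes any escape as a leading `..` segment. The reader wrapper is deliberately simple; a real downloader would also close the underlying connection when the deadline fires.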
This change brings all plugins in Packer core up to date to address
issues with legacy SSH RSA-SHA1 key algorithms.
Related to: https://github.com/hashicorp/packer/pull/11761
* Update repository for packer-plugin-outscale
The Packer Plugin SDK has been updated in v0.2.12 to address the
x/crypto/ssh fix for unsupported key algorithms. This change is specific
to the SSH communication, which is mostly in the sdk pkg, but it is being
brought into Packer to have parity with all the external plugins, which
are being updated separately.