@VirtualAdam VirtualAdam commented Nov 19, 2025

Fixes #1759

Summary

This PR contributes production-tested security improvements for Quorum, addressing multiple CVEs and security vulnerabilities through dependency upgrades and Docker base image hardening.

Changes

go-ethereum v1.13.15 Upgrade (Major Security Fix)

  • Resolves 10 tracked security vulnerabilities
  • Includes critical fixes in:
    • eth/protocols/snap/handler.go - Snap protocol security fix
    • trie/trie.go - Trie vulnerability patch
    • params/version.go - Version tracking

Build System Updates

  • Go 1.21 → Go 1.24 upgrade in Dockerfile
  • Updated build environment for better security and stability

Alpine Linux Security Patches

  • Alpine Linux 3.20 base image with security updates:
    • busybox 1.36.1-r29+ - CVE fixes (Advisory 511246)
    • openssl 3.3.2-r0+, libssl3 3.3.2-r0+, libcrypto3 3.3.2-r0+ - CVE fixes (Advisory 514077)
    • curl 8.9.0-r0+, libcurl 8.9.0-r0+ - CVE fixes (Advisory 513861)
    • musl 1.2.5-r1+, musl-utils 1.2.5-r1+ - CVE fixes (Advisory 517049)

Go Module Updates

  • Updated go.mod and go.sum with security-patched dependencies

Testing

Quorum Acceptance Tests: These changes have been validated with the Quorum acceptance test suite in the Microsoft enterprise environment.

Security Tested: All known CVEs addressed and verified


Note

Upgrade geth to v1.13.15 and Go 1.24.8, harden Docker images with Alpine CVE patches, refresh modules, and add small snap/trie safety checks.

  • Versioning:
    • Bump geth to v1.13.15 (VERSION, params/version.go).
  • Build/CI:
    • Upgrade Go to 1.24.8 in go.mod and GitHub Actions workflow (.github/workflows/build.yml).
    • Refresh Go module versions in go.mod.
  • Docker:
    • Switch builders to golang:1.24-alpine (Dockerfile, Dockerfile.alltools).
    • Update runtime to alpine:3.20 and explicitly install patched busybox, openssl/libssl3/libcrypto3, curl/libcurl, and musl (Dockerfile).
  • Code safety fixes:
    • eth/protocols/snap/handler.go: guard against nil accounts when serving trie nodes.
    • trie/trie.go: prevent retrieving a node from nil and return clear errors in tryGetNode.

Written by Cursor Bugbot for commit 2e0d97c.
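The Docker changes the summary describes (golang:1.24-alpine builder, alpine:3.20 runtime, explicit installation of the patched packages), as an added example that is not the PR's own Dockerfile and not part of the original thread. The build command, source paths, binary name and the extra build packages are assumptions; the package lower bounds are the ones listed in the PR.

```dockerfile
# Added example, not the PR's Dockerfile. Mirrors the hardening the PR
# summary describes: Go 1.24 Alpine builder, Alpine 3.20 runtime, and the
# patched packages installed explicitly with lower bounds so the build
# fails if the repository cannot satisfy them.

# --- build stage (golang:1.24-alpine as in the PR) ---
FROM golang:1.24-alpine AS builder

# Assumed build dependencies for a cgo-enabled geth build on Alpine.
RUN apk add --no-cache gcc musl-dev linux-headers git

WORKDIR /go-ethereum
# Copy module files first so dependency downloads are cached separately
# from source changes.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Assumed build invocation; adjust to the project's actual build target.
RUN go run build/ci.go install ./cmd/geth

# --- runtime stage (alpine:3.20 as in the PR) ---
FROM alpine:3.20

# Apply all pending Alpine security updates, then require at least the
# versions the PR lists. apk aborts if a lower bound cannot be met, which
# is the check we want: an image built against a stale mirror will not
# silently ship the unpatched packages.
RUN apk upgrade --no-cache && apk add --no-cache \
      'busybox>=1.36.1-r29' \
      'openssl>=3.3.2-r0' \
      'libssl3>=3.3.2-r0' \
      'libcrypto3>=3.3.2-r0' \
      'curl>=8.9.0-r0' \
      'libcurl>=8.9.0-r0' \
      'musl>=1.2.5-r1' \
      'musl-utils>=1.2.5-r1' \
      ca-certificates

# Run the node as an unprivileged user (assumed uid/name).
RUN addgroup -S geth && adduser -S -G geth geth
COPY --from=builder /go-ethereum/build/bin/geth /usr/local/bin/geth
USER geth

EXPOSE 8545 8546 30303 30303/udp
ENTRYPOINT ["geth"]
```

After building, `docker run --rm <image> apk info -v` shows the resolved package versions; comparing that output against the advisory minimums (busybox 1.36.1-r29, openssl 3.3.2-r0, curl 8.9.0-r0, musl 1.2.5-r1) is the quickest way to confirm the runtime image actually carries the patched builds rather than whatever alpine:3.20 shipped at tag time.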


Development

Successfully merging this pull request may close these issues.

Security Updates: Upgrade to go-ethereum v1.13.15, Go 1.24, and Alpine Linux patches

1 participant