bump GO_BUILD_VER from v0.88 to v0.89 to move go from 1.21.9 to 1.21.…

[paulgmiller]

…11 to fix cve https://avd.aquasec.com/nvd/cve-2024-24790

Description

Trivy detects a cve.

trivy i --severity=HIGH,CRITICAL docker.io/calico/typha:v3.26.4

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.4            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Related issues/PRs

fixes #8974

another CVE PR is #8975

Todos

• Tests
• Documentation
• Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[Behnam-Shobiri]

Thank you @paulgmiller
Can you please update UBI to 8.10 as well?

[Behnam-Shobiri]

/sem-approve

[paulgmiller]

@Behnam-Shobiri bumped.

[Behnam-Shobiri]

/sem-approve

[hjiawei]

Felix/node build failed due to a clang version mismatch issue. We updated clang from v12 to v15 in calico/go-build:v0.89. @Behnam-Shobiri is v0.88 branch still active? Maybe it is easier to update golang in v0.88 branch?

[paulgmiller]

No way to build calico 3.26 with clang v15? Maybe by cherry picking dc848fc

Or is clang v15 too big a change to pull back as a patch.

[hjiawei]

No way to build calico 3.26 with clang v15? Maybe by cherry picking dc848fc

Sure. If that still doesn't work, you can ping me to get v0.88 go-build golang version align with v0.89.

[paulgmiller]

@hjiawei got it to build node to but I did have to suppressed a variable unused error in tc.c (did it by debg logging it) but maybe there's a clang directive that would be better

See fdea96d6d1f39aef36a2cef433ef72d0684a9c5c in my change or just look carefully at tc.c and let me know if thats better.

Likely update .88 with the go patch is safer but I don't know how to help there so thought I'd try this.

[hjiawei]

/sem-approve

[hjiawei]

@paulgmiller The build is green finally...

[coutinhop]

Thanks @paulgmiller!