security release for go 1.17.5

[tgross]

Summary

Nomad 1.2.3 has been released to upgrade to Go 1.17.5. All prior versions of Nomad were built with a version of Go that contained 2 CVEs:

• CVE-2021-44717 could allow a task on a Unix system with exhausted file handles to misdirect I/O.
• CVE-2021-44716 could create unbounded memory growth in HTTP2 servers, but Nomad servers do not use HTTP2 and are unaffected.

Remediation

Users should upgrade Nomad agents to Nomad v1.2.3. Upgrading both servers and clients is recommended.

Backports

Nomad 1.1.9 and Nomad 1.0.15 have been released to upgrade the version of Go to 1.16.12 to remediate the vulnerabilities.

Links

• 1.2.3 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.3/CHANGELOG.md
• 1.2.3 Binaries - https://releases.hashicorp.com/nomad/1.2.3/
• 1.1.9 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.9/CHANGELOG.md
• 1.1.9 Binaries - https://releases.hashicorp.com/nomad/1.1.9/
• 1.0.15 Changelog - https://github.com/hashicorp/nomad/blob/v1.0.15/CHANGELOG.md
• 1.0.15 Binaries - https://releases.hashicorp.com/nomad/1.0.15/

[tgross]

Closed by #11665

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.