Bump Golang 1.11.3 (CVE-2018-16875)

[thaJeztah]

go1.11.13 (released 2018/12/14)

• crypto/x509: CPU denial of service in chain validation golang/go#29233
• cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
• cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn github@gone.nl

[thaJeztah]

ping @seemethere @andrewhsu PTAL

[theckman]

@thaJeztah be aware, there's a bit of an issue with the release that may want you to delay:

https://github.com/golang/go/issues/29241

[thaJeztah]

@theckman thanks! I saw the issue, so we'll have to check if we run into that during our builds (not sure if we use go get ... during our builds 😅)

[theckman]

@thaJeztah It's possibly I misunderstand but I think the risk would be anyone who uses the resulting Docker image for building running in to it, not necessarily during the build of the image itself.

[thaJeztah]

Gotcha; yes, for other uses of this image that may be an issue. This image is primarily created for building the docker/cli (although it's not used for the actual releases).

I'll updated again as soon as a new golang patch release is available 👍

[thaJeztah]

Go 1.11.4 bump coming in https://github.com/docker/golang-cross/pull/17