DockerCLI/dockerfiles/Dockerfile.e2e

44 lines
1.5 KiB
Docker
Raw Normal View History

Update Golang 1.12.12 (CVE-2019-17596) Golang 1.12.12 ------------------------------- full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12 go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.12 Golang 1.12.11 (CVE-2019-17596) ------------------------------- full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11 go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.11 [security] Go 1.13.2 and Go 1.12.11 are released Hi gophers, We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.2). Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. The issue is CVE-2019-17596 and Go issue golang.org/issue/34960. Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also like to thank regilero for a previous disclosure of CVE-2019-16276. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 474d522ee2cb9357f73891f1a86c7162d0b9d23c) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-20 17:26:31 -04:00
ARG GO_VERSION=1.12.12
# Use Debian based image as docker-compose requires glibc.
FROM golang:${GO_VERSION}
RUN apt-get update && apt-get install -y \
build-essential \
curl \
openssl \
openssh-client \
&& rm -rf /var/lib/apt/lists/*
ARG COMPOSE_VERSION=1.21.2
RUN curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose \
&& chmod +x /usr/local/bin/docker-compose
ARG NOTARY_VERSION=v0.6.1
RUN curl -Ls https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
&& chmod +x /usr/local/bin/notary
ARG GOTESTSUM_VERSION=0.3.4
RUN curl -Ls https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_linux_amd64.tar.gz -o gotestsum.tar.gz \
&& tar -xf gotestsum.tar.gz gotestsum \
&& mv gotestsum /usr/local/bin/gotestsum \
&& rm gotestsum.tar.gz
ENV CGO_ENABLED=0 \
DISABLE_WARN_OUTSIDE_CONTAINER=1 \
PATH=/go/src/github.com/docker/cli/build:$PATH
WORKDIR /go/src/github.com/docker/cli
# Trust notary CA cert.
COPY e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
COPY . .
ARG VERSION
ARG GITCOMMIT
ENV VERSION=${VERSION} GITCOMMIT=${GITCOMMIT}
RUN ./scripts/build/binary
RUN ./scripts/build/plugins e2e/cli-plugins/plugins/*
CMD ./scripts/test/e2e/entry