Commit Graph

8042 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 046e7e61f5
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 10:52:34 +02:00
Sebastiaan van Stijn 8dd94d3824
Merge pull request #3700 from vvoland/new-curators
Add Bruno and Paweł to curators
2022-07-07 22:12:57 +02:00
Paweł Gronowski e7a1f14d38 maintainers: Add Paweł Gronowski as curator
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-07-07 14:03:25 +02:00
Paweł Gronowski c25ff58cb2 maintainers: Add Bruno de Sousa as curator
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-07-07 14:01:41 +02:00
Sebastiaan van Stijn a9ae026984
Merge pull request #3655 from thaJeztah/docs_ps_notrunc
docs: add missing --no-trunc in example
2022-07-06 21:55:35 +02:00
Sebastiaan van Stijn 4f6679050e
Merge pull request #3687 from crazy-max/dockerfile-ref-moved
docs: dockerfile reference moved to buildkit repo
2022-07-05 09:49:33 +02:00
Sebastiaan van Stijn 8d9b95603a
Merge pull request #3692 from thaJeztah/validate_pull_opts
container: validate --pull option on create and run
2022-06-30 21:45:07 +02:00
Sebastiaan van Stijn 4460252b43
Merge pull request #3694 from thaJeztah/reference_canonical_aliases
cli: use custom annotation for aliases
2022-06-30 21:44:08 +02:00
Sebastiaan van Stijn 2280a9d5a7
Merge pull request #3670 from thaJeztah/fix_quotes_panic
opts: fix potential panic in trimQuotes
2022-06-30 20:56:09 +02:00
Sebastiaan van Stijn 80b1285fec cli: use custom annotation for aliases
Cobra allows for aliases to be defined for a command, but only allows these
to be defined at the same level (for example, `docker image ls` as alias for
`docker image list`). Our CLI has some commands that are available both as a
top-level shorthand as well as `docker <object> <verb>` subcommands. For example,
`docker ps` is a shorthand for `docker container ps` / `docker container ls`.

This patch introduces a custom "aliases" annotation that can be used to print
all available aliases for a command. While this requires these aliases to be
defined manually, in practice the list of aliases rarely changes, so maintenance
should be minimal.

As a convention, we could consider the first command in this list to be the
canonical command, so that we can use this information to add redirects in
our documentation in future.

Before this patch:

    docker images --help

    Usage:  docker images [OPTIONS] [REPOSITORY[:TAG]]

    List images

    Options:
      -a, --all             Show all images (default hides intermediate images)
      ...

With this patch:

    docker images --help

    Usage:  docker images [OPTIONS] [REPOSITORY[:TAG]]

    List images

    Aliases:
      docker image ls, docker image list, docker images

    Options:
      -a, --all             Show all images (default hides intermediate images)
      ...

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-28 17:32:09 +02:00
Sebastiaan van Stijn 05d288eb06
Merge pull request #3693 from thaJeztah/cli_usage_aliases
cli: print full command as aliases in usage output
2022-06-28 17:31:30 +02:00
Sebastiaan van Stijn 8403f06629
Merge pull request #3691 from thaJeztah/fix_conflicting_names
cli/command/container: rename variable that collided with import
2022-06-28 14:03:51 +02:00
Sebastiaan van Stijn 190dac77bd
container: validate --pull option on create and run
Before this change, specifying the `--pull` flag without a value, could
result in the flag after it, or the positional argument to be used as
value.

This patch makes sure that the value is an expected value;

    docker create --pull --rm hello-world
    docker: invalid pull option: '--rm': must be one of "always", "missing" or "never".

    docker run --pull --rm hello-world
    docker: invalid pull option: '--rm': must be one of "always", "missing" or "never".

    docker run --pull hello-world
    docker: invalid pull option: 'hello-world': must be one of "always", "missing" or "never".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-28 13:58:50 +02:00
Sebastiaan van Stijn 2d88c896bc
cli: print full command as aliases in usage output
The default output for Cobra aliases only shows the subcommand as alias, which
is not very intuitive. This patch changes the output to print the full command
as it would be called by the user.

Note that there's still some improvements to be made; due to how aliases must be
set-up in Cobra, aliases at different "levels" are still not shown. So for example,
`docker ps --help` will not show `docker container ps` as alias, and vice-versa.
This will require additional changes, and can possibly be resolved using custom
metadata/annotations.

Before this patch:

    docker container ls --help

    Usage:  docker container ls [OPTIONS]

    List containers

    Aliases:
      ls, ps, list

After this patch:

    docker container ls --help

    Usage:  docker container ls [OPTIONS]

    List containers

    Aliases:
      docker container ls, docker container ps, docker container list

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-28 11:03:30 +02:00
Sebastiaan van Stijn 44f3b87f0e
Merge pull request #3627 from vvoland/3554-exec-size
command/exec: Fill ConsoleSize
2022-06-27 17:26:02 +02:00
Sebastiaan van Stijn 64520f8367
Merge pull request #3690 from vvoland/vcobra
vendor: Bump github.com/spf13/cobra to v1.5.0
2022-06-27 17:24:18 +02:00
Sebastiaan van Stijn 5a434d8f77
cli/command/container: rename variable that collided with import
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-27 17:20:27 +02:00
Paweł Gronowski a929ac0f35 vendor: Bump github.com/spf13/cobra to v1.5.0
changes: https://github.com/spf13/cobra/compare/v1.4.0...v1.5.0

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-06-27 16:01:16 +02:00
CrazyMax f3ed630f8f
docs: dockerfile reference moved to buildkit repo
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-27 11:51:46 +02:00
Paweł Gronowski a141f1c267 command/exec: Fill ConsoleSize
This makes the exec'd process console dimensions immediately match the
users terminal.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-06-27 11:14:23 +02:00
Sebastiaan van Stijn 015b4b7db5
Merge pull request #3581 from thaJeztah/docs_version_update_examples
docs: reference: version: improve description
2022-06-27 10:55:50 +02:00
Sebastiaan van Stijn bb5c3575b3
Merge pull request #3688 from vvoland/3554-update-moby
vendor: github.com/docker/docker 4eb1c5bd52afa08595d9a082a9ba05c81f79be07
2022-06-24 19:26:33 +02:00
Paweł Gronowski 9373b26116 vendor: github.com/docker/docker 4eb1c5bd52afa08595d9a082a9ba05c81f79be07
Update to latest master

Full diff: 38633e7971...4eb1c5bd52

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-06-24 18:26:30 +02:00
Sebastiaan van Stijn b496125aa7
Merge pull request #3684 from bbodenmiller/patch-3
Improve doc code formatting
2022-06-22 21:55:24 +02:00
Ben Bodenmiller e458cf1afc
Improve doc code formatting
Signed-off-by: Ben Bodenmiller <bbodenmiller@gmail.com>
2022-06-21 23:13:23 -07:00
Sebastiaan van Stijn ac1d1ad727
Merge pull request #3680 from muru/patch-1
docs: fix misleading example of setting an env variable for a single command
2022-06-21 10:36:11 +02:00
Murukesh Mohanan 7227c0145d
docs: fix misleading example of setting an env variable for a single command
The `DEBIAN_FRONTEND` environment variable is used to control the interface by which debconf questions are presented to the user (see [`man 7 debconf`][1]). In `DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y`, the `DEBIAN_FRONTEND` environment variable is only set for the `apt-get update` command which does not ask debconf questions, and will not affect the `apt-get install` command where these questions are actually asked. It should be the other way around.

  [1]: https://manpages.debian.org/debconf.7.html

Signed-off-by: Murukesh Mohanan <murukesh.mohanan@gmail.com>
2022-06-20 18:50:59 +09:00
Sebastiaan van Stijn a51ea675b2
opts: fix potential panic in trimQuotes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-09 08:00:33 +02:00
Sebastiaan van Stijn c59773f155
Merge pull request #3640 from photra/3632-fix-ps-format
Fix psFormat's Size handling in config file
2022-06-07 13:08:43 +02:00
Phong Tran 0929bed42a
Fix psFormat's Size handling in config file
- do an early check if a custom format is specified either through the
  command-line, or through the cli's configuration, before adjusting
  the options (to add "size" if needed).
- also removes a redundant `options.Size = opts.size` line, as this value is
  already copied at the start of buildContainerListOptions()
- Update NewContainerFormat to use "table" format as a default if no format
  was given.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Phong Tran <tran.pho@northeastern.edu>
2022-06-07 12:48:56 +02:00
Sebastiaan van Stijn 7294e7c701
Merge pull request #3658 from crazy-max/update-platforms
bake: align platforms
2022-06-06 20:30:42 +02:00
CrazyMax 8e0afc6489
bake: align platforms
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-06 18:33:17 +02:00
Sebastiaan van Stijn b75c262639
Merge pull request #3659 from crazy-max/fix-mod-outdated
bake: use no-cache-filter for outdated stage
2022-06-05 17:29:42 +02:00
Sebastiaan van Stijn 1c051c891c
Merge pull request #3657 from crazy-max/bump-xx
Dockerfile: update xx to 1.1.1
2022-06-05 17:28:23 +02:00
CrazyMax 0f6a0eb2d4
bake: use no-cache-filter for outdated stage
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-05 16:25:05 +02:00
CrazyMax 0c17225df0
Dockerfile: update xx to 1.1.1
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-05 16:16:16 +02:00
Sebastiaan van Stijn 787077d41b
docs: add missing --no-trunc in example
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-05 12:38:31 +02:00
Sebastiaan van Stijn 3e9117b7e2
Merge pull request #3653 from thaJeztah/update_engine
vendor: github.com/docker/docker 38633e797195643580ce5c4af7c5422aad3eb7de
2022-06-03 19:47:27 +02:00
Sebastiaan van Stijn cc78788bbd
vendor: github.com/docker/docker 38633e797195643580ce5c4af7c5422aad3eb7de
no changes in vendoring, just updating to latest master

full diff: cf4595265e...38633e7971

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-03 19:34:27 +02:00
Sebastiaan van Stijn 28069af1d7
Merge pull request #3651 from thaJeztah/update_authors_mailmap
update AUTHORS and mailmap
2022-06-03 14:08:16 +02:00
Sebastiaan van Stijn c93b7e7896
Merge pull request #3650 from thaJeztah/update_engine
vendor: github.com/docker/docker cf4595265e7703e1e9745a30f1dd265acbc075d3
2022-06-03 14:08:01 +02:00
Sebastiaan van Stijn 1f179ac65e
vendor: github.com/docker/docker cf4595265e7703e1e9745a30f1dd265acbc075d3
No changes in vendored files, just syncing with latest master

full diff: 3e32104e0e...cf4595265e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-03 13:22:18 +02:00
Sebastiaan van Stijn a4ffbcd958
update AUTHORS and mailmap
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-03 12:18:51 +02:00
Sebastiaan van Stijn 9cda6ce011
Merge pull request #3641 from photra/3636-deflake-testvolumecreateclusteropts
Deflake TestVolumeCreateClusterOpts
2022-06-03 12:08:47 +02:00
Phong Tran 1d85b4d0ec
Deflake TestVolumeCreateClusterOpts
Add Secret sorting prior to request to prevent flakiness in CI

Signed-off-by: Phong Tran <tran.pho@northeastern.edu>

Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
Signed-off-by: Phong Tran <tran.pho@northeastern.edu>
2022-06-03 11:52:51 +02:00
Sebastiaan van Stijn 2119f425b6
docs: reference: version: add info about API version negotiation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 22:53:23 +02:00
Sebastiaan van Stijn 99bb525f98
docs: reference: version: improve description
Move the "default output" section into the description, and
describe the section that can be found in the output.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 22:50:39 +02:00
Nicolas De loof df3c2f171d
Merge pull request #3646 from thaJeztah/update_golang_1.18.3 2022-06-02 11:45:19 +02:00
Sebastiaan van Stijn aa720f154a
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:22:18 +02:00
Sebastiaan van Stijn d86fce7b05
Merge pull request #3645 from thaJeztah/update_engine
info: update plugin section to show installed path
2022-06-01 16:24:01 +02:00