Commit Graph

8899 Commits

Author SHA1 Message Date
TheRealGramdalf 3ab117e7cd
Fix typo in dockerd reference documentation
Signed-off-by: Graeme Wiebe <graeme.wiebe@gmail.com>
(cherry picked from commit e93ec2f6a6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 21:52:22 +01:00
Sebastiaan van Stijn f9cdb6f96a
docs: update debian examples to use bookworm
"bullseye" is no longer the "latest" debian, so these
examples were now incorrect.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6468c63c81)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 21:51:18 +01:00
Hugo Chastel 13a7d571a1
Add zstd as supported in load command doc
Signed-off-by: Hugo Chastel <Hugo-C@users.noreply.github.com>
(cherry picked from commit f387558b55)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 21:51:06 +01:00
saurabh 55cec698b7
--env-file about comments doc updated
Signed-off-by: Saurabh Kumar <saurabhkumar0184@gmail.com>

(cherry picked from commit efc9236794)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 21:50:52 +01:00
Sebastiaan van Stijn 9df8eb2b9c
docs: update redirect metadata for hugo
docs.docker.com switched from Jekyll to Hugo, which uses "aliases"
instead of "redirect_from".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 07338fe965)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 21:50:38 +01:00
Sebastiaan van Stijn f5a9aabe74
Merge pull request #4695 from thaJeztah/24.0_update_golang_1.20.12
[24.0] update to go1.20.12
2023-12-07 17:40:21 +01:00
Sebastiaan van Stijn cda067a175
update to go1.20.12
go1.20.12 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler and the go command. See the Go 1.20.12 milestone on our issue
tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.11...go1.20.12

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:41:51 +01:00
Sebastiaan van Stijn 998d2e8d78
update to go1.20.11
go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker and the net/http package. See the
Go 1.20.11 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.10...go1.20.11

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:41:18 +01:00
Sebastiaan van Stijn 65bc42b4af
Merge pull request #4682 from thaJeztah/24.0_backport_noraw
[24.0 backport] docs: remove "{% raw %}" / "{% endraw %}" Jekyl (liquid) leftovers
2023-11-28 10:26:40 +01:00
Sebastiaan van Stijn 00dbc19cab
Merge pull request #4680 from thaJeztah/24.0_backport_fix_flag_typo
[24.0 backport] docs/man: fix -name flag with single hyphen
2023-11-27 22:12:19 +01:00
Sebastiaan van Stijn 207d9edaa7
docs: reference/commandlin/cli: remove redundant italic
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 354f62f0c5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 22:06:20 +01:00
Sebastiaan van Stijn e799792d8a
docs: remove "{% raw %}" / "{% endraw %}" Jekyl (liquid) leftovers
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e2626200aa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 22:06:20 +01:00
Sebastiaan van Stijn 327b84fcbf
docs/man: fix -name flag with single hyphen
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 174cbb588f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 21:00:38 +01:00
Sebastiaan van Stijn 48ec4f339e
Merge pull request #4639 from dvdksn/backport_dockerd-default-nw-opt
[24.0 Backport] docs: add default-network-opt daemon option
2023-11-06 13:31:52 +01:00
David Karlsson 88a745999d docs: add default-network-opt daemon option
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
(cherry picked from commit 848fe622ce)
2023-11-06 13:23:17 +01:00
Sebastiaan van Stijn afdd53b4e3
Merge pull request #4629 from thaJeztah/24.0_update_engine
[24.0] vendor: github.com/docker/docker v24.0.6
2023-10-26 09:06:42 +02:00
Brian Goff 12c309fe91
Merge pull request #4628 from thaJeztah/24.0_backport_bump_compress
[24.0 backport] vendor: github.com/klauspost/compress v1.17.2
2023-10-25 17:42:02 -07:00
Sebastiaan van Stijn f42719820d
vendor: github.com/docker/docker v24.0.6
full diff: https://github.com/moby/moby/compare/v24.0.5...v24.0.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-26 00:37:11 +02:00
Sebastiaan van Stijn 17770189de
vendor: github.com/klauspost/compress v1.17.2
fixes data corruption with zstd output in "best"

- 1.17.2 diff: https://github.com/klauspost/compress/compare/v1.17.1...v1.17.2
- full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6372c6aae6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-25 23:17:39 +02:00
Sebastiaan van Stijn cde0441dc8
vendor: github.com/klauspost/compress v1.16.5
full diff: https://github.com/klauspost/compress/compare/v1.16.3...v1.16.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 497b13c661)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-25 23:17:35 +02:00
Sebastiaan van Stijn d9f94d5719
Merge pull request #4618 from thaJeztah/24.0_backport_cli-issue-502
[24.0 backport] Add docker ps status descriptions
2023-10-23 16:11:33 +02:00
Sam Thibault 54d83fbbf4
Add docker ps status descriptions
Signed-off-by: Sam Thibault <sam.thibault@docker.com>
(cherry picked from commit 8bf121c3bc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-23 12:34:39 +02:00
Sebastiaan van Stijn 30a185e936
Merge pull request #4609 from thaJeztah/24.0_backport_x_net
[24.0 backport] vendor: golang.org/x/net v0.17.0
2023-10-19 14:06:59 +02:00
Sebastiaan van Stijn d43c48d5ab
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a27466fb6f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:35:49 +02:00
Sebastiaan van Stijn 1919679638
vendor: golang.org/x/crypto v0.14.0
full diff: https://github.com/golang/crypto/compare/v0.9.0...v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 612a171557)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:34:31 +02:00
Sebastiaan van Stijn 6c5bc490d4
vendor: golang.org/x/term v0.13.0
- term: consistently return zeroes on GetSize error

full diff: https://github.com/golang/term/compare/v0.8.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 392db31e2a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:33:19 +02:00
Sebastiaan van Stijn 66558a4e64
vendor: golang.org/x/text v0.13.0
full diff: https://github.com/golang/text/compare/v0.9.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ac307788a6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:32:30 +02:00
Sebastiaan van Stijn 0d554b549b
vendor: golang.org/x/sys v0.13.0
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 48655f794c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:31:38 +02:00
Sebastiaan van Stijn 8c4dc6c603
vendor: golang.org/x/crypto v0.9.0
full diff: https://github.com/golang/crypto/compare/v0.3.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c9d56b8504)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:29:57 +02:00
Sebastiaan van Stijn aef1157742
vendor: golang.org/x/sys v0.10.0
full diff: https://github.com/golang/sys/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ffea6940e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:27:19 +02:00
Sebastiaan van Stijn 54894f0224
vendor: golang.org/x/sync v0.3.0
full diff: https://github.com/golang/sync/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1554b49329)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-19 12:27:00 +02:00
Bjorn Neergaard 0f109aafa8
Merge pull request #4584 from thaJeztah/24.0_backport_update_actions
[24.0 backport] build(deps): bump actions/checkout from 3 to 4
2023-10-13 08:49:32 -07:00
Bjorn Neergaard 89ce230bd8
Merge pull request #4587 from thaJeztah/24.0_backport_go1.21_prepare
[24.0 backport] assorted dockerfile and test updates
2023-10-13 08:49:15 -07:00
Sebastiaan van Stijn db6e494b40
Merge pull request #4594 from thaJeztah/24.0_backport_update_md2man
[24.0 backport] update go-md2man to v2.0.3
2023-10-13 17:27:19 +02:00
Sebastiaan van Stijn 5b3e376f86
Merge pull request #4597 from thaJeztah/24.0_update_go1.20.10
[24.0] update to go1.20.10
2023-10-12 14:20:26 +02:00
Sebastiaan van Stijn a47889a70f
update to go1.20.10
go1.20.10 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.20.10 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.9...go1.20.10

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:04:46 +02:00
Sebastiaan van Stijn 3c10203b39
update to go1.20.9
go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go package,
as well as bug fixes to the go command and the linker. See the Go 1.20.9
milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.9+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.8...go1.20.9

From the security mailing:

[security] Go 1.21.2 and Go 1.20.9 are released

Hello gophers,

We have just released Go versions 1.21.2 and 1.20.9, minor point releases.

These minor releases include 1 security fixes following the security policy:

- cmd/go: line directives allows arbitrary execution during build

  "//line" directives can be used to bypass the restrictions on "//go:cgo_"
  directives, allowing blocked linker and compiler flags to be passed during
  compliation. This can result in unexpected execution of arbitrary code when
  running "go build". The line directive requires the absolute path of the file in
  which the directive lives, which makes exploting this issue significantly more
  complex.

  This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:04:12 +02:00
Sebastiaan van Stijn 9662d73735
update go-md2man to v2.0.3
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.1...v2.0.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3f1195e4ec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 19:24:29 +02:00
Tianon Gravi 35453d6c4f
Update minimum Go version to 1.19
On Go 1.18 since a5ebe2282a, we get:

    # github.com/docker/docker-credential-helpers/client
    vendor/github.com/docker/docker-credential-helpers/client/command.go:34:39: programCmd.Environ undefined (type *exec.Cmd has no field or method Environ)
    note: module requires Go 1.19
    # github.com/docker/cli/cli/connhelper/commandconn
    cli/connhelper/commandconn/commandconn.go:71:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:76:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:77:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:78:22: undefined: atomic.Bool

These go away when building against 1.19+.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 0f59f04f57)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-29 10:00:53 +02:00
dependabot[bot] 2a76b0c4e7
build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit dee40053f6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:34:32 +02:00
Sebastiaan van Stijn 1ebaef3663
Dockerfile: use GOTOOLCHAIN=local
This may find its way into the official images, but until it does, let's
make sure we don't get unexpected updates of go.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e9759cee69)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:30:13 +02:00
Sebastiaan van Stijn 8a7833ab62
Dockerfile: build gotestsum and goversioninfo without cgo
It's not needed to build these binaries. The Dockerfile.dev image already
has CGO_ENABLED=0 as default in the golang image, so does not need updates.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f07e7e1eed)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:29:40 +02:00
Sebastiaan van Stijn 2e86812d7a
e2e: update to use compose v2, and don't depend on distro-packages
We were depending on alpine's package repository to install compose,
but for debian we used compose's GitHub releases. Depending on distro
packages means that we don't know when updates will happen, and versions
may diverge because of that; for example, alpine 3.18 updated to compose
v2;

On alpine 3.17:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    docker-compose version 1.29.2, build unknown

On alpine 3.18:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    Docker Compose version v2.17.3

This caused our e2e script to fail, as it made assumptions about the name
format created by compose, which changed from underscores to hyphens in v2;

    Container cliendtoendsuite-engine-1  Running
    Error: No such object: cliendtoendsuite_engine_1

This patch:

- updates the Dockerfile to install compose from the compose-bin image
- adjusts the e2e script for the new naming scheme format
- removes the version field from the compose-files used in e2e, as they
  are no longer used by compose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9e424af5da)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:29:27 +02:00
Sebastiaan van Stijn e7ca37861b
Dockerfile: use COPY --link where possible
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit af05a68828)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:28:47 +02:00
Bjorn Neergaard 1f8118b1cc
Merge pull request #4565 from thaJeztah/24.0_backport_docker_tag_dupwords
[24.0 backport] docs: fix duplicate words in "docker tag" reference
2023-09-15 08:17:43 -06:00
Sebastiaan van Stijn f2a3d50b30
docs: fix duplicate words in "docker tag" reference
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3a16c3bb09)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-14 13:45:34 +02:00
Bjorn Neergaard edae25f8af
Merge pull request #4561 from thaJeztah/24.0_backport_update_golang_1.20.8
[24.0 backport] update to go1.20.8
2023-09-13 10:05:54 -06:00
Bjorn Neergaard d848d49be9
Merge pull request #4543 from thaJeztah/24.0_backport_bump_golangci_lint
[24.0 backport] update golangci-lint to v1.54.2
2023-09-13 10:05:27 -06:00
Sebastiaan van Stijn 4feeefbd68
update to go1.20.8
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HMTL-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4b00be585c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-13 17:49:18 +02:00
Bjorn Neergaard ed223bc820
Merge pull request #4544 from thaJeztah/24.0_backport_fix_events_json_format
[24.0 backport] cli/command/system: fix "docker events" not supporting --format=json
2023-08-31 11:24:32 -06:00