Commit Graph

9486 Commits

Author SHA1 Message Date
Sebastiaan van Stijn a27466fb6f
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:56:02 +02:00
Sebastiaan van Stijn 612a171557
vendor: golang.org/x/crypto v0.14.0
full diff: https://github.com/golang/crypto/compare/v0.9.0...v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:55:22 +02:00
Sebastiaan van Stijn 392db31e2a
vendor: golang.org/x/term v0.13.0
- term: consistently return zeroes on GetSize error

full diff: https://github.com/golang/term/compare/v0.8.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:53:19 +02:00
Sebastiaan van Stijn ac307788a6
vendor: golang.org/x/text v0.13.0
full diff: https://github.com/golang/text/compare/v0.9.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:50:23 +02:00
Sebastiaan van Stijn 48655f794c
vendor: golang.org/x/sys v0.13.0
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:49:37 +02:00
Bjorn Neergaard fc247d6911
Merge pull request #4603 from thaJeztah/update_distribution_2.8.3
vendor: github.com/docker/distribution v2.8.3
2023-10-13 09:22:21 -07:00
Sebastiaan van Stijn 6de5254162
vendor: github.com/docker/distribution v2.8.3
- Fix storageDriver gcs not registered in binaries
- reference: replace uses of deprecated function SplitHostname
- Dont parse errors as JSON unless Content-Type is set to JSON
- update to go1.20.8
- Set Content-Type header in registry client ReadFrom
- deprecate reference package, migrate to github.com/distribution/reference
- digestset: deprecate package in favor of go-digest/digestset
- Do not close HTTP request body in HTTP handler

full diff: https://github.com/distribution/distribution/compare/v2.8.2...v2.8.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 17:54:59 +02:00
Sebastiaan van Stijn a46f850435
Merge pull request #4596 from thaJeztah/update_golang_1.21.3
update to go1.21.3
2023-10-12 10:44:19 +02:00
Sebastiaan van Stijn ceab9b5e8e
update to go1.21.3
go1.21.3 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.21.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:02:33 +02:00
Sebastiaan van Stijn d249ce2794
update to go1.21.2
go1.21.2 (released 2023-10-05) includes one security fixes to the cmd/go package,
as well as bug fixes to the compiler, the go command, the linker, the runtime,
and the runtime/metrics package. See the Go 1.21.2 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.2+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.1...go1.21.2

From the security mailing:

[security] Go 1.21.2 and Go 1.20.9 are released

Hello gophers,

We have just released Go versions 1.21.2 and 1.20.9, minor point releases.

These minor releases include 1 security fixes following the security policy:

- cmd/go: line directives allows arbitrary execution during build

  "//line" directives can be used to bypass the restrictions on "//go:cgo_"
  directives, allowing blocked linker and compiler flags to be passed during
  compliation. This can result in unexpected execution of arbitrary code when
  running "go build". The line directive requires the absolute path of the file in
  which the directive lives, which makes exploting this issue significantly more
  complex.

  This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:02:16 +02:00
Sebastiaan van Stijn 26951f75de
Merge pull request #4592 from thaJeztah/update_md2man
update go-md2man to v2.0.3
2023-10-11 19:08:15 +02:00
Sebastiaan van Stijn 3f1195e4ec
update go-md2man to v2.0.3
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.1...v2.0.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:26:14 +02:00
Sebastiaan van Stijn dcc1610768
Merge pull request #4316 from AkihiroSuda/rro
mount: add `bind-recursive=<bool|string>` and deprecate `bind-nonrecursive=<bool>`
2023-10-02 12:20:11 -07:00
Akihiro Suda fc6976db45
mount: add `bind-recursive=<bool|string>` and deprecate `bind-nonrecursive=<bool>`
See `opts/mount_test.go:TestMountOptSetBindRecursive()` for the behavior.

Documentation will be added separately after reaching consensus on the
design.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-10-01 02:58:17 +09:00
Sebastiaan van Stijn 05bec8dd43
Merge pull request #4586 from tianon/go1.19min
Update minimum Go version to 1.19
2023-09-29 10:00:07 +02:00
Tianon Gravi 0f59f04f57 Update minimum Go version to 1.19
On Go 1.18 since a5ebe2282a, we get:

    # github.com/docker/docker-credential-helpers/client
    vendor/github.com/docker/docker-credential-helpers/client/command.go:34:39: programCmd.Environ undefined (type *exec.Cmd has no field or method Environ)
    note: module requires Go 1.19
    # github.com/docker/cli/cli/connhelper/commandconn
    cli/connhelper/commandconn/commandconn.go:71:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:76:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:77:22: undefined: atomic.Bool
    cli/connhelper/commandconn/commandconn.go:78:22: undefined: atomic.Bool

These go away when building against 1.19+.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2023-09-29 00:32:39 -07:00
Sebastiaan van Stijn 162e490623
Merge pull request #4581 from thaJeztah/bump_golang_1.21
update golang to go1.21.1
2023-09-28 20:25:15 +02:00
Bjorn Neergaard cfe00daaaa
Merge pull request #4580 from thaJeztah/bump_distref
vendor: github.com/distribution/reference v0.5.0
2023-09-27 18:25:54 -06:00
Sebastiaan van Stijn d254cc3bbe
update golang to go1.21.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:54:16 +02:00
Sebastiaan van Stijn 4c75107a62
vendor: github.com/distribution/reference v0.5.0
full diff: https://github.com/distribution/reference/compare/e42074f83a9c...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:18:52 +02:00
Sebastiaan van Stijn 9358631f81
Merge pull request #4457 from thaJeztah/no_buildkit
remove buildkit as dependency from the CLI (integrate github.com/moby/buildkit/util/appcontext)
2023-09-28 00:18:28 +02:00
Sebastiaan van Stijn 112d79a413
appcontext: remove unused parts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:05:00 +02:00
Sebastiaan van Stijn febb37a38e
remove buildkit as dependency
This copies the github.com/moby/buildkit/util/appcontext
package as an internal package. The appcontext package from
BuildKit was the only remaining dependency on BuildKit, and
while we may need some of its functionality, the implementation
is not correct for how it's used in docker/cli (so would need
a rewrite).

Moving a copy of the code into the docker/cli (but as internal
package to prevent others from depending on it) is a first step
in that process, and removes the circular dependency between
BuildKit and the CLi.

We are only using these:

    tree vendor/github.com/moby/buildkit
    vendor/github.com/moby/buildkit
    ├── AUTHORS
    ├── LICENSE
    └── util
        └── appcontext
            ├── appcontext.go
            ├── appcontext_unix.go
            ├── appcontext_windows.go
            └── register.go

    3 directories, 6 files

Before this:

    go mod graph | grep ' github.com/docker/cli'
    github.com/moby/buildkit@v0.11.6 github.com/docker/cli@v23.0.0-rc.1+incompatible

After this:

    go mod graph | grep ' github.com/docker/cli'
    # (nothing)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:04:51 +02:00
Sebastiaan van Stijn 35442a61ac
Merge pull request #4577 from thaJeztah/gotestsum_nocgo
Dockerfile: build gotestsum and goversioninfo without cgo
2023-09-26 13:51:56 +02:00
Sebastiaan van Stijn 6e97f42480
Merge pull request #4576 from thaJeztah/update_compose_v2
e2e: update to use compose v2, and don't depend on distro-packages
2023-09-26 13:51:36 +02:00
Sebastiaan van Stijn a36f0f9194
Merge pull request #4578 from thaJeztah/gotoolchain_local
Dockerfile: use GOTOOLCHAIN=local
2023-09-26 13:51:07 +02:00
Sebastiaan van Stijn e9759cee69
Dockerfile: use GOTOOLCHAIN=local
This may find its way into the official images, but until it does, let's
make sure we don't get unexpected updates of go.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 12:43:38 +02:00
Sebastiaan van Stijn f07e7e1eed
Dockerfile: build gotestsum and goversioninfo without cgo
It's not needed to build these binaries. The Dockerfile.dev image already
has CGO_ENABLED=0 as default in the golang image, so does not need updates.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 12:37:07 +02:00
Sebastiaan van Stijn 9e424af5da
e2e: update to use compose v2, and don't depend on distro-packages
We were depending on alpine's package repository to install compose,
but for debian we used compose's GitHub releases. Depending on distro
packages means that we don't know when updates will happen, and versions
may diverge because of that; for example, alpine 3.18 updated to compose
v2;

On alpine 3.17:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    docker-compose version 1.29.2, build unknown

On alpine 3.18:

    make -f docker.Makefile build-e2e-image
    docker run --rm docker-cli-e2e docker-compose --version
    Docker Compose version v2.17.3

This caused our e2e script to fail, as it made assumptions about the name
format created by compose, which changed from underscores to hyphens in v2;

    Container cliendtoendsuite-engine-1  Running
    Error: No such object: cliendtoendsuite_engine_1

This patch:

- updates the Dockerfile to install compose from the compose-bin image
- adjusts the e2e script for the new naming scheme format
- removes the version field from the compose-files used in e2e, as they
  are no longer used by compose.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-26 12:20:01 +02:00
Sebastiaan van Stijn 8d1ddffb83
Merge pull request #4572 from thaJeztah/update_engine
vendor: github.com/docker/docker d3afa80b96bf (v25.0.0-dev)
2023-09-21 19:19:14 +02:00
Sebastiaan van Stijn 3e2187b4cb
vendor: github.com/docker/docker d3afa80b96bf (v25.0.0-dev)
full diff: 06499c52e2...d3afa80b96

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-21 15:30:51 +02:00
Sebastiaan van Stijn f90890fb48
vendor: github.com/Microsoft/hcsshim v0.11.1
full diff: https://github.com/microsoft/hcsshim/compare/v0.9.10...v0.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-21 15:29:50 +02:00
Sebastiaan van Stijn 23f50a0665
vendor: github.com/containerd/containerd v1.6.24
unfortunately, brings back hcsshim as dependency

full diff: https://github.com/containerd/containerd/compare/v1.6.22...v1.6.24

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:42:32 +02:00
Sebastiaan van Stijn 497b13c661
vendor: github.com/klauspost/compress v1.16.5
full diff: https://github.com/klauspost/compress/compare/v1.16.3...v1.16.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:38:35 +02:00
Sebastiaan van Stijn e0ad0127b1
vendor: google.golang.org/grpc v1.56.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:37:37 +02:00
Sebastiaan van Stijn c2308ad6fb
vendor: google.golang.org/protobuf v1.31.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:36:23 +02:00
Sebastiaan van Stijn 56396ba357
vendor: golang.org/x/tools v0.8.0
full diff:

- https://github.com/golang/mod/compare/v0.9.0...v0.10.0
- https://github.com/golang/tools/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:36:16 +02:00
Sebastiaan van Stijn c9d56b8504
vendor: golang.org/x/crypto v0.9.0
full diff: https://github.com/golang/crypto/compare/v0.3.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:36:07 +02:00
Sebastiaan van Stijn ffea6940e7
vendor: golang.org/x/sys v0.10.0
full diff: https://github.com/golang/sys/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:29:33 +02:00
Sebastiaan van Stijn 1554b49329
vendor: golang.org/x/sync v0.3.0
full diff: https://github.com/golang/sync/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:28:31 +02:00
Sebastiaan van Stijn 78012b00a5
vendor: container-device-interface v0.6.1
no changes to vendored files

full diff: https://github.com/container-orchestrated-devices/container-device-interface/compare/v0.6.0...v0.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:24:08 +02:00
Bjorn Neergaard 0e70f1b7b8
Merge pull request #4564 from thaJeztah/docker_tag_dupwords
docs: fix duplicate words in "docker tag" reference
2023-09-15 08:17:27 -06:00
Sebastiaan van Stijn 3a16c3bb09
docs: fix duplicate words in "docker tag" reference
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-14 13:44:39 +02:00
Sebastiaan van Stijn cd6467b2d1
Merge pull request #4419 from akerouanton/missing-nw-advanced-options
Add missing opts to --network advanced syntax
2023-09-13 23:46:17 +02:00
Bjorn Neergaard 86329b6063
Merge pull request #4539 from thaJeztah/bump_golangci_lint
update golangci-lint to v1.54.2
2023-09-13 10:05:25 -06:00
Bjorn Neergaard 852670c94a
Merge pull request #4557 from thaJeztah/update_golang_1.20.8
update to go1.20.8
2023-09-13 09:15:18 -06:00
Sebastiaan van Stijn a15d4c47a7
Merge pull request #4555 from briantracy/patch-2
Fix extremely minor typo in docker-run man page
2023-09-12 12:59:06 +02:00
Sebastiaan van Stijn ba85223927
Merge pull request #4560 from docker/dependabot/github_actions/docker/bake-action-4
build(deps): bump docker/bake-action from 3 to 4
2023-09-12 11:53:13 +02:00
dependabot[bot] 7e94675067
build(deps): bump docker/bake-action from 3 to 4
Bumps [docker/bake-action](https://github.com/docker/bake-action) from 3 to 4.
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](https://github.com/docker/bake-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-12 09:29:01 +00:00
Sebastiaan van Stijn 4f1f0025a1
Merge pull request #4559 from docker/dependabot/github_actions/docker/setup-buildx-action-3
build(deps): bump docker/setup-buildx-action from 2 to 3
2023-09-12 11:28:20 +02:00