Commit Graph

7607 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 93eead45ee
Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1061f74496)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:14:52 +02:00
Sebastiaan van Stijn bd04f199f7
Merge pull request #3752 from thaJeztah/20.10_backport_completion
[20.10 backport] Add completion for docker-compose plugin
2022-08-27 21:37:23 +02:00
Sebastiaan van Stijn 2484f7e046
Merge pull request #3754 from thaJeztah/20.10_update_engine
[20.10] vendor: github.com/docker/docker v20.10.17
2022-08-26 16:29:01 +02:00
Sebastiaan van Stijn 45075ea08c
[20.10] vendor: github.com/docker/docker v20.10.17
full diff: https://github.com/docker/docker/compare/v20.10.14...v20.10.17

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 15:08:55 +02:00
Vardan Pogosian c2dcaecf19
make compose plugin detection in bash completion work on Mac OS
Signed-off-by: Vardan Pogosian <vardan.pogosyan@gmail.com>
(cherry picked from commit 77b1031be9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 14:07:25 +02:00
Ulysses Souza 613b9362d0
Detect compose plugin
Signed-off-by: Ulysses Souza <ulyssessouza@gmail.com>
(cherry picked from commit 5a8d7d506c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 14:07:23 +02:00
Ulysses Souza b30d250320
Add completion for docker-compose plugin
Signed-off-by: Ulysses Souza <ulyssessouza@gmail.com>
(cherry picked from commit 1148163c3e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 14:07:20 +02:00
Sebastiaan van Stijn fe0cdaf027
Merge pull request #3753 from thaJeztah/20.10_backport_fix_TestRemoveForce
[20.10 backport] fix race condition in TestRemoveForce
2022-08-26 14:06:43 +02:00
Sebastiaan van Stijn 6b25bc3003
fix race condition in TestRemoveForce
This test uses two subtests that were sharing the same variable.
Subtests run in a goroutine, which could lead to them concurrently
accessing the variable, resulting in a panic:

    === FAIL: cli/command/container TestRemoveForce/without_force (0.00s)
    Error: Error: No such container: nosuchcontainer
        --- FAIL: TestRemoveForce/without_force (0.00s)
    panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    	panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x40393f]
    goroutine 190 [running]:
    testing.tRunner.func1.2({0xb76380, 0x124c9a0})
    	/usr/local/go/src/testing/testing.go:1389 +0x24e
    testing.tRunner.func1()
    	/usr/local/go/src/testing/testing.go:1392 +0x39f
    panic({0xb76380, 0x124c9a0})
    	/usr/local/go/src/runtime/panic.go:838 +0x207
    sort.StringSlice.Less(...)
    	/usr/local/go/src/sort/sort.go:319
    sort.insertionSort({0xd87380, 0xc00051b3b0}, 0x0, 0x2)
    	/usr/local/go/src/sort/sort.go:40 +0xb1
    sort.quickSort({0xd87380, 0xc00051b3b0}, 0x18?, 0xb4f060?, 0xc000540e01?)
    	/usr/local/go/src/sort/sort.go:222 +0x171
    sort.Sort({0xd87380, 0xc00051b3b0})
    	/usr/local/go/src/sort/sort.go:231 +0x53
    sort.Strings(...)
    	/usr/local/go/src/sort/sort.go:335
    github.com/docker/cli/cli/command/container.TestRemoveForce.func2(0xc0005389c0?)
    	/go/src/github.com/docker/cli/cli/command/container/rm_test.go:36 +0x125
    testing.tRunner(0xc00053e4e0, 0xc00051b140)
    	/usr/local/go/src/testing/testing.go:1439 +0x102
    created by testing.(*T).Run
    	/usr/local/go/src/testing/testing.go:1486 +0x35f
    === FAIL: cli/command/container TestRemoveForce (0.00s)

This patch changes the test to use to separate variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9688f62d20)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 13:47:31 +02:00
Sebastiaan van Stijn 0785bd743d
Merge pull request #3746 from thaJeztah/20.10_backport_bump_go_1.18
[20.10 backport] Update golang to 1.18.5
2022-08-19 17:19:47 +02:00
Sebastiaan van Stijn bdac0b38d9
Update golang to 1.18.5
Update Go runtime to 1.18.5 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6191b662b3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:31 +02:00
Sebastiaan van Stijn c70b01ec1f
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 046e7e61f5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:29 +02:00
Sebastiaan van Stijn 0389090aeb
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aa720f154a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:28 +02:00
Sebastiaan van Stijn c904936d69
update golang to 1.18.2
go1.18.2 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509,
go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2
milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.2+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.18.1...go1.18.2

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f5d16893dd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:26 +02:00
Sebastiaan van Stijn 386d50c2e9
update golang to 1.18.1
go1.18.1 (released 2022-04-12) includes security fixes to the crypto/elliptic,
crypto/x509, and encoding/pem packages, as well as bug fixes to the compiler,
linker, runtime, the go command, vet, and the bytes, crypto/x509, and go/types
packages. See the Go 1.18.1 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.1+label%3ACherryPickApproved

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-27536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c3fe1b962f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:24 +02:00
Sebastiaan van Stijn 990186f2f6
update go to 1.18.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 635c55d52f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:23 +02:00
Sebastiaan van Stijn 86bf1966e2
staticcheck: ignore SA1019: strings.Title is deprecated
This function is deprecated because it has known limitations when using
with multi-byte strings. This limitations are quite "corner case", and
our use (mostly) is for ASCII strings. The suggestion replacement brings
20k+ lines of code, which is a bit too much to fix those corner cases.

    templates/templates.go:23:14: SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck)
        "title":    strings.Title,
                    ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bf29b40a8c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:21 +02:00
Sebastiaan van Stijn b3022b91d1
[20.10] Dockerfile.lint: use go install
"go get@version" is no longer supported on newer versions of go.
Also renaming the build-arg to match what's used in master.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:19 +02:00
Sebastiaan van Stijn f14ba9f5d7
[20.10] Dockerfile: use syntax=docker/dockerfile:1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:58:17 +02:00
Sebastiaan van Stijn ae45936575
Merge pull request #3747 from thaJeztah/20.10_update_json_iterator
[20.10] update dependencies for go1.18 compatibility
2022-08-19 16:57:45 +02:00
Sebastiaan van Stijn c189c4dbea
[20.10] vendor: github.com/json-iterator/go v1.1.12 for Go 1.18 compatibility
full diff: 0ff49de124...024077e996

Fixes a nil-pointer exception on go 1.18;

```
=== FAIL: cli/context/kubernetes TestSaveLoadContexts (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x40fcbc]

goroutine 19 [running]:
testing.tRunner.func1.2({0xa7e080, 0x1073930})
	/usr/local/go/src/testing/testing.go:1389 +0x24e
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1392 +0x39f
panic({0xa7e080, 0x1073930})
	/usr/local/go/src/runtime/panic.go:838 +0x207
reflect.mapiternext(0x40?)
	/usr/local/go/src/runtime/map.go:1378 +0x19
github.com/docker/cli/vendor/github.com/modern-go/reflect2.(*UnsafeMapIterator).UnsafeNext(0x8?)
	/go/src/github.com/docker/cli/vendor/github.com/modern-go/reflect2/unsafe_map.go:136 +0x32
github.com/docker/cli/vendor/github.com/json-iterator/go.(*sortKeysMapEncoder).Encode(0xc000478930, 0xc0000ca3a8, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_map.go:293 +0x335
github.com/docker/cli/vendor/github.com/json-iterator/go.(*placeholderEncoder).Encode(0xc00046c898?, 0x95d787?, 0xc0000bae58?)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect.go:327 +0x22
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structFieldEncoder).Encode(0xc000482630, 0xa2790c?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:110 +0x56
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structEncoder).Encode(0xc000482780, 0xb3a599?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:158 +0x652
github.com/docker/cli/vendor/github.com/json-iterator/go.(*placeholderEncoder).Encode(0xc00046ca10?, 0x95d787?, 0xc0000bae58?)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect.go:327 +0x22
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structFieldEncoder).Encode(0xc0004829f0, 0xa0fd11?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:110 +0x56
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structEncoder).Encode(0xc000482a50, 0x40aa15?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:158 +0x652
github.com/docker/cli/vendor/github.com/json-iterator/go.(*sliceEncoder).Encode(0xc00047e198, 0xc0003a83c8, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_slice.go:38 +0x2bb
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structFieldEncoder).Encode(0xc0004837a0, 0xa12e12?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:110 +0x56
github.com/docker/cli/vendor/github.com/json-iterator/go.(*structEncoder).Encode(0xc000483890, 0x0?, 0xc0000bae40)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_struct_encoder.go:158 +0x652
github.com/docker/cli/vendor/github.com/json-iterator/go.(*OptionalEncoder).Encode(0xc0003b6be0?, 0x0?, 0x0?)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect_optional.go:74 +0xa4
github.com/docker/cli/vendor/github.com/json-iterator/go.(*onePtrEncoder).Encode(0xc000471e30, 0xc0003a8370, 0xc000460720?)
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect.go:214 +0x82
github.com/docker/cli/vendor/github.com/json-iterator/go.(*Stream).WriteVal(0xc0000bae40, {0xabe4a0, 0xc0003a8370})
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/reflect.go:93 +0x158
github.com/docker/cli/vendor/github.com/json-iterator/go.(*frozenConfig).Marshal(0xc0003b6be0, {0xabe4a0, 0xc0003a8370})
	/go/src/github.com/docker/cli/vendor/github.com/json-iterator/go/config.go:299 +0xc9
github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json.(*Serializer).Encode(0xc00043aee0?, {0xc375c0?, 0xc0003a8370?}, {0xc339e0, 0xc000460210})
	/go/src/github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go:310 +0x6d
github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning.(*codec).Encode(0xc0000f8480, {0xc37570?, 0xc0000bacc0}, {0xc339e0, 0xc000460210})
	/go/src/github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go:231 +0x926
github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime.Encode({0x7f48b36ce5c0, 0xc0000f8480}, {0xc37570, 0xc0000bacc0})
	/go/src/github.com/docker/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec.go:46 +0x64
github.com/docker/cli/vendor/k8s.io/client-go/tools/clientcmd.Write(...)
	/go/src/github.com/docker/cli/vendor/k8s.io/client-go/tools/clientcmd/loader.go:469
github.com/docker/cli/cli/context/kubernetes.TestSaveLoadContexts(0xc0004561a0?)
	/go/src/github.com/docker/cli/cli/context/kubernetes/endpoint_test.go:75 +0xf0a
testing.tRunner(0xc0004561a0, 0xb89ea0)
	/usr/local/go/src/testing/testing.go:1439 +0x102
created by testing.(*T).Run
	/usr/local/go/src/testing/testing.go:1486 +0x35f
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:12:25 +02:00
Sebastiaan van Stijn 0c46ffc1f9
[20.10] vendor: github.com/modern-go/reflect2 v1.0.2 for Go 1.18 compatibility
full diff: 4b7aa43c67...2b33151c9b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:10:25 +02:00
Sebastiaan van Stijn 6be9ce798e
[20.10] vendor: github.com/google/gofuzz v1.0.0
no local changes, just matching the minimum version for github.com/json-iterator/go

full diff: 24818f796f...f140a6486e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-19 16:06:12 +02:00
Sebastiaan van Stijn c8b7ef1e29
Merge pull request #3743 from thaJeztah/20.10_backport_bump_golangci_lint
[20.10 backport] lint: update golangci-lint to v1.45.2
2022-08-19 12:48:25 +02:00
Sebastiaan van Stijn 779ed309a8
lint: update golangci-lint to v1.45.2
Also removed deprecated linters:

The linter 'interfacer' is deprecated (since v1.38.0) due to: The repository of the linter has been archived by the owner.
The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner.  Replaced by revive.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ffe6a3375)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:19:06 +02:00
Sebastiaan van Stijn 2f7e84be65
linting: fix incorrectly formatted errors (revive)
cli/compose/interpolation/interpolation.go:102:4: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                "invalid interpolation format for %s: %#v. You may need to escape any $ with another $.",
                ^

    cli/command/stack/loader/loader.go:30:30: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                return nil, errors.Errorf("Compose file contains unsupported options:\n\n%s\n",
                                          ^

    cli/command/formatter/formatter.go:76:30: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
            return tmpl, errors.Errorf("Template parsing error: %v\n", err)
                                       ^

    cli/command/formatter/formatter.go:97:24: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
            return errors.Errorf("Template parsing error: %v\n", err)
                                 ^

    cli/command/image/build.go:257:25: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                return errors.Errorf("error checking context: '%s'.", err)
                                     ^

    cli/command/volume/create.go:35:27: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                        return errors.Errorf("Conflicting options: either specify --name or provide positional arg, not both\n")
                                             ^

    cli/command/container/create.go:160:24: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
            return errors.Errorf("failed to remove the CID file '%s': %s \n", cid.path, err)
                                 ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4ab70bf61e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:16:48 +02:00
Sebastiaan van Stijn e628209d9b
linting: ignore some "G101: Potential hardcoded credentials" warnings
cli/config/credentials/native_store.go:10:2: G101: Potential hardcoded credentials (gosec)
        remoteCredentialsPrefix = "docker-credential-"
        ^
    cli/command/service/opts.go:917:2: G101: Potential hardcoded credentials (gosec)
        flagCredentialSpec          = "credential-spec"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d7c1fb9112)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:16:38 +02:00
Sebastiaan van Stijn 80a3add604
cli/command/container: unnecessary use of fmt.Sprintf (gosimple)
cli/command/container/formatter_stats.go:184:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:191:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("-- / --")
                   ^
    cli/command/container/formatter_stats.go:201:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:184:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:191:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("-- / --")
                   ^
    cli/command/container/formatter_stats.go:201:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5a65aadd8d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:16:29 +02:00
Sebastiaan van Stijn 715cfc4c2f
Merge pull request #3726 from thaJeztah/20.10_bump_golang_1.17.13
[20.10] Update golang to 1.17.13
2022-08-04 11:19:28 +02:00
Sebastiaan van Stijn 80fb0d575e
[20.10] Update golang to 1.17.13
Update Go runtime to 1.17.13 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.17.12...go1.17.13

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.17.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-03 20:20:24 +02:00
Sebastiaan van Stijn 9d28e08a2d
Merge pull request #3707 from thaJeztah/20.10_update_golang_1.17.12
[20.10] update golang to 1.17.12
2022-07-19 21:08:30 +02:00
Sebastiaan van Stijn d72bef2088
[20.10] update golang to 1.17.12
go1.17.12 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the runtime,
and the runtime/metrics package. See the Go 1.17.12 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.12+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.17.11...go1.17.12

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 10:54:57 +02:00
Sebastiaan van Stijn 100c70180f
Merge pull request #3664 from thaJeztah/20.10_backport_fix_link
[20.10 backport] Fix dead external link
2022-06-06 23:36:39 +02:00
Phong Tran 7502d7e560
Fix dead external link
Signed-off-by: Phong Tran <tran.pho@northeastern.edu>
(cherry picked from commit 2585b6a792)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-06 23:15:19 +02:00
Nicolas De loof 4d718932c1
Merge pull request #3648 from thaJeztah/20.10_backport_asterisk_in_zsh_completion 2022-06-02 11:45:35 +02:00
Nicolas De loof 826eaafa6d
Merge pull request #3647 from thaJeztah/20.10_update_golang_1.17.11 2022-06-02 11:45:28 +02:00
Marc Cornellà 308624c3b1
fix: remove asterisk from docker command suggestions
Some commands in the output of `docker` show up with an asterisk, like
app, build, buildx or scan. This tweak removes that so that the
asterisk is not filled in when choosing those commands.

Signed-off-by: Marc Cornellà <hello@mcornella.com>
(cherry picked from commit b1f18b700e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 10:07:57 +02:00
Sebastiaan van Stijn de7d866b6a
[20.10] update golang to 1.17.11
go1.17.11 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
crypto/tls package. See the Go 1.17.11 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.17.11+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:23:24 +02:00
Sebastiaan van Stijn aa7e414fdc
Merge pull request #3601 from thaJeztah/20.10_bump_golang_1.17.10
[20.10] update golang to 1.17.10, golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
2022-05-11 18:22:17 +02:00
Sebastiaan van Stijn 240e4b5501
[20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

full diff: 63515b42dc...33da011f77

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:37:09 +02:00
Sebastiaan van Stijn 5d4776bd90
[20.10] update golang to 1.17.10
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, and the crypto/x509 and net/http/httptest
packages. See the Go 1.17.10 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.10+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.17.9...go1.17.10

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:35:54 +02:00
Sebastiaan van Stijn 1841277463
Merge pull request #3592 from thaJeztah/20.10_backport_bump_x_sys
[20.10 backport] vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
2022-05-06 10:40:09 +02:00
Sebastiaan van Stijn 49e9c2ae3d vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.

full diff: d19ff857e8...63515b42dc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 61a1775adb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:08:27 +02:00
Sebastiaan van Stijn 87a3ce2699 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
full diff: 134d130e1a...d19ff857e8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8ebe404dfc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:07:40 +02:00
Tonis Tiigi 1d8abed17d
vendor: update x/sys to 134d130e
Makes possible to build for windows/arm64

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit e50cf79579)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:06:43 +02:00
Sebastiaan van Stijn fd82621d35
Merge pull request #3563 from thaJeztah/20.10_bump_golang_1.17.9
[20.10] update golang to 1.17.9
2022-04-21 16:44:35 +02:00
Sebastiaan van Stijn e5ca16bda7
Merge pull request #3551 from thaJeztah/20.10_backport_deprecation_add_missing_fluend_option
[20.10 backport] docs: deprecated: add entry for "fluent-async-connect" log-opt
2022-04-21 16:01:02 +02:00
Sebastiaan van Stijn 31dad66f9a
[20.10] update golang to 1.17.9
go1.17.9 (released 2022-04-12) includes security fixes to the crypto/elliptic
and encoding/pem packages, as well as bug fixes to the linker and runtime. See
the Go 1.17.9 milestone on the issue tracker for details:

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 18:20:51 +02:00
Sebastiaan van Stijn 113c5b526a
Merge pull request #3532 from thaJeztah/20.10_update_engine_20.10.14
[20.10] vendor: docker/docker 20.10.14, docker/distribution v2.8.1, image-spec v1.0.2
2022-04-19 17:50:26 +02:00
Sebastiaan van Stijn c73edb36ca
Merge pull request #3556 from thaJeztah/20.10_update_go_1.17
[20.10 backport] update go to 1.17
2022-04-19 17:33:14 +02:00