Commit Graph

125 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 3dd7621240
Dockerfile: update compose to v2.30.3
Update the compose cli plugin used in the dev-container

full diff: https://github.com/docker/compose/compare/v2.29.7...v2.30.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-11-14 10:35:52 +01:00
Sebastiaan van Stijn 4242cda826
Dockerfile: update buildx to v0.18.0
Update the buildx cli plugin used in the dev-container

full diff: https://github.com/docker/buildx/compare/0.17.1..0.18.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-11-14 10:35:25 +01:00
Paweł Gronowski 382d4c34a9
update to go1.23.3
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.2...go1.23.3

go1.23.3 (released 2024-11-06) includes fixes to the linker, the
runtime, and the net/http, os, and syscall packages. See the
[Go 1.23.3 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved)
for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-11-07 13:24:16 +01:00
Sebastiaan van Stijn 42cda38840
update to go1.23.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-31 13:04:02 +01:00
Austin Vazquez a6ab65948e
ci: update to go1.22.8
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-10-04 20:20:16 +00:00
Sebastiaan van Stijn ce26ebc0e9
Dockerfile: update compose to v2.29.7
Update the compose cli plugin used in the dev-container

full diff: https://github.com/docker/compose/compare/v2.29.4...v2.29.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-20 12:22:39 +02:00
Sebastiaan van Stijn f7a513cff0
Dockerfile: update compose to v2.29.4
Update the compose cli plugin used in the dev-container

full diff: https://github.com/docker/compose/compare/v2.29.0...v2.29.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-16 15:03:15 +02:00
Sebastiaan van Stijn 42ce06aa5b
Dockerfile: update buildx to v0.17.1
Update the buildx cli plugin used in the dev-container

full diff: https://github.com/docker/buildx/compare/0.16.1...0.17.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-16 15:01:56 +02:00
Paweł Gronowski 3bf39d25a0
update to go1.22.7
- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-09-05 17:51:27 +02:00
Sebastiaan van Stijn d7d56599ca
update to go1.22.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-03 12:29:03 +02:00
Sebastiaan van Stijn 1e6cbbc3f1
Dockerfile: update xx to v1.5.0
full diff: https://github.com/tonistiigi/xx/compare/v1.4.0...v1.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-02 16:48:29 +02:00
Paweł Gronowski 434d8b75e8
update to go1.21.13
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.12...go1.21.13

go1.21.13 (released 2024-08-06) includes fixes to the go command, the
covdata command, and the bytes package. See the [Go 1.21.13 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved)
on our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-07 11:49:40 +02:00
Sebastiaan van Stijn 77c0d83602
Dockerfile: update compose to v2.29.0
This is the version used in the dev-container, and for testing.

release notes: https://github.com/docker/compose/releases/tag/v2.29.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:44:06 +02:00
Sebastiaan van Stijn d00e1abf55
Dockerfile: update buildx to v0.16.1
This is the version used in the dev-container, and for testing.

release notes:
https://github.com/docker/buildx/releases/tag/v0.16.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:42:47 +02:00
Paweł Gronowski d73d7d4ed3
update to go1.21.12
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12

These minor releases include 1 security fixes following the security policy:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.12

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.12
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-03 10:59:37 +02:00
Sebastiaan van Stijn 1f7561ecbb
Dockerfile: update compose to v2.28.0
release notes: https://github.com/docker/compose/releases/tag/v2.28.0

full diff: https://github.com/docker/compose/compare/v2.27.1...v2.28.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-21 14:52:22 +02:00
Sebastiaan van Stijn b0793613a6
Dockerfile: update buildx to v0.15.1
This is the version used in the dev-container, and for testing.

release notes:
https://github.com/docker/buildx/releases/tag/v0.15.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-18 21:33:02 +02:00
Sebastiaan van Stijn 630e1d3e95
update to go1.21.11
go1.21.11 (released 2024-06-04) includes security fixes to the archive/zip
and net/netip packages, as well as bug fixes to the compiler, the go command,
the runtime, and the os package. See the Go 1.21.11 milestone on our issue
tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.10...go1.21.11

From the security announcement;

We have just released Go versions 1.22.4 and 1.21.11, minor point releases.
These minor releases include 2 security fixes following the security policy:

- archive/zip: mishandling of corrupt central directory record

  The archive/zip package's handling of certain types of invalid zip files
  differed from the behavior of most zip implementations. This misalignment
  could be exploited to create an zip file with contents that vary depending
  on the implementation reading the file. The archive/zip package now rejects
  files containing these errors.

  Thanks to Yufan You for reporting this issue.

  This is CVE-2024-24789 and Go issue https://go.dev/issue/66869.

- net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

  The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected
  for IPv4-mapped IPv6 addresses, returning false for addresses which would
  return true in their traditional IPv4 forms.

  Thanks to Enze Wang of Alioth and Jianjun Chen of Zhongguancun Lab
  for reporting this issue.

  This is CVE-2024-24790 and Go issue https://go.dev/issue/67680.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-04 23:39:27 +02:00
Sebastiaan van Stijn 358d499681
Merge pull request #5090 from thaJeztah/update_alpine
Dockerfile: update ALPINE_VERSION to 3.20
2024-05-27 17:52:03 +02:00
Sebastiaan van Stijn e70f68595d
Dockerfile: update ALPINE_VERSION to 3.20
Update to the current version of Alpine, which is also the default for
the golang:alpine image

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-05-26 11:37:01 +02:00
Sebastiaan van Stijn 0b7aff333b
Dockerfile: update compose to v2.27.1
release notes: https://github.com/docker/compose/releases/tag/v2.27.1

full diff: https://github.com/docker/compose/compare/v2.24.3...v2.27.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-05-26 11:26:36 +02:00
Sebastiaan van Stijn f0e7e07b8b
Dockerfile: update buildx to v0.14.1
- 0.14.1 release notes: https://github.com/docker/buildx/releases/tag/v0.14.1
- 0.14.0 release notes: https://github.com/docker/buildx/releases/tag/v0.14.0
- 0.13.1 release notes: https://github.com/docker/buildx/releases/tag/v0.13.1
- 0.13.0 release notes: https://github.com/docker/buildx/releases/tag/v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-05-26 11:16:57 +02:00
Bjorn Neergaard 997cfa699b
Merge pull request #4996 from vvoland/cli-bin-darwin
bake/bin-image-cross: Add darwin
2024-05-21 06:25:30 -06:00
Paweł Gronowski eb99994c75
update to go1.21.10
These minor releases include 2 security fixes following the security policy:

- cmd/go: arbitrary code execution during build on darwin
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to
usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.

- net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to
our attention.
This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.3

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.10
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-05-08 09:50:01 +02:00
Paweł Gronowski 718203d50b
cli-bin/windows: Add .exe extension
Before this commit, the CLI binary in `dockereng/cli-bin` image was
named `docker` regardless of platform.

Change the binary name to `docker.exe` in Windows images.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-10 18:48:37 +02:00
Paweł Gronowski 0c2697d779
Dockerfile: Remove xx-sdk-extras
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-10 17:28:49 +02:00
Paweł Gronowski 0a5bd6c75b
update to go1.21.9
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone on our issue tracker for
details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.9
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-05 12:43:24 +02:00
CrazyMax adb018084c
Dockerfile: update to xx 1.4.0
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2024-03-11 14:24:26 +01:00
Paweł Gronowski 3b77477943
update to go1.21.8
go1.21.8 (released 2024-03-05) includes 5 security fixes:

- crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783, https://go.dev/issue/65390)
- net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290, https://go.dev/issue/65383)
- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289, https://go.dev/issue/65065)
- html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785, https://go.dev/issue/65697)
- net/mail: comments in display names are incorrectly handled (CVE-2024-24784, https://go.dev/issue/65083)

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.8

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.6...go1.21.8

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-05 22:08:26 +01:00
Sebastiaan van Stijn 20b9d489e0
update to go1.21.7
go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on our
issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.6...go1.21.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-02-19 14:13:51 +01:00
Sebastiaan van Stijn 53e2e54c29
Dockerfile: update docker compose to v2.24.3
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.24.2...v2.24.3
- release notes: https://github.com/docker/compose/releases/tag/v2.24.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-26 11:06:44 +01:00
Sebastiaan van Stijn 091af560ca
Dockerfile: update docker compose to v2.24.2
Update the version of compose used in CI to the latest version.

- full diff: docker/compose@v2.24.0...v2.24.2
- release notes: https://github.com/docker/compose/releases/tag/v2.24.1
- release notes: https://github.com/docker/compose/releases/tag/v2.24.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-23 10:32:22 +01:00
Paweł Gronowski dfa2930afc ci: Add bin-image workflow
Build and push an image containing a static CLI binary for master branch
and every release branch and tag.

This is a slightly adjusted copy of the bin-image workflow from
docker/buildx (by @crazy-max).

Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-01-15 12:05:10 +01:00
Sebastiaan van Stijn 1609916f2c
Revert "Dockerfile/binary: Output the binary directly"
Looks like this change caused docker-ce-packaging to fail;

    dest=$PWD/build/mac; cd /home/ubuntu/workspace/release-packaging_ce-nightly/packaging/src/github.com/docker/cli/build && for platform in *; do \
        arch=$(echo $platform | cut -d_ -f2); \
        mkdir -p $dest/$arch/docker; \
        cp $platform/docker-darwin-* $dest/$arch/docker/docker && \
        tar -C $dest/$arch -c -z -f $dest/$arch/docker-25.0.0-rc.2.tgz docker; \
    done
    cp: cannot stat 'darwin_amd64/docker-darwin-*': No such file or directory
    cp: cannot stat 'darwin_arm64/docker-darwin-*': No such file or directory

This reverts commit 6ad07f2a4b.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 22:39:30 +01:00
Sebastiaan van Stijn 52b740ac27
Merge pull request #4781 from thaJeztah/bump_buildx_compose
Dockerfile: update buildx to v0.12.1
2024-01-12 18:32:47 +01:00
Sebastiaan van Stijn d469be256e
Merge pull request #4752 from vvoland/ci-bin-image
ci: Add bin-image workflow
2024-01-12 15:50:30 +01:00
Sebastiaan van Stijn ccc7ad2f2c
Dockerfile: update buildx to v0.12.1
Update the version of buildx used in CI to the latest version.

- full diff: https://github.com/docker/buildx/compare/v0.12.0...v0.12.1
- release notes: https://github.com/docker/buildx/releases/tag/v0.12.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 15:29:58 +01:00
Sebastiaan van Stijn fdcb78a0fe
Dockerfile: update docker compose to v2.24.0
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.22.0...v2.24.0
- release notes: https://github.com/docker/compose/releases/tag/v2.24.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 14:39:08 +01:00
Paweł Gronowski 6ad07f2a4b
Dockerfile/binary: Output the binary directly
`scripts/make/binary` produces `docker` file that is a symlink to a
`docker-<platform>` file.
Make the `binary` Dockerfile target produce an image that only contains
the `docker` binary and not the symlink.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-01-12 12:28:15 +01:00
Sebastiaan van Stijn 4f49508861
update to go1.21.6
go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages. See the Go 1.21.6 milestone on
our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.6+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.5...go1.21.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-10 09:41:03 +01:00
Sebastiaan van Stijn bdb45a9c2d
update to go1.21.5
go1.21.5 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler, the go command, the runtime, and the crypto/rand, net, os, and
syscall packages. See the Go 1.21.5 milestone on our issue tracker for
details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.5...go1.21.5

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:53:29 +01:00
Sebastiaan van Stijn afc62d8d1c
update to go1.21.4
Reverts "update to go1.21.4" due to regressions / breaking changes."

This reverts commit 4cf1c50ad1.
This re-applies commit 6472dabe4c.

----

update to go1.21.4

go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:52:56 +01:00
Sebastiaan van Stijn 6d820e817b
Merge pull request #4354 from thaJeztah/update_alpine_3.18
Dockerfile: update ALPINE_VERSION to 3.18
2023-11-23 23:51:30 +01:00
Sebastiaan van Stijn 6a74a63ee2
Dockerfile: update ALPINE_VERSION to 3.18
This also moves `musl-dev` to the alpine-base stage, due to changes in
Alpine 3.18 causing gotestsum build to fail because stdlib.h was missing;

    #17 5.065 # runtime/cgo
    #17 5.065 In file included from _cgo_export.c:3:
    #17 5.065 /usr/include/fortify/stdlib.h:23:15: fatal error: stdlib.h: No such file or directory
    #17 5.065    23 | #include_next <stdlib.h>
    #17 5.065       |               ^~~~~~~~~~

alpine 3.17:

    / # find / | grep stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

alpine 3.18

    / # find / | grep stdlib.h
    /usr/lib/llvm16/lib/clang/16/include/__clang_hip_stdlib.h
    /usr/include/fortify/stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-23 23:37:48 +01:00
Sebastiaan van Stijn 35c6e915d1
Dockerfile: update buildx to v0.12.0
Release notes: https://github.com/docker/buildx/releases/tag/v0.12.0

Full diff: https://github.com/docker/buildx/compare/v0.11.1...v0.12.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-23 23:32:14 +01:00
CrazyMax 0d95231ccb
Dockerfile: use "debian" in stages instead of distro name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-11-23 23:11:42 +01:00
CrazyMax c5194a9e5d
Dockerfile: update to debian bookworm
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-11-23 23:11:35 +01:00
Sebastiaan van Stijn 4cf1c50ad1
Revert "update to go1.21.4" due to regressions / breaking changes.
Unfortunately, the go1.21.4 security update exposed some regressions / breaking
changes in moby (docker engine) and containerd. These issues are looked into,
but in the meantime we should revert this patch.

This temporarily reintroduces CVE-2023-45284 and CVE-2023-45283.

This reverts commit 6472dabe4c.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-09 10:54:54 +01:00
Sebastiaan van Stijn 6472dabe4c
update to go1.21.4
go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker, the runtime, the compiler, and
the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone
on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-08 18:39:54 +01:00
Sebastiaan van Stijn ceab9b5e8e
update to go1.21.3
go1.21.3 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.21.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:02:33 +02:00