Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit fe7afb700f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Changes the `Read` and `Write` error handling
logic to return the original error while closing
the connection. We still skip calling `handleEOF`
if already closing the connection.
Fixes the flaky `TestCloseWhileWriting` and
`TestCloseWhileReading` tests.
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
(cherry picked from commit d5f564adaa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
commandconn: fix race on `Close()`
During normal operation, if a `Read()` or `Write()` call results
in an EOF, we call `onEOF()` to handle the terminating command,
and store it's exit value.
However, if a Read/Write call was blocked while `Close()` is called
the in/out pipes are immediately closed which causes an EOF to be
returned. Here, we shouldn't call `onEOF()`, since the reason why
we got an EOF is because we're already terminating the connection.
This also prevents a race between two calls to the commands `Wait()`,
in the `Close()` call and `onEOF()`
---
Add CLI init timeout to SSH connections
---
connhelper: add 30s ssh default dialer timeout
(same as non-ssh dialer)
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
(cherry picked from commit a5ebe2282a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The daemon collects this information regardless if "debug" is
enabled. Print the debugging information if either the daemon,
or the client has debug enabled.
We should probably improve this logic and print any of these if
set (but some special rules are needed for file-descriptors, which
may use "-1".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92d7a234dd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
File location changes in docker/docs#17176
Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 035e26fb0b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
(cherry picked from commit 5936fd2a86)
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
(cherry picked from commit b85d6a8f9e)
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
I'm considering deprecating the "Key()" utility, as it was only
used in tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 79ff64f06d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
(cherry picked from commit 6c7d17fa01)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3b8d5da66b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Official Golang images are now only available for 3.18 and 3.17;
3.18 doesn't look to play well with gotestsum, so sticking to
an older version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit acb248f8d5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is a copy of the section we have on the "docker attach" reference page.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 47951ff446)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also adds a named anchor, so that the section gets linked from the
options table.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c17b0df2a5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use the default proxy, to assist with vanity domains mis-behaving, but keep
a fallback for situations where we need to get modules from GitHub directly.
This should hopefully help with the gopkg.in/yaml.v2 domain often going AWOL;
#14 245.9 gopkg.in/yaml.v2@v2.4.0: unrecognized import path "gopkg.in/yaml.v2": reading https://gopkg.in/yaml.v2?go-get=1: 502 Bad Gateway
#14 245.9 server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe
curl 'https://gopkg.in/yaml.v2?go-get=1'
Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe
From the Go documentation; https://go.dev/ref/mod#goproxy-protocol
> List elements may be separated by commas (,) or pipes (|), which determine error
> fallback behavior. When a URL is followed by a comma, the go command falls back
> to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL
> is followed by a pipe, the go command falls back to later sources after any error,
> including non-HTTP errors such as timeouts. This error handling behavior lets a
> proxy act as a gatekeeper for unknown modules. For example, a proxy could respond
> with error 403 (Forbidden) for modules not on an approved list (see Private proxy
> serving private modules).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6458dcbe51)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit c846428cb6 added proxies to the
example `daemon.json`, based on the implementation that was added in
427c7cc5f8.
However, a follow-up pull request changed the proxy-configuration in`daemon.json`
to nest the configuration in a "proxies" struct, and the documentation was
not updated accordingly; see:
101dafd049
This patch fixes the example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2713d0bcde)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>