Commit Graph

117 Commits

Author SHA1 Message Date
Sebastiaan van Stijn a27466fb6f
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:56:02 +02:00
Sebastiaan van Stijn 392db31e2a
vendor: golang.org/x/term v0.13.0
- term: consistently return zeroes on GetSize error

full diff: https://github.com/golang/term/compare/v0.8.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:53:19 +02:00
Sebastiaan van Stijn ac307788a6
vendor: golang.org/x/text v0.13.0
full diff: https://github.com/golang/text/compare/v0.9.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:50:23 +02:00
Sebastiaan van Stijn 48655f794c
vendor: golang.org/x/sys v0.13.0
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-13 20:49:37 +02:00
Sebastiaan van Stijn 56396ba357
vendor: golang.org/x/tools v0.8.0
full diff:

- https://github.com/golang/mod/compare/v0.9.0...v0.10.0
- https://github.com/golang/tools/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:36:16 +02:00
Sebastiaan van Stijn ffea6940e7
vendor: golang.org/x/sys v0.10.0
full diff: https://github.com/golang/sys/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:29:33 +02:00
Sebastiaan van Stijn 1554b49329
vendor: golang.org/x/sync v0.3.0
full diff: https://github.com/golang/sync/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-19 16:28:31 +02:00
Sebastiaan van Stijn 92906a9936
vendor: github.com/Microsoft/go-winio v0.6.1
Unfortunately also brings in golang.org/x/tools and golang.org/x/mod as
a dependency, due to go-winio using a "tools.go" file.

full diff: https://github.com/Microsoft/go-winio/compare/v0.5.2...v0.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 13:10:06 +02:00
Sebastiaan van Stijn 78e4633929
vendor: github.com/docker/docker-credential-helpers v0.8.0
full diff: https://github.com/docker/docker-credential-helpers/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 16:06:44 +02:00
Sebastiaan van Stijn e15ae9e2ee
vendor: golang.org/x/net v0.10.0
full diff: https://github.com/golang/net/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:19:45 +02:00
Sebastiaan van Stijn 45fd37aaac
vendor: golang.org/x/sys v0.8.0
full diff: https://github.com/golang/sys/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:11:33 +02:00
Sebastiaan van Stijn 6e2163a712
vendor: golang.org/x/text v0.8.0
full diff: https://github.com/golang/text/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-17 23:11:05 +02:00
Kevin Alvarez 89583b92b7
improve plugins listing performance
We can slightly improve plugins listing by spawning a
goroutine for each iteration.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-04-01 16:02:34 +02:00
CrazyMax e14f5fc1a7
revert "improve plugins discovery performance"
This reverts commit 62f2358b99.

Spawning a goroutine for each iteration in the loop when listing
plugins is racy unfortunately. `plugins` slice is protected with
a mutex so not sure why it fails.

I tried using a channel to collect the plugins instead of a slice
to guarantee that they will be appended to the list in the order
they are processed but no dice.

I also tried without errgroup package and simply use sync.WaitGroup
but same. I have also created an extra channel to receive errors
from the goroutines but racy too.

I think the change in this function is not related to the race
condition but newPlugin is. So revert in the meantime :(

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-03-31 16:20:42 +02:00
Sebastiaan van Stijn 149d289638
vendor: golang.org/x/sys v0.6.0
full diff: https://github.com/golang/sys/compare/v0.5.0..v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 19:56:27 +02:00
CrazyMax 62f2358b99
improve plugins discovery performance
We are currently loading plugin commands stubs for every
command invocation to add support for Cobra v2 completion.
This cause a significant performance hit if there is a
lot of plugins in the user space (7 atm in Docker Desktop):

`docker --version` takes in current 23.0.1 ~93ms

Instead of removing completion for plugins to fix the
regression, we can slightly improve plugins discovery by
spawning a goroutine for each iteration in the loop when
listing plugins:

`docker --version` now takes ~38ms

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-03-28 06:16:55 +02:00
Sebastiaan van Stijn d213548bd0
vendor: golang.org/x/net v0.7.0
full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-15 01:42:00 +01:00
Sebastiaan van Stijn f40bbf4f7f
vendor: golang.org/x/time v0.3.0
full diff: https://github.com/golang/time/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-15 01:35:57 +01:00
Sebastiaan van Stijn 3e9c6e84ce
vendor: golang.org/x/sys v0.5.0
full diff: https://github.com/golang/sys/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-15 01:32:29 +01:00
Sebastiaan van Stijn 526e5e7c95
vendor: golang.org/x/net v0.5.0
full diff: https://github.com/golang/net/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-23 11:59:15 +01:00
Sebastiaan van Stijn caf8b152c6
vendor: golang.org/x/sys v0.4.0
full diff: https://github.com/golang/sys/compare/v0.3.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-23 11:45:55 +01:00
Sebastiaan van Stijn 929f23fcf9
vendor: golang.org/x/net v0.4.0
full diff: https://github.com/golang/net/compare/v0.1.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-22 23:00:49 +01:00
Sebastiaan van Stijn 2df9ff91e1
vendor: golang.org/x/term v0.3.0
full diff: https://github.com/golang/term/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-22 22:59:45 +01:00
Sebastiaan van Stijn 1b75c7c52a
vendor: golang.org/x/text v0.5.0
full diff: https://github.com/golang/text/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-22 22:53:24 +01:00
Sebastiaan van Stijn e3e0b7a6c8
vendor: golang.org/x/sys v0.3.0
full diff: https://github.com/golang/sys/compare/v0.2.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-22 22:51:19 +01:00
Sebastiaan van Stijn 722cde068f
vendor: golang.org/x/sys v0.2.0
full diff: https://github.com/golang/sys/compare/v0.1.0...v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-17 11:01:16 +01:00
Sebastiaan van Stijn 633ef7a093
vendor: golang.org/x/crypto v0.1.0 (fix OpenSSL > 9.3 compatibility)
- fixes compatibility with OpenSSH >= 8.9 (https://github.com/moby/buildkit/issues/3273)
- relates to https://github.com/golang/go/issues/51689#issuecomment-1197085791

full diff: https://github.com/golang/crypto/compare/3147a52a75dd...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 16:05:32 +01:00
Sebastiaan van Stijn 880b7fc671
vendor: golang.org/x/net v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/net/compare/f3363e06e74c...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 16:02:41 +01:00
Sebastiaan van Stijn 0f568cfa97
vendor: golang.org/x/text v0.4.0
full diff: https://github.com/golang/text/compare/v0.3.7...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 16:00:18 +01:00
Sebastiaan van Stijn 63ea1e4242
vendor: golang.org/x/term v0.1.0
full diff: https://github.com/golang/term/compare/03fcf44c2211...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 15:58:54 +01:00
Sebastiaan van Stijn 57b6ed34cc
vendor: golang.org/x/time v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/time/compare/1f47c861a9ac...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 15:53:35 +01:00
Sebastiaan van Stijn 7b3900145e
vendor: golang.org/x/sys v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: c680a09ffe...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 15:48:59 +01:00
Sebastiaan van Stijn 46ba87dcf1
vendor: github.com/google/go-cmp v0.5.9 to remove golang.org/x/xerrors
full diff: https://github.com/google/go-cmp/compare/v0.5.7...v0.5.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 23:24:04 +01:00
Sebastiaan van Stijn fc7e831a6a
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 23:14:47 +02:00
Sebastiaan van Stijn eaf6461ee6
vendor: golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64
full diff: 3c1f35247d...c680a09ffe

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 15:58:05 +02:00
Sebastiaan van Stijn 649aa6175b
vendor: golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
full diff: bc2c85ada1...3c1f35247d

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-20 17:04:20 +02:00
Sebastiaan van Stijn 65d45664b1
vendor: golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
full diff: 33da011f77...bc2c85ada1

notable changes;

- unix: use ByteSliceFromString in (*Ifreq).Name
- unix: update openbsd Statfs_t fields

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-21 17:32:13 +02:00
Sebastiaan van Stijn 05279c7c6a
vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

full diff: 1e041c57c4...33da011f77

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:33:05 +02:00
Sebastiaan van Stijn acf6aee911
vendor: golang.org/x/sys v0.0.0-20220405210540-1e041c57c461
full diff: da31bd327a...1e041c57c4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-30 12:01:42 +02:00
Sebastiaan van Stijn f3a05eb800
vendor dependencies with go1.17
Some warnings about go1.16 compatibility, so including them here:

     + go mod tidy -modfile=vendor.mod
     github.com/docker/cli/cli/registry/client imports
           github.com/docker/distribution/registry/api/v2 imports
           github.com/gorilla/mux loaded from github.com/gorilla/mux@v1.7.0,
        but go 1.16 would select v1.8.0
     github.com/docker/cli/cli/compose/loader imports
        gopkg.in/yaml.v2 tested by
        gopkg.in/yaml.v2.test imports
        gopkg.in/check.v1 loaded from gopkg.in/check.v1@v1.0.0-20200227125254-8fa46927fb4f,
        but go 1.16 would select v1.0.0-20201130134442-10cb98267c6c
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/Shopify/logrus-bugsnag loaded from github.com/Shopify/logrus-bugsnag@v0.0.0-20170309145241-6dbc35f2c30d,
        but go 1.16 would select v0.0.0-20171204204709-577dee27f20d
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server/storage imports
        gopkg.in/rethinkdb/rethinkdb-go.v6 imports
        github.com/opentracing/opentracing-go loaded from github.com/opentracing/opentracing-go@v1.1.0,
        but go 1.16 would select v1.2.0
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server/storage imports
        gopkg.in/rethinkdb/rethinkdb-go.v6 imports
        github.com/opentracing/opentracing-go/ext loaded from github.com/opentracing/opentracing-go@v1.1.0,
        but go 1.16 would select v1.2.0
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server/storage imports
        gopkg.in/rethinkdb/rethinkdb-go.v6 imports
        github.com/opentracing/opentracing-go/log loaded from github.com/opentracing/opentracing-go@v1.1.0,
        but go 1.16 would select v1.2.0
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/spf13/viper imports
        github.com/spf13/afero loaded from github.com/spf13/afero@v1.1.2,
        but go 1.16 would select v1.2.2
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/spf13/viper imports
        github.com/spf13/cast loaded from github.com/spf13/cast@v1.3.0,
        but go 1.16 would select v1.3.1
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/spf13/viper imports
        github.com/spf13/jwalterweatherman loaded from github.com/spf13/jwalterweatherman@v1.0.0,
        but go 1.16 would select v1.1.0
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/spf13/viper imports
        gopkg.in/ini.v1 loaded from gopkg.in/ini.v1@v1.51.0,
        but go 1.16 would select v1.56.0
     github.com/docker/cli/cli/command imports
        github.com/theupdateframework/notary/client tested by
        github.com/theupdateframework/notary/client.test imports
        github.com/theupdateframework/notary/server imports
        github.com/theupdateframework/notary/utils imports
        github.com/spf13/viper imports
        github.com/spf13/afero imports
        github.com/spf13/afero/mem loaded from github.com/spf13/afero@v1.1.2,
        but go 1.16 would select v1.2.2

     To upgrade to the versions selected by go 1.16:
        go mod tidy -go=1.16 && go mod tidy -go=1.17
     If reproducibility with go 1.16 is not needed:
        go mod tidy -compat=1.17
     For other options, see:
        https://golang.org/doc/modules/pruning

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-26 19:48:14 +01:00
Sebastiaan van Stijn bc2c8d7599
vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
full diff: 5770296d90...3147a52a75

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

    Hello gophers,

    Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
    client authentication support for signature algorithms based on SHA-2 for use with
    existing RSA keys.

    Previously, a client would fail to authenticate with RSA keys to servers that
    reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
    and—starting today March 15, 2022 for recently uploaded keys.

    We are providing this announcement as the error (“ssh: unable to authenticate”)
    might otherwise be difficult to troubleshoot.

    Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
    fixes a potential security issue where an attacker could cause a crash in a
    golang.org/x/crypto/ssh server under these conditions:

    - The server has been configured by passing a Signer to ServerConfig.AddHostKey.
    - The Signer passed to AddHostKey does not also implement AlgorithmSigner.
    - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

    Servers that only use Signer implementations provided by the ssh package are
    unaffected. This is CVE-2022-27191.

    Alla prossima,

    Filippo for the Go Security team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-17 14:03:33 +01:00
Sebastiaan van Stijn 02a06cf9aa
vendor: golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
intermediate bump for easier review

full diff: 3af7569d3a...1f47c861a9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-16 15:25:40 +01:00
Sebastiaan van Stijn bc54802f5e
vendor: golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
full diff: 7de9c90e9d...6886f2dfbf

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-16 15:24:03 +01:00
Sebastiaan van Stijn 1bb2591444
vendor: golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
intermediate bump for easier review

full diff: e18ecbb051...fe4d628211

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-16 15:21:39 +01:00
Sebastiaan van Stijn 576e4dce44
vendor: golang.org/x/text v0.3.7
full diff: https://github.com/golang/text/compare/v0.3.4...v0.3.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 18:17:13 +01:00
Sebastiaan van Stijn 7880acb052
vendor: golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
full diff: 69cdffdb93...da31bd327a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 18:17:12 +01:00
Sebastiaan van Stijn 58747a6316
vendor: github.com/google/go-cmp v0.5.5
it was downgraded to v0.2.0, but should be safe to upgrade

full diff: https://github.com/google/go-cmp/compare/v0.2.0...v0.5.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 16:34:33 +01:00
Sebastiaan van Stijn a26de1de0f
vendor: golang.org/x/text v0.3.4
remove the replace rule to update it to the actual version specified:

full diff: https://github.com/golang/text/compare/v0.3.3...v0.3.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 15:40:16 +01:00
Sebastiaan van Stijn 7917946a5c
vendor: golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1
remove the replace rule to use the actual version (no changes in vendored code)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 15:37:48 +01:00
Sebastiaan van Stijn 109cc4ea4f
vendor: golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
remove the replace rule to update it to the actual version specified:

full diff: 63515b42dc...69cdffdb93

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 15:35:55 +01:00