nemunaire/minifaas
Archived
1
0
Fork 0
Code Issues Pull Requests 3 Releases Activity

Update module github.com/docker/docker to v20.10.20 #22

Merged
nemunaire merged 1 commits from renovate/github.com-docker-docker-20.x into master 2022-10-19 22:28:07 +00:00
Conversation 0 Commits 1 Files Changed 2 +3 -1
renovate-bot commented 2022-10-19 21:17:45 +00:00
Contributor
Copy Link

This PR contains the following updates:

Package Type Update Change
github.com/docker/docker require patch v20.10.19+incompatible -> v20.10.20

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.

Release Notes

docker/docker

v20.10.20

Compare Source

This release of Docker Engine contains partial mitigations for a Git vulnerability
(CVE-2022-39253), and has updated handling of image:tag@digest image references.

The Git vulnerability allows a maliciously crafted Git repository, when used as a
build context, to copy arbitrary filesystem paths into resulting containers/images;
this can occur in both the daemon, and in API clients, depending on the versions and
tools in use.

The mitigations available in this release and in other consumers of the daemon API
are partial and only protect users who build a Git URL context (e.g. git+protocol://).
As the vulnerability could still be exploited by manually run Git commands that interact
with and check out submodules, users should immediately upgrade to a patched version of
Git to protect against this vulernability. Further details are available from the GitHub
blog ("Git security vulnerabilities announced").

Client
  • Added a mitigation for CVE-2022-39253,
    when using the classic Builder with a Git URL as the build context.
Daemon
  • Updated handling of image:tag@digest references. When pulling an image using
    the image:tag@digest ("pull by digest"), image resolution happens through
    the content-addressable digest and the image and tag are not used. While
    this is expected, this could lead to confusing behavior, and could potentially
    be exploited through social engineering to run an image that is already present
    in the local image store. Docker now checks if the digest matches the repository
    name used to pull the image, and otherwise will produce an error.
Builder
  • Updated handling of image:tag@digest references. Refer to the "Daemon" section
    above for details.
  • Added a mitigation to the classic Builder and updated BuildKit to v0.8.3-31-gc0149372,
    for CVE-2022-39253.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/docker/docker](https://github.com/docker/docker) | require | patch | `v20.10.19+incompatible` -> `v20.10.20` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the logs for more information. --- ### Release Notes <details> <summary>docker/docker</summary> ### [`v20.10.20`](https://github.com/moby/moby/releases/tag/v20.10.20) [Compare Source](https://github.com/docker/docker/compare/v20.10.19...v20.10.20) This release of Docker Engine contains partial mitigations for a Git vulnerability ([CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253)), and has updated handling of `image:tag@digest` image references. The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into resulting containers/images; this can occur in both the daemon, and in API clients, depending on the versions and tools in use. The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build a Git URL context (e.g. `git+protocol://`). As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulernability. Further details are available from the GitHub blog (["Git security vulnerabilities announced"](https://github.blog/2022-10-18-git-security-vulnerabilities-announced/)). ##### Client - Added a mitigation for [CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253), when using the classic Builder with a Git URL as the build context. ##### Daemon - Updated handling of `image:tag@digest` references. When pulling an image using the `image:tag@digest` ("pull by digest"), image resolution happens through the content-addressable digest and the `image` and `tag` are not used. While this is expected, this could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error. ##### Builder - Updated handling of `image:tag@digest` references. Refer to the "Daemon" section above for details. - Added a mitigation to the classic Builder and updated BuildKit to [v0.8.3-31-gc0149372](https://github.com/moby/buildkit/commit/c014937225cba29cfb1d5161fd134316c0e9bdaa), for [CVE-2022-39253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4yMzYuNCIsInVwZGF0ZWRJblZlciI6IjMyLjIzNi40In0=-->
renovate-bot added 1 commit 2022-10-19 21:17:47 +00:00
nemunaire merged commit b18e07c2ce into master 2022-10-19 22:28:07 +00:00
nemunaire deleted branch renovate/github.com-docker-docker-20.x 2022-10-19 22:28:07 +00:00
This repo is archived. You cannot comment on pull requests.
Reviewers
No reviewers
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: nemunaire/minifaas#22
No description provided.
Delete Branch "renovate/github.com-docker-docker-20.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?