Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev) #4944

Merged
merged 3 commits into from Mar 19, 2024
Merged

vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev) #4944

merged 3 commits into from Mar 19, 2024

Commits on Mar 16, 2024

  1. vendor: github.com/containerd/containerd v1.7.14 

    no changes in vendored files, but now requires go1.21

full diff: containerd/containerd@v1.7.13...v1.7.14

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @thaJeztah
    thaJeztah committed Mar 16, 2024
    Configuration menu
    Copy the full SHA
    115c8d5 View commit details
    Browse the repository at this point in the history

  2. vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobu… 

    …f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code shows that this does not affect the CLI:

    govulncheck ./...
    Scanning your code and 448 packages across 72 dependent modules for known vulnerabilities...

    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 0
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @thaJeztah
    thaJeztah committed Mar 16, 2024
    Configuration menu
    Copy the full SHA
    a4a79d7 View commit details
    Browse the repository at this point in the history

  3. vendor: github.com/docker/docker 70e46f2c7c2d (v26.0.0-rc3-dev) 

    full diff: moby/moby@v26.0.0-rc2...70e46f2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
    @thaJeztah
    thaJeztah committed Mar 16, 2024
    Configuration menu
    Copy the full SHA
    38c3ff6 View commit details
    Browse the repository at this point in the history