You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. moby/moby#46626
Fix dockerd-rootless-setuptools.sh when username contains a backslash. moby/moby#46407
Fix a bug that would prevent network sandboxes to be fully deleted when stopping containers with no network attachments and when dockerd --bridge=none is used. moby/moby#46702
Fix a bug where cancelling an API request could interrupt container restart. moby/moby#46697
Fix an issue where containers would fail to start when providing --ip-range with a range larger than the subnet. docker/for-mac#6870
containerd storage backend: Fix docker ps failing when a container image is no longer present in the content store. moby/moby#46095
containerd storage backend: Fix docker ps -s -a and docker container prune failing when a container image config is no longer present in the content store. moby/moby#46097
containerd storage backend: Fix docker inspect failing when a container image config is no longer (or was never) present in the content store. moby/moby#46244
containerd storage backend: Fix diff and export with the overlayfs snapshotter by using reference-counted rootfs mounts. moby/moby#46266
containerd storage backend: Fix a misleading error message when the image platforms available locally do not match the desired platform. moby/moby#46300
containerd storage backend: Fix the FROM scratch Dockerfile instruction with the classic builder. moby/moby#46302
containerd storage backend: Fix mismatched image rootfs and manifest layers errors with the classic builder. moby/moby#46310
Warn when pulling Docker Image Format v1, and Docker Image manifest version 2, schema 1 images from all registries. moby/moby#46290
Fix live-restore of volumes with custom volume options. moby/moby#46366
Fix incorrectly dropping capabilities bits when running a container as a non-root user (note: this change was already effectively present due to a regression). moby/moby#46221
Fix network isolation iptables rules preventing IPv6 Neighbor Solicitation packets from being exchanged between containers. moby/moby#46214
Fix dockerd.exe --register-service not working when the binary is in the current directory on Windows. moby/moby#46215
Add a hint suggesting the use of a PAT to docker login against Docker Hub. docker/cli#4500
Improve shell startup time for users of Bash completion for the CLI. docker/cli#4517
Improve the speed of some commands by skipping GET /_ping when possible. docker/cli#4508
Fix credential scopes when using a PAT to docker manifest inspect an image on Docker Hub. docker/cli#4512
Fix docker events not supporting --format=json. docker/cli#4544
The Go client now avoids using UNIX socket paths in the HTTP Host: header, in order to be compatible with changes introduced in go1.20.6. moby/moby#45962, moby/moby#45990
containerd storage backend: Fix Variant not being included in docker image inspect and GET /images/{name}/json. moby/moby#46025
containerd storage backend: Prevent potential garbage collection of content during image export. moby/moby#46021
containerd storage backend: Prevent duplicate digest entries in RepoDigests. moby/moby#46014
containerd storage backend: Fix operations taking place against the incorrect tag when working with an image referenced by tag and digest. moby/moby#46013
containerd storage backend: Fix a panic caused by EXPOSE when building containers with the legacy builder. moby/moby#45921
Fix a regression causing unintuitive errors to be returned when attempting to create an overlay network on a non-Swarm node. moby/moby#45974
Properly report errors parsing volume specifications from the command line. docker/cli#4423
Fix a panic caused when auths: null is found in the CLI config file. docker/cli#4450
containerd image store: Fix an issue where multi-platform images that did not include a manifest for the default platform could not be interacted with. moby/moby#45849
containerd image store: Fix specious attempts to cache FROM scratch in container builds. moby/moby#45822
containerd image store: Fix docker cp with snapshotters that cannot mount the same content multiple times. moby/moby#45780, moby/moby#45786
containerd image store: Fix builds with type=image not being correctly unpacked/stored. moby/moby#45692
containerd image store: Fix incorrectly attempting to unpack pseudo-images (including attestations) in docker load. moby/moby#45688
containerd image store: Correctly set the user agent, and include additional information like the snapshotter when interacting with registries. moby/moby#45671, moby/moby#45684
containerd image store: Fix a failure to unpack already-pulled content after switching between snapshotters. moby/moby#45678
containerd image store: Fix images that have been re-tagged or with all tags removed being pruned while still in use. moby/moby#45857
Fix a Swarm CSI issue where the Topology field was not propagated into NodeCSIInfo. moby/moby#45810
Fix an issue where POST /containers/{id}/stop would forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a 'graceful' stop. moby/moby#45774
Fix an issue where docker cp -a from the root (/) directory would fail. moby/moby#45748
Improve compatibility with non-runc container runtimes by more correctly setting resource constraint parameters in the OCI config. moby/moby#45746
Fix builds potentially failing with exit code: 4294967295 when performing many concurrent build stages. moby/moby#45620
Fix DNS resolution on Windows ignoring etc/hosts (%WINDIR%\System32\Drivers\etc\hosts), including resolution of localhost. moby/moby#45562
Apply a workaround for a containerd bug that causes concurrent docker exec commands to take significantly longer than expected. moby/moby#45625
containerd image store: Fix an issue where the image Created field would contain an incorrect value. moby/moby#45623
containerd image store: Adjust the output of image pull progress so that the output has the same format regardless of whether the containerd image store is enabled. moby/moby#45602
containerd image store: Switching between the default and containerd image store now requires a daemon restart. moby/moby#45616
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Uncontrolled Resource Consumption
Affected range
<0.7.0
Fixed version
0.7.0
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range
<0.13.0
Fixed version
0.13.0
CVSS Score
6.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
Uncontrolled Resource Consumption
Affected range
<0.17.0
Fixed version
0.17.0
CVSS Score
5.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description
HTTP/2 Rapid reset attack
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.
The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.
The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.
Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the swift-nio-http2 repo advisory and their original conent follows.
swift-nio-http2 specific advisory
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress.
swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
Affected range
<0.4.0
Fixed version
0.4.0
Description
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<0.7.0
Fixed version
0.7.0
Description
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
google.golang.org/grpc1.50.1 (golang)
pkg:golang/google.golang.org/grpc@1.50.1
Affected range
<1.56.3
Fixed version
1.56.3
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.
The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.
The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.
Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the swift-nio-http2 repo advisory and their original conent follows.
swift-nio-http2 specific advisory
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress.
swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.56.3
Fixed version
1.56.3, 1.57.1, 1.58.3
Description
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.
Details
HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.
PoC
Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.
As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.
For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
In PR open-telemetry/opentelemetry-go-contrib#4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.
Details
HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.
PoC
Send many requests with long randomly generated HTTP methods or/and User agents (e.g. a million) and observe how memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use otelhttp.NewHandler wrapper, and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.
As a workaround to stop being affected otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely.
For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
In PR open-telemetry/opentelemetry-go-contrib#4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
out of the box adds labels
net.peer.sock.addr
net.peer.sock.port
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
On Windows, The IsLocal function does not correctly detect reserved device names in some cases.
Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.
With fix, IsLocal now correctly reports these names as non-local.
Affected range
<1.20.12
Fixed version
1.20.12
Description
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.
A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.
It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it).
Patches
c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix.
Workarounds
Users could use filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin.
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
Fixed version
v0.2.4
Description
Impact
For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.
It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.
Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it).
Patches
c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix.
Workarounds
Users could use filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin.
/sys/devices/virtual/powercap accessible by default to containers
Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.
By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.
Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:
Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU
While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.
While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
23.0.6->24.0.7Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
moby/moby (moby/moby)
v24.0.7Compare Source
24.0.7
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
dockerd-rootless-setuptools.shwhen username contains a backslash. moby/moby#46407dockerd --bridge=noneis used. moby/moby#46702--ip-rangewith a range larger than the subnet. docker/for-mac#6870Packaging updates
docker.socketnot getting disabled when uninstalling thedocker-ceRPM package. docker/docker-ce-packaging#852go1.20.10. docker/docker-ce-packaging#951v1.7.6(static binaries only). moby/moby#46103containerd.iopackage tov1.6.24.Security
/sys/devices/virtual/powercapby default. This change hardens against CVE-2020-8694, CVE-2020-8695, and CVE-2020-12912, and an attack known as the PLATYPUS attack. For more details, see advisory, commit.v24.0.6Compare Source
24.0.6
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
docker psfailing when a container image is no longer present in the content store. moby/moby#46095docker ps -s -aanddocker container prunefailing when a container image config is no longer present in the content store. moby/moby#46097docker inspectfailing when a container image config is no longer (or was never) present in the content store. moby/moby#46244overlayfssnapshotter by using reference-counted rootfs mounts. moby/moby#46266FROM scratchDockerfile instruction with the classic builder. moby/moby#46302mismatched image rootfs and manifest layerserrors with the classic builder. moby/moby#46310dockerd.exe --register-servicenot working when the binary is in the current directory on Windows. moby/moby#46215docker loginagainst Docker Hub. docker/cli#4500GET /_pingwhen possible. docker/cli#4508docker manifest inspectan image on Docker Hub. docker/cli#4512docker eventsnot supporting--format=json. docker/cli#4544Packaging updates
go1.20.7. moby/moby#46140, docker/cli#4476, docker/docker-ce-packaging#932v1.7.3(static binaries only). moby/moby#46103v2.21.0. docker/docker-ce-packaging#936v24.0.5Compare Source
24.0.5
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
Host:header, in order to be compatible with changes introduced ingo1.20.6. moby/moby#45962, moby/moby#45990Variantnot being included indocker image inspectandGET /images/{name}/json. moby/moby#46025RepoDigests. moby/moby#46014EXPOSEwhen building containers with the legacy builder. moby/moby#45921overlaynetwork on a non-Swarm node. moby/moby#45974auths: nullis found in the CLI config file. docker/cli#4450Packaging updates
contrib/init. docker/docker-ce-packaging#914, docker/docker-ce-packaging#926contrib/init. moby/moby#46044go1.20.6. docker/cli#4428, moby/moby#45970, docker/docker-ce-packaging#921v2.20.2. docker/docker-ce-packaging#924v0.11.2. docker/docker-ce-packaging#922v24.0.4Compare Source
24.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
v24.0.3Compare Source
24.0.3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
FROM scratchin container builds. moby/moby#45822docker cpwith snapshotters that cannot mount the same content multiple times. moby/moby#45780, moby/moby#45786type=imagenot being correctly unpacked/stored. moby/moby#45692docker load. moby/moby#45688name_to_handle_at(2)is now always allowed in the default seccomp profile. moby/moby#45833host-gatewaywith BuildKit by passing the IP as a label (also requires docker/buildx#1894). moby/moby#45790POST /containers/{id}/stopwould forcefully terminate the container when the request was canceled, instead of waiting until the specified timeout for a 'graceful' stop. moby/moby#45774docker cp -afrom the root (/) directory would fail. moby/moby#45748GET /info. moby/moby#45856docker infowhen only the client is in debug mode. docker/cli#4393Packaging updates
go1.20.5. moby/moby#45745, docker/cli#4351, docker/docker-ce-packaging#904v2.19.1. docker/docker-ce-packaging#916v0.11.1. docker/docker-ce-packaging#918v24.0.2Compare Source
24.0.2
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes and enhancements
exit code: 4294967295when performing many concurrent build stages. moby/moby#45620etc/hosts(%WINDIR%\System32\Drivers\etc\hosts), including resolution oflocalhost. moby/moby#45562docker execcommands to take significantly longer than expected. moby/moby#45625Createdfield would contain an incorrect value. moby/moby#45623v24.0.1Compare Source
24.0.1
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Removed
Bug fixes and enhancements
docker pull --platformwould reportNo such imageregarding another tag pointing to the same image. moby/moby#45562docker images -amoby/moby#45588GET /images/{id}/jsonwould returnnullinstead of emptyRepoTagsandRepoDigests. moby/moby#45564POST /commitdid not accept an empty request body. moby/moby#45568Packaging updates
v2.18.1. [master] bump compose to v2.18.1 docker/docker-ce-packaging#896Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.