mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-06-22 23:30:45 +00:00
Code Issues Projects Releases Wiki Activity

fix(deps): update module github.com/moby/moby to v24.0.9+incompatible [security] (#3323)

Browse source 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/moby/moby](https://togithub.com/moby/moby) |
`v24.0.8+incompatible` -> `v24.0.9+incompatible` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmoby%2fmoby/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fmoby%2fmoby/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fmoby%2fmoby/v24.0.8+incompatible/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmoby%2fmoby/v24.0.8+incompatible/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-24557](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc)

The classic builder cache system is prone to cache poisoning if the
image is built `FROM scratch`.
Also, changes to some instructions (most important being `HEALTHCHECK`
and `ONBUILD`) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could
poison their cache by making them pull a specially crafted image that
would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a
valid cache candidate for:
```
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built
from a different Dockerfile.

In the second case, the attacker could for example substitute a
different `HEALTCHECK` command.

### Impact

23.0+ users are only affected if they explicitly opted out of Buildkit
(`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API
endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example
could be a CI with a shared cache, or just a regular Docker user pulling
a malicious image due to misspelling/typosquatting.

Image build API endpoint (`/build`) and `ImageBuild` function from
`github.com/docker/docker/client` is also affected as it the uses
classic builder by default.

### Patches

Patches are included in Moby releases:

- v25.0.2
- v24.0.9

### Workarounds

- Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`,
it's default on 23.0+ assuming that the buildx plugin is installed).
- Use `Version = types.BuilderBuildKit` or `NoCache = true` in
`ImageBuildOptions` for `ImageBuild` call.

---

### Release Notes

<details>
<summary>moby/moby (github.com/moby/moby)</summary>

###
[`v24.0.9+incompatible`](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9)

[Compare
Source](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "before 4am"
(UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/woodpecker-ci/woodpecker).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2024-02-04 07:53:53 +01:00 committed by GitHub
parent 7ff0d8e148
commit 6ffb3b1bd6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
go.mod
View file

@ -32,7 +32,7 @@ require (
github.com/kinbiko/jsonassert v1.1.1
github.com/lib/pq v1.10.9
github.com/mattn/go-sqlite3 v1.14.20
github.com/moby/moby v24.0.8+incompatible
github.com/moby/moby v24.0.9+incompatible
github.com/moby/term v0.5.0
github.com/muesli/termenv v0.15.2
github.com/oklog/ulid/v2 v2.1.0

2
go.sum
View file

@ -320,6 +320,8 @@ github.com/moby/moby v24.0.7+incompatible h1:RrVT5IXBn85mRtFKP+gFwVLCcnNPZIgN3NV
github.com/moby/moby v24.0.7+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
github.com/moby/moby v24.0.8+incompatible h1:lTOrmnT/ZwYrhTbcmkWMTd2Pk65vV+4YuEdIG04shac=
github.com/moby/moby v24.0.8+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
github.com/moby/moby v24.0.9+incompatible h1:Z/hFbZJqC5Fmuf6jesMLdHU71CMAgdiSJ1ZYey+bFmg=
github.com/moby/moby v24.0.9+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=