This includes 1 security fix:
- net/http: CrossOriginProtection bypass patterns are over-broad
When passing patterns to CrossOriginProtection.AddInsecureBypassPattern,
requests that would have redirected to those patterns (e.g. without a trailing
slash) were also exempted, which might be unexpected.
Thanks to Marco Gazerro for reporting this issue.
This is CVE-2025-47910 and Go issue https://go.dev/issue/75054.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.7
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
hostVar is used for the '--host' / '-H' flag to set [ClientOptions.Hosts].
The [ClientOptions.Hosts] field is a slice because it was originally shared
with the daemon config. However, the CLI only allows for a single host to
be specified.
hostVar presents itself as a "string", but stores the value in a string
slice. It produces an error when trying to set multiple values, matching
the check in [getServerHost].
[getServerHost]: 7eab668982/cli/command/cli.go (L542-L551)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test was recently rewritten from testing plugin upgrade with
DCT enabled to just "plugin upgrade", but there's a fair amount of
complexity in the e2e tests that set up different daemons and registries.
It's possible that tests are affecting each-other, and some state (config)
is left behind.
Let's skip the test for now, and add a tracking ticket to dig deeper.
=== FAIL: e2e/global TestPromptExitCode/plugin_upgrade (7.55s)
cli_test.go:205: assertion failed:
Command: docker plugin push registry:5000/plugin-upgrade-test:latest
ExitCode: 1
Error: exit status 1
Stdout: The push refers to repository [registry:5000/plugin-upgrade-test]
459089aa5943: Preparing
adc41078d1d9: Preparing
d7bff979db13: Preparing
459089aa5943: Preparing
Stderr: error pushing plugin: failed to do request: Head "https://registry:5000/v2/plugin-upgrade-test/blobs/sha256:adc41078d1d937495df2f90444e5414a01db31e5a080f8aa4f163c64d41abd11": http: server gave HTTP response to HTTPS client
Failures:
ExitCode was 1 expected 0
Expected no error
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.6+label%3ACherryPickApproved
- full diff: golang/go@go1.24.5...go1.24.6
These minor releases include 2 security fixes following the security policy:
- os/exec: LookPath may return unexpected paths
If the PATH environment variable contains paths which are executables (rather
than just directories), passing certain strings to LookPath ("", ".", and ".."),
can result in the binaries listed in the PATH being unexpectedly returned.
Thanks to Olivier Mengué for reporting this issue.
This is CVE-2025-47906 and Go issue https://go.dev/issue/74466.
- database/sql: incorrect results returned from Rows.Scan
Cancelling a query (e.g. by cancelling the context passed to one of the query
methods) during a call to the Scan method of the returned Rows can result in
unexpected results if other queries are being made in parallel. This can result
in a race condition that may overwrite the expected results with those of
another query, causing the call to Scan to return either unexpected results
from the other query or an error.
We believe this affects most database/sql drivers.
Thanks to Spike Curtis from Coder for reporting this issue.
This is CVE-2025-47907 and https://go.dev/issue/74831.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.6
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
Plugins are not widely used, and there's no known plugins that use
content-trust. We're working on updating the authentication stack
in the CLI, and the trust implementation hinders us in making
changes, so removing parts that are not high-priority (ahead of
full deprecation of DCT).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use names for the plugin that don't refer to content-trust, as that's
not related to this test.
Make it slightly more clear which steps are preparation and which
are the actual test. The test sometimes fails in the preparation
step, and we could consider moving those separate and XFail the
test if the preparation fails;
Stderr: error pushing plugin: failed to do request: Head "https://registry:5000/v2/plugin-content-trust-upgrade/blobs/sha256:af932a31d4df3a2890f900bcf28e16cea87b2b440b8036ba86ab3418f3e50a35": http: server gave HTTP response to HTTPS client
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The gotest.tools `fs.NewDir` utility already sets up a `t.Cleanup`,
so we can treat it the same as `t.TempDir()` and let it handle
cleaning up by itself.
We should probably consider replacing some of this with `t.TempDir`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Experimental is always enabled (977d3ae046),
and the `Experimental` field in plugin metadata was deprecated in
977d3ae046 and removed in commit
6a50c4f700.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker Content Trust is currently only implemented for the classic
builder, but is known to not work with multi-stage builds, and
requires rewriting the Dockerfile, which is brittle because the
Dockerfile syntax evolved with the introduction of BuildKit as
default builder.
Given that the classic builder is deprecated, and only used for
Windows images, which are not verified by content trust;
# docker pull --disable-content-trust=false mcr.microsoft.com/windows/servercore:ltsc2025
Error: remote trust data does not exist for mcr.microsoft.com/windows/servercore: mcr.microsoft.com does not have trust data for mcr.microsoft.com/windows/servercore
With content trust not implemented in BuildKit, and not implemented
in docker compose, this resulted in an inconsistent behavior.
This patch removes content-trust support for "docker build". As this
is a client-side feature, users who require this feature can still
use an older CLI to to start the build.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make the test slightly more permissive; we're looking for a trailing
newline, not necessarily an empty line.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.24.4...go1.24.5
This minor releases include 1 security fixes following the security policy:
- cmd/go: unexpected command execution in untrusted VCS repositories
Various uses of the Go toolchain in untrusted VCS repositories can result in
unexpected code execution. When using the Go toolchain in directories fetched
using various VCS tools (such as directly cloning Git or Mercurial repositories)
can cause the toolchain to execute unexpected commands, if said directory
contains multiple VCS configuration metadata (such as a '.hg' directory in a Git
repository). This is due to how the Go toolchain attempts to resolve which VCS
is being used in order to embed build information in binaries and determine
module versions.
The toolchain will now abort attempting to resolve which VCS is being used if it
detects multiple VCS configuration metadata in a module directory or nested VCS
configuration metadata (such as a '.git' directoy in a parent directory and a
'.hg' directory in a child directory). This will not prevent the toolchain from
building modules, but will result in binaries omitting VCS related build
information.
If this behavior is expected by the user, the old behavior can be re-enabled by
setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
repositories.
Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting
this issue.
This is CVE-2025-4674 and https://go.dev/issue/74380.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.24.3...go1.24.4
This release includes 3 security fixes following the security policy:
- net/http: sensitive headers not cleared on cross-origin redirect
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.
- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.
OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.
This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.
- crypto/x509: usage of ExtKeyUsageAny disables policy validation
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.
This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,
We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fixes following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix a regression introduced by 30c4637f03
which made the `docker run` command produce potentially truncated
stdout/stderr output.
Previous implementation stopped the content streaming as soon as the
container exited which would potentially truncate a long outputs.
This change fixes the issue by only canceling the IO stream immediately
if neither stdout nor stderr is attached.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
- set default to 28
- remove minor version from matrix; docker:dind images also provide a
"docker:28-dind" which point to the latest minor version.
- remove TODO for 19.03, which is really out of scope now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use Println to print newline instead of custom format
- suppress some errors to make my IDE and linters happier
- use res.Assert() with icmd.Expected{} where possible to make
assertions not depend on newline / whitespace randomness
- use apiClient instead of client for the API client to
prevent shadowing imports.
- use dockerCLI with Go's standard camelCase casing.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While there may be reasons to keep pkg/errors in production code,
we don't need them for these tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and
net/http packages, as well as bug fixes to the compiler, the runtime, and the
net package. See the Go 1.23.5 milestone on our issue tracker for details;
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.4...go1.23.5
Hello gophers,
We have just released Go versions 1.23.5 and 1.22.11, minor point releases.
These minor releases include 2 security fixes following the security policy:
- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may
incorrectly satisfy a URI name constraint that applies to the certificate
chain.
Certificates containing URIs are not permitted in the web PKI, so this
only affects users of private PKIs which make use of URIs.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.
- net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is
redirected to b.com/ will not send that header to b.com.
In the event that the client received a subsequent same-domain redirect, however,
the sensitive headers would be restored. For example, a chain of redirects from
a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
header to b.com/2.
Thanks to Kyle Seely for reporting this issue.
This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If STDOUT or STDERR are attached and the container exits, the streams
will be closed by the daemon while the container is exiting, causing
the streamer to return an error
61b02e636d/cli/command/container/hijack.go (L53)
that gets sent
61b02e636d/cli/command/container/run.go (L278)
and received
61b02e636d/cli/command/container/run.go (L225)
on `errCh`.
However, if only STDIN is attached, it's not closed (since this is
attached to the user's TTY) when the container exits, so the streamer
doesn't exit and nothing gets sent on `errCh`, meaning the CLI execution
hangs receiving on `errCh` on L231.
Change the logic to receive on both `errCh` and `statusChan` – this way,
if the container exits, we get notified on `statusChan` (even if only
STDIN is attached), and can cancel the streamer and exit.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
There's no need for `case=[xxx]` in table tests, Go does a good job of
formatting the test output and we're just adding the same information
for every test output line.
Previously:
```console
$ go test -count=1 -v -run=TestPromptForConfirmation ./cli/command
=== RUN TestPromptForConfirmation
=== RUN TestPromptForConfirmation/case=SIGINT
=== RUN TestPromptForConfirmation/case=no
=== RUN TestPromptForConfirmation/case=yes
=== RUN TestPromptForConfirmation/case=any
=== RUN TestPromptForConfirmation/case=with_space
=== RUN TestPromptForConfirmation/case=reader_closed
--- PASS: TestPromptForConfirmation (0.00s)
--- PASS: TestPromptForConfirmation/case=SIGINT (0.00s)
--- PASS: TestPromptForConfirmation/case=no (0.00s)
--- PASS: TestPromptForConfirmation/case=yes (0.00s)
--- PASS: TestPromptForConfirmation/case=any (0.00s)
--- PASS: TestPromptForConfirmation/case=with_space (0.00s)
--- PASS: TestPromptForConfirmation/case=reader_closed (0.00s)
PASS
ok github.com/docker/cli/cli/command 0.013s
```
After:
```console
go test -count=1 -v -run=TestPromptForConfirmation ./cli/command
=== RUN TestPromptForConfirmation
=== RUN TestPromptForConfirmation/SIGINT
=== RUN TestPromptForConfirmation/no
=== RUN TestPromptForConfirmation/yes
=== RUN TestPromptForConfirmation/any
=== RUN TestPromptForConfirmation/with_space
=== RUN TestPromptForConfirmation/reader_closed
--- PASS: TestPromptForConfirmation (0.00s)
--- PASS: TestPromptForConfirmation/SIGINT (0.00s)
--- PASS: TestPromptForConfirmation/no (0.00s)
--- PASS: TestPromptForConfirmation/yes (0.00s)
--- PASS: TestPromptForConfirmation/any (0.00s)
--- PASS: TestPromptForConfirmation/with_space (0.00s)
--- PASS: TestPromptForConfirmation/reader_closed (0.00s)
PASS
ok github.com/docker/cli/cli/command 0.009s
```
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
go1.22 and up now produce a unique variable in loops, tehrefore no longer
requiring to capture the variable manually;
service/logs/parse_logs_test.go:50:3: The copy of the 'for' variable "tc" can be deleted (Go 1.22+) (copyloopvar)
tc := tc
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.6...go1.22.7
These minor releases include 3 security fixes following the security policy:
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
- go/build/constraint: stack exhaustion in Parse
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
e2e/global/cli_test.go:217:28: printf: non-constant format string in call to gotest.tools/v3/poll.Continue (govet)
return poll.Continue(err.Error())
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
