Commit Graph

336 Commits

Author SHA1 Message Date
4443ce1c21 Bump golang 1.11.13 (CVE-2019-9512, CVE-2019-9514)
go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.11.13 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.11.13

- net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
  net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
  clients could be remotely made to allocate an unlimited amount of memory, until the program
  crashes. Servers will now close connections if the send queue accumulates too many control
  messages.
  The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
  Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
  This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
- net/url: parsing validation issue
  url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
  suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
  in certain applications. Note that URLs with invalid, not numeric ports will now return an error
  from url.Parse.
  The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
  Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
  and reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9a7c1a1e5f0858ac54f1c7577c4fca8665f70496
Component: packaging
2019-08-14 03:22:12 +02:00
b494c289b9 [18.09] bump golang 1.11.12 (#364)
[18.09] bump golang 1.11.12
Upstream-commit: 4ff284459622c0610017e68df53fc4e55363ed8d
Component: packaging
2019-08-06 15:19:25 -07:00
ff2d7c542f Pin Golang images to debian stretch variant
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1310e3974e8193745ce70cd74a20ab9d2151b8ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 32cdb89aac13e9af7446891eab8fb1aa54c22034
Component: packaging
2019-08-06 23:37:11 +02:00
0f4d86716a Bump Go to 1.11.12
go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker.
See the Go 1.11.12 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.11.12

Full diff: https://github.com/golang/go/compare/go1.11.11...go1.11.12

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: f8eb0d84d32b427805b1d7afee815375f92fe2ee
Component: packaging
2019-07-23 16:37:25 -07:00
531574846b [18.09 backport] require container-selinux >= 2.74 (#352)
[18.09 backport] require container-selinux >= 2.74
Upstream-commit: 2dfffcfb076dccf33ac345fb3475bc349d68459d
Component: packaging
2019-07-09 12:40:17 -10:00
29233058d5 Bump golang 1.11.11
go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package.
See the Go 1.11.11 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.11.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f33c398df1eabda69ca05ff6c5c45351790a8696
Component: packaging
2019-07-08 11:33:07 +02:00
cd1b18d66d Bump Golang 1.11.5 (CVE-2019-6486)
See the milestone for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a86dd09775725e0ea79bcc25613879d09d11ba0c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f571ca6a512ac099bdb5a8cd4c44f6256b60fa70
Component: packaging
2019-07-08 11:32:04 +02:00
19cae1634a Bump Golang 1.11.3 (CVE-2018-16875)
go1.11.3 (released 2018/12/14)

- crypto/x509: CPU denial of service in chain validation golang/go#29233
- cmd/go: directory traversal in "go get" via curly braces in import paths golang/go#29231
- cmd/go: remote command execution during "go get -u" golang/go#29230

See the Go 1.11.3 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 517a30b48d7b483e27eb3c3328356a8e83272988)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 17565b93d361b1b189962b3e98c431316a7cc628
Component: packaging
2019-07-08 11:31:50 +02:00
5033fdcda8 Revert "[18.09] Bump Golang 1.10.8 (CVE-2019-6486)"
This reverts commit 9aec27794cc1e702bd9b9f3ac476695fc0d522a4.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e05230d281769067cc4e9224218f25634f5b894a
Component: packaging
2019-07-08 11:31:25 +02:00
88031e7c4e switch to balenalib/rpi-raspbian because resin/rpi-raspbian is deprecated
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 7ab3b5c11a0426117580b14e1b170b192945af1d
Component: packaging
2019-07-03 00:33:52 +02:00
df56d66f46 Remove the pkcs11 tag, was a holdover from cli
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 76f7249ca4695f58cee9773cb8b8036e698c576b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 095a4c109d5ba3444ace84e53f363eb4855e57d2
Component: packaging
2019-06-26 01:01:03 +02:00
0ac05a6a78 require container-selinux >= 2.74
version 2.9 is really old; this sets the same minimal version
as is used for the containerd.io package

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a246b19b0723d41a8e58ff42d3af52fd57a7e94d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 95dea749d4cb7e474194bbe209f052e94da5df2e
Component: packaging
2019-06-26 00:48:50 +02:00
591f85d1f1 Add PLATFORM to deb and rpm build
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 119bb518ff5bf382b29971805f5c7ba16f960b21)
Upstream-commit: 6d0273d5c0ffd30c3cefd9caca61595f235dc01e
Component: packaging
2019-04-09 07:34:48 +02:00
dd0e4702ff [TAR-465] Jenkinsfile: Test the correct branch
This commit ensures that we test the correct branches of Docker
when making packaging changes.

Signed-off-by: Dave Tucker <dt@docker.com>
(cherry picked from commit 1ef9fb3f0b2b8016b50c6c71f2d14bea16faff35)
Upstream-commit: 5e59ff8a5e8ea44444aa4f22a8baf12e091bcc76
Component: packaging
2019-03-01 09:22:20 +00:00
fc58c203b0 Merge pull request #294 from thaJeztah/18.09_backport_start_dockerd_after_containerd
[18.09 backport] Start docker.service after containerd.service
Upstream-commit: f3af90aee7be272775ac11b8906e91729e47b517
Component: packaging
2019-02-12 18:27:03 -08:00
6a2cf28a77 Merge pull request #298 from thaJeztah/18.09_backport_fix_containerd_race_condition
[18.09 backport] systemd: set --containerd socket patch to prevent race-condition
Upstream-commit: 8a4654e98e76d845e59b373ddee57fa4c1db8954
Component: packaging
2019-02-12 18:25:59 -08:00
93dc56c138 Merge pull request #293 from thaJeztah/18.09_bump_golang_1.10.8
Merged with https://github.com/seemethere/unir
Upstream-commit: c7bc734ebfe74b6dd3bf298dd384b6860f4a7e74
Component: packaging
2019-02-12 19:59:07 +00:00
24e4136d6c systemd: set --containerd socket patch to prevent race-condition
containerd is now running as a separate service, and should
no longer be started as a managed child-process of dockerd.

The dockerd service already specifies that it should be started
`After` the containerd.service, but there is still a race
condition, where containerd is started, but its socket is not yet
created.

In that situation, `dockerd` detects that the containerd socket
is missing, and will start a new instance of containerd (as a
managed child-process), which causes live-restore to fail.

This patch explicitly sets the `--containerd` daemon option.
If this option is set, `dockerd` will not start a new instance
of containerd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1985463b1337e55c0dfcad2fb985fb5af5a10c78)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 15653df497646518ec5af5cab55ebb4461ee5b80
Component: packaging
2019-02-11 14:41:33 +01:00
4d35d88be8 Bump containerd.io dep >= 1.2.2-3 (CVE-2019-5736)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 06b649e2b07f74a94f3dbbcb233e13177a76a929
Component: packaging
2019-02-08 21:40:09 +00:00
52d14c96c7 Start docker.service after containerd.service
Signed-off-by: corbin-coleman <corbin.coleman@docker.com>
(cherry picked from commit 27f7ae18f42d10221c214163e253ba79b79731d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 00600cd1217bd545762dbef7c488136735d662b6
Component: packaging
2019-01-25 14:00:33 +01:00
1f467bcdc6 [18.09] Bump Golang 1.10.8 (CVE-2019-6486)
See the milestone for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.10.8+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9aec27794cc1e702bd9b9f3ac476695fc0d522a4
Component: packaging
2019-01-23 23:59:33 +01:00
ffc8511d04 Restore SysVinit and Upstart support
This was removed in 662e248f680eb49a9951a8b34125506b8f82dfed.  The
removal breaks usage on Debian derivatives that do not use systemd
(see https://github.com/docker/for-linux/issues/482).
Upstream-commit: 196c4028288ad241f52201d0f171c251ed13b98f
Component: packaging
2018-12-23 20:12:09 +09:00
2b827d4782 Remove obsolete "selinux" and "engine" packages from CLI rpm
The CLI package does not provide the functionality of the
"selinux" and "engine" packages (it does _conflict_ with
older engine packages though).

This removes the "obsoletes" from the CLI package, as the
Engine package already obsoletes the other ones.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d4e1ddb963a43ff9f0a06e4ed1b37307c8f26a17)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9e6f124b6b5deba3878ad242661d1991881f33b9
Component: packaging
2018-12-17 18:04:48 +01:00
2b2dcff273 bump to golang 1.10.6
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 010a8c218dacf18f97aa976ac17c3863ec36b9d5)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: d5e1848a813b3019e44db7581848a66869972e56
Component: packaging
2018-12-13 23:53:43 +00:00
89559b9c3c Remove unused spec files
We don't use these spec files to actually build from anymore so we
should just go through and remove them.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit b98d7aad1e153c18da5b488afc40ba751f90cb36)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9d68fe72f3649fad5e3f902602c8ae9ab4a6abe5
Component: packaging
2018-12-05 15:12:29 +01:00
11442eb1e7 bump golang to 1.10.5
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
(cherry picked from commit c658dc545952bf4728e0ef3ff281bfa8823d60cb)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Upstream-commit: df92c55b0ceefb75736d5d1f31a13f8400534a8b
Component: packaging
2018-12-03 22:21:44 +00:00
9b0d684d7f Add docker.socket requirement for docker.service
Without this the docker.socket would not start by default when starting
the docker.service leading to failures to start.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 88885d18b1bb0ef91eab4ad3311773f9c40838b7)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Upstream-commit: 93f125a2602b7eb72128cbc16d9d35c9d92ed18a
Component: packaging
2018-12-03 19:42:41 +00:00
ffd5999784 Merge pull request #260 from thaJeztah/18.09_remove_telemetry_remnants
Merged with https://github.com/seemethere/unir
Upstream-commit: 091c4453b8e294b0e10ea9fe24c784c2086719be
Component: packaging
2018-12-03 19:40:52 +00:00
8293f65feb Add socket activation for RHEL based distributions
Removes the systemd drop-in unit file for socket activation and instead
prefers socket activation by default for both RHEL based and DEBIAN
based distributions.

Socket activation for RHEL based distributions was tested on CentOS 7 and Fedora 28.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 91c85cd38197b9d92d5b3e8a1b577d3178d73fcc)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 6a7e302c260a2ff7e4d8b7a6d01249a09c140618
Component: packaging
2018-11-30 19:43:29 +00:00
b766ec9947 Merge pull request #269 from thaJeztah/18.09_backport_dont_require_containerd
[18.09 backport] Remove containerd dependency from CLI
Upstream-commit: ad65acf1a609e92019c961538c4d7c1b43eaf77c
Component: packaging
2018-11-28 12:34:11 -06:00
c9bd8ec5c6 Merge pull request #263 from thaJeztah/18.09_backport_compat
[18.09 backport] Change replaces/breaks to have compat with nightly
Upstream-commit: 1a683520a4590f9a92a231f8c3ee8841dff265f3
Component: packaging
2018-11-28 12:20:39 -06:00
9c47bb0899 Remove containerd dependency from CLI
The RPM packages list containerd as a hard dependency. While
having containerd installed allows certain features (e.g., allow
you to run `docker engine activate`), this should not be a requirement
for installing the Docker CLI, as it limits the use of this package
for situations where the CLI is installed to connect to a remote
daemon.

This patch removes the containerd dependency from the RPM packages
(the deb packages don't have this dependency, so no change is needed
in those packages)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 037349c5dc3f18d3bea3be0217e249f716a8be25)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: bc3867a8f6e59c56c967720c33c6ce9a65b64b7b
Component: packaging
2018-11-28 18:19:44 +00:00
74513be78c Merge pull request #267 from thaJeztah/18.09_restore_requires
[18.09] Add back requirements that were removed in the migration
Upstream-commit: 12dff4169636676f40f782d1327c24e8ccb18f7c
Component: packaging
2018-11-28 12:15:16 -06:00
60a25b4d26 Add back requirements that were removed in the migration
During the migration to "image based builds", some dependencies
were removed.

This patch brings back those dependencies.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a6ff66f1a51af62c9fd17a8b931f8a9b0283247a
Component: packaging
2018-11-28 15:44:43 +01:00
85e1aa53ce Add libseccomp requirement for rpm packages
This requirement was originally added in 86f76496ce33bd6eff1737348bc44add4723ddd2,
but got removed in the migration to the new image-based packaging.

Commit f2ceca98823548e401c6cca125b7057df28c4892 added this requirement
back for `.deb` packages, but did not include the same changes for
RPMs.

This patch adds back the requirement for RPM packages as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 86ed6eb2cef4e7386979fc73397c1844531eb3a9
Component: packaging
2018-11-28 15:28:34 +01:00
99e4130444 Change replaces/breaks to have compat with nightly
Nightly builds wouldn't install correctly since our versioning scheme
for nightly builds is 0.0.0~ and 0 < 18.

Should be backwards compatible with 18.09 builds so there's no need to
actually backport this to 18.09.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit de312224beff9c6bc7fd6def46459d531cf2ce4a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 3e383bee967aa07d35ea717544bc18aafbbad4f7
Component: packaging
2018-11-28 13:54:25 +01:00
b8014b87d1 Remove remnants from telemetry plugin from Fedora 27, 28
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d91edcf9ae07433110c62ddfbcdb7566fb285a81)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f7b95cb416685d86541f62440927a6613af3cb25
Component: packaging
2018-11-28 13:35:39 +01:00
959e3a80b6 Merge pull request #254 from thaJeztah/18.09_backport_remove_old_distros
Merged with https://github.com/seemethere/unir
Upstream-commit: 1750dc22c9428a360fa31045198433cb60c4f3ad
Component: packaging
2018-11-26 16:36:52 +00:00
8fc20c5a25 Add the docker.socket back in
Re-adds the docker.socket file for debian based distributions.

TAR-144 +review

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 69bd2eea398e0396c24f97d0697f9befd0f2464e)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: aaf035970219d6ae19e22bb94adaf51e61a9ff82
Component: packaging
2018-11-19 17:25:13 +00:00
1ece4fbc13 Merge pull request #255 from thaJeztah/18.09_backport_cosmic
Merged with https://github.com/seemethere/unir
Upstream-commit: dc8e682ed504309ced0f7f382c71b4e9fa4def07
Component: packaging
2018-11-15 00:55:20 +00:00
3cf3a6d8dd Add initial scripts for Fedora 29
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 42f5f2f4384f1699fbe55746d53718016cd6fb87)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6c3958b6ac3633a500d268a8238bd20f636e366d
Component: packaging
2018-10-31 11:29:45 +01:00
c42096eff2 Add initial scripts for Ubuntu Cosmic (18.10)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 3228c358954810ad1664dbf1d96c7e55655e8850)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: b10fbb89792803ed17478eb41348510c56e297a4
Component: packaging
2018-10-26 14:32:27 +02:00
8d9b4f4fd9 README: remove Ubuntu 17.10 "Artful"
Packages are no longer built for Ubuntu 17.10 since
commit eb635bdb3044b008344c8318c8d727ac94662526, so
remove it from the README as well

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9cab4c43c4dd30e86efed1dfb9199ed91d766eca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 89705eb29d9f8782cf218a6d4692dd8a34a95857
Component: packaging
2018-10-26 14:25:17 +02:00
6c2e70dfb4 Remove Ubuntu 14.04 "trusty tahr" build scripts
Docker no longer ships packages for Ubuntu 14.04,
so remove the build scripts as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3a8fa7fc0acc5c3fb468ec5ec41e236e741c804e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 90fadd7b66e8696cc0d3479293bc62ea730ec51e
Component: packaging
2018-10-26 14:25:15 +02:00
4944d0221b Remove build scripts for Debian 8 "Jessie"
Docker is no longer packaged for Debian Jessie,
so remove the scripts.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 49524c88c2b2ab1751941992913adcff36487f7a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 146e29aa88e8598d5a89ae29a091ff303fd4f3e5
Component: packaging
2018-10-26 14:25:12 +02:00
5955459088 README: Remove mention of Debian 7 Wheezy
Packages for Wheezy are no longer built, so remove it
from the list of packages in the README.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c8935f360bc083ed61984a691bcfe19e9cfa1749)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9e724cc033c392764c1bf3b37d40ccb4d2e66bcd
Component: packaging
2018-10-26 14:25:09 +02:00
f88793e75f Restore Type=notify in Systemd unit
Signed-off-by: Valentin Kulesh <valentin.kulesh@virtuozzo.com>
(cherry picked from commit 221b152fde996db4c7571c37f8b934db7f5dda49)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ea2b2cdae5f6eab1bd99d6a79904093bcf8569ea
Component: packaging
2018-10-18 17:14:52 +02:00
f18c1e0a00 Make sure buildtime is always set
This should ensure we don't produce builds without a valid "Built:"
field in the version payload.

Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
Upstream-commit: 9a071a3fbe316ea6d70bc1a5111cbe14ae99aec9
Component: packaging
2018-10-02 10:01:45 -07:00
98e8058b66 Merge pull request #246 from seemethere/metadata_1809
[18.09] Change metadata to be stored in docker-engine
Upstream-commit: 52bc21044c636f7ffcacf5fff5f74e10ab1b6761
Component: packaging
2018-09-28 14:23:25 -07:00
23ba2a13ef Change metadata to be stored in docker-engine
People blow away `/var/lib/docker` all the time so we probably shouldn't
store important data there.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 9391057c9472ba24049b8645c251a4c63894522f)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 865140fc4155481b20f694a4528e04e48eb76de4
Component: packaging
2018-09-26 22:33:01 +00:00