- https://github.com/golang/go/issues?q=milestone%3AGo1.24.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.24.4...go1.24.5

These minor releases include 1 security fix following the security policy:

- cmd/go: unexpected command execution in untrusted VCS repositories

  Various uses of the Go toolchain in untrusted VCS repositories can result in
  unexpected code execution. Using the Go toolchain in directories fetched
  using various VCS tools (such as directly cloning Git or Mercurial repositories)
  can cause the toolchain to execute unexpected commands if said directory
  contains multiple VCS configuration metadata (such as a '.hg' directory in a Git
  repository). This is due to how the Go toolchain attempts to resolve which VCS
  is being used in order to embed build information in binaries and determine
  module versions.

  The toolchain will now abort attempting to resolve which VCS is being used if it
  detects multiple VCS configuration metadata in a module directory or nested VCS
  configuration metadata (such as a '.git' directory in a parent directory and a
  '.hg' directory in a child directory). This will not prevent the toolchain from
  building modules, but will result in binaries omitting VCS related build
  information.

  If this behavior is expected by the user, the old behavior can be re-enabled by
  setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
  repositories.

  Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting
  this issue.

  This is CVE-2025-4674 and https://go.dev/issue/74380.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.5

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
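
A pre-flight check for the condition this fix addresses, added here as an example (not code from the Go toolchain or from this commit): before running `go` in a checkout from an untrusted source, walk up from the module directory and flag more than one kind of VCS metadata, whether side by side or nested. The marker list and the names `FindVCSMetadata` and `Ambiguous` are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Names checked here are an assumption, not the toolchain's own list.
var vcsMarkers = []string{".git", ".hg", ".svn", ".bzr"}

// FindVCSMetadata walks from dir up to stop (inclusive) and returns the path
// of every VCS metadata entry found on the way, innermost first.
func FindVCSMetadata(dir, stop string) ([]string, error) {
	dir, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	if stop, err = filepath.Abs(stop); err != nil {
		return nil, err
	}
	var found []string
	for {
		for _, m := range vcsMarkers {
			if _, err := os.Lstat(filepath.Join(dir, m)); err == nil {
				found = append(found, filepath.Join(dir, m))
			}
		}
		parent := filepath.Dir(dir)
		if dir == stop || parent == dir {
			return found, nil
		}
		dir = parent
	}
}

// Ambiguous reports whether more than one kind of VCS metadata was found.
func Ambiguous(found []string) bool {
	kinds := map[string]bool{}
	for _, p := range found {
		kinds[filepath.Base(p)] = true
	}
	return len(kinds) > 1
}

func main() {
	found, err := FindVCSMetadata(".", string(filepath.Separator))
	fmt.Println(found, Ambiguous(found), err)
}
```

Run from inside the checkout, it prints the metadata entries found between the current directory and the filesystem root, and whether they are of more than one kind.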
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.24.3...go1.24.4

This release includes 3 security fixes following the security policy:

- net/http: sensitive headers not cleared on cross-origin redirect

  Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

  This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.

- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

  os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.

  OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

  Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.

  This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.

- crypto/x509: usage of ExtKeyUsageAny disables policy validation

  Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

  Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.

  This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
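
A regression probe for the os item above (CVE-2025-0913), added here as an example and not taken from the Go project or from this commit: it opens a dangling symlink with O_CREATE|O_EXCL and reports whether the call failed and whether anything was created at the link's target. The names `Result` and `ProbeExclusiveCreate` and the file names are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Result records what an exclusive create through a dangling symlink did.
type Result struct {
	OpenErr       error // error returned by os.OpenFile on the symlink
	TargetCreated bool  // true if a file appeared at the symlink's target
}

// ProbeExclusiveCreate makes a symlink in dir that points at a nonexistent
// file, then calls OpenFile on the link with O_CREATE|O_EXCL.
func ProbeExclusiveCreate(dir string) (Result, error) {
	target := filepath.Join(dir, "target") // never created by this function
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return Result{}, err // e.g. symlinks not permitted on this system
	}
	f, openErr := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if openErr == nil {
		f.Close()
	}
	_, statErr := os.Lstat(target)
	return Result{OpenErr: openErr, TargetCreated: statErr == nil}, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-probe") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	res, err := ProbeExclusiveCreate(dir)
	fmt.Printf("open error: %v, target created: %v, setup error: %v\n",
		res.OpenErr, res.TargetCreated, err)
}
```

With the behaviour the note describes as fixed, the open error is non-nil and no file is created at the target.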
I'm horrible at vim, and use nano as my go-to editor for quick changes.
Let's install nano in the dev-container as alternative to vim for those
like me, who are not so vim-savvy ^O^C^C:wq:
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`moby/vpnkit` now officially pushes a binary image to `moby/vpnkit-bin`
repository on Docker Hub.
Use it to fetch the vpnkit binary.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The syntax was pinned for 1.7 in f696e0d2a7
possibly because it was not yet promoted as "latest stable" at the
time.
I don't think we need to pin to an old version, and just go with
the latest, so that we can use the latest features provided.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This updates the Docker CLI version used for integration-cli tests from
v17.06.2-ce to v18.06.3-ce.
v18.06 is the first one that supports enabling BuildKit.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,

We have just released Go versions 1.24.2 and 1.23.8, minor point releases.

These minor releases include 1 security fix following the security policy:

- net/http: request smuggling through invalid chunked data

  The net/http package accepted data in the chunked transfer encoding
  containing an invalid chunk-size line terminated by a bare LF.
  When used in conjunction with a server or proxy which incorrectly
  interprets a bare LF in a chunk extension as part of the extension,
  this could permit request smuggling.

  The net/http package now rejects chunk-size lines containing a bare LF.

  Thanks to Jeppe Bonde Weikop for reporting this issue.

  This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
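
A strict chunk-size parser for the rule in the release note above, as an added example (not net/http's implementation): any chunk-size line not terminated by CRLF is rejected, including one whose chunk extension contains a bare LF. `DecodeChunked`, `readChunkSize`, `ErrBareLF` and the 16-bit size cap are assumptions of this example, and the input in `main` is constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrBareLF marks a chunk-size line that is not terminated by CRLF.
var ErrBareLF = errors.New("chunk-size line contains a bare LF")

// readChunkSize reads one chunk-size line and ignores chunk extensions.
func readChunkSize(r *bufio.Reader) (uint64, error) {
	line, err := r.ReadString('\n') // stops at the first LF, bare or not
	if err != nil {
		return 0, io.ErrUnexpectedEOF
	}
	if !strings.HasSuffix(line, "\r\n") {
		return 0, ErrBareLF
	}
	size, _, _ := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";")
	return strconv.ParseUint(size, 16, 16) // 16-bit cap bounds allocations
}

// DecodeChunked returns the payload of a chunked body (trailers not handled).
func DecodeChunked(body string) (string, error) {
	r := bufio.NewReader(strings.NewReader(body))
	var out []byte
	for {
		n, err := readChunkSize(r)
		if err != nil {
			return "", err
		}
		if n == 0 {
			return string(out), nil
		}
		data := make([]byte, n+2) // chunk data plus its CRLF
		if _, err := io.ReadFull(r, data); err != nil || string(data[n:]) != "\r\n" {
			return "", errors.New("chunk data truncated or not followed by CRLF")
		}
		out = append(out, data[:n]...)
	}
}

func main() {
	fmt.Println(DecodeChunked("5;a\nhello\r\n0\r\n\r\n")) // constructed input
}
```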
Since commit cfc049c the dev container has been using iptables-nft,
but the Dockerfile configured firewalld to use its iptables backend
(if firewalld is enabled, which it accidentally hasn't been in CI).

The integration tests run ok for a while, then some things start
failing with the less than obvious message:

    Error: COMMAND_FAILED: UNKNOWN_ERROR: nonexistent or underflow of priority count

So, let firewalld use its default nftables backend.

Signed-off-by: Rob Murray <rob.murray@docker.com>
This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.

* Fix a stall issue that would happen if setting `O_CLOEXEC` with
  `CloseExecFrom` failed.
* `runc` now properly handles joining time namespaces (such as with
  `runc exec`). Previously we would attempt to set the time offsets
  when joining, which would fail.
* Handle `EINTR` retries correctly for socket-related direct
  `golang.org/x/sys/unix` system calls.
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
  turns out this had some unfortunate bugs in older kernel versions and was
  never necessary in the first place.
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
  runc-dmz, but we forgot to remove this helper added only for that.
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
  from CI. We need to drop Ubuntu 20.04 from CI because GitHub Actions
  announced it's already deprecated and it will be discontinued soon.

full diff: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- full diff: https://github.com/containerd/containerd/compare/v1.7.25...v1.7.26
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.26

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

- Add support for syncfs after unpack
- Update runc binary to v1.2.55
- Fix race between serve and immediate shutdown on the server
- Reject oversized messages from the sender

Container Runtime Interface (CRI)

- Fix fatal concurrency error in port forwarding

Node Resource Interface (NRI)

- Fix initial sync race when registering NRI plugins
- Add API support for reading Pod IPs
- Fix plugin sync to use multiple messages if ttrpc max message limit is hit
- Update API to pass configured timeouts to plugins.
- Fix mount removal in adjustments
- Close plugin if initial synchronization fails
- Add support for adjusting OOM score
- Add API support for NRI-native CDI injection
- Add support for pids cgroup

Runtime

- Fix console TTY leak in runc shim

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>