Commit Graph

54374 Commits

Author SHA1 Message Date
Paweł Gronowski
0aed907a86 update to go1.24.8
This minor release includes 10 security fixes following the security policy:

- net/mail: excessive CPU consumption in ParseAddress

    The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.

    Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

    This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.

- crypto/x509: quadratic complexity when checking name constraints

    Due to the design of the name constraint checking algorithm, the processing time
    of some inputs scales non-linearly with respect to the size of the certificate.

    This affects programs which validate arbitrary certificate chains.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.

- crypto/tls: ALPN negotiation errors can contain arbitrary text

    The crypto/tls conn.Handshake method returns an error on the server-side when
    ALPN negotiation fails which can contain arbitrary attacker controlled
    information provided by the client-side of the connection which is not escaped.

    This affects programs which log these errors without any additional form of
    sanitization, and may allow injection of attacker controlled information into
    logs.

    Thanks to National Cyber Security Centre Finland for reporting this issue.

    This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.

- encoding/pem: quadratic complexity when parsing some invalid inputs

    Due to the design of the PEM parsing function, the processing time for some
    inputs scales non-linearly with respect to the size of the input.

    This affects programs which parse untrusted PEM inputs.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.

- net/url: insufficient validation of bracketed IPv6 hostnames

    The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

    Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.

    This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.

- encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

    When parsing DER payloads, memory was being allocated prior to fully validating the payloads.
    This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.

- net/http: lack of limit when parsing cookies can cause memory exhaustion

    Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
    By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

    net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.

    Thanks to jub0bs for reporting this issue.

    This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.

- crypto/x509: panic when validating certificates with DSA public keys

    Validating certificate chains which contain DSA public keys can cause programs
    to panic, due to an interface cast that assumes they implement the Equal method.

    This affects programs which validate arbitrary certificate chains.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.

- archive/tar: unbounded allocation when parsing GNU sparse map

    tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.

    Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.

    This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.

- net/textproto: excessive CPU consumption in Reader.ReadResponse

    The Reader.ReadResponse function constructed a response string through
    repeated string concatenation of lines. When the number of lines in a response is large,
    this could cause excessive CPU consumption.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-10-07 15:49:36 -05:00
Sebastiaan van Stijn
104d26b53c Merge pull request #51125 from jsternberg/gcpolicy-invalid-calculations
builder: use proper percentage calculations for default gc policy
2025-10-07 19:07:31 +02:00
Paweł Gronowski
b5aae8df00 Merge pull request #51124 from crazy-max/ci-fix-sum
ci: fix cache for go modules
2025-10-07 17:24:02 +02:00
Jonathan A. Sternberg
1a7d7cc015 builder: use proper percentage calculations for default gc policy
The default gc policy calculations based on percentage were calculated
improperly. These were calculated correctly in buildkit, but the
calculation method was not copied over correctly when updating the
values.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
2025-10-07 10:18:17 -05:00
CrazyMax
dbcbe87d52 ci: fix cache for go modules
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-10-07 16:29:10 +02:00
Sebastiaan van Stijn
8d4cb6e071 Merge pull request #51101 from thaJeztah/less_dockerversion
daemon: stop propagating Image.DockerVersion, Plugin.Config.DockerVersion fields
2025-10-07 13:01:13 +02:00
Sebastiaan van Stijn
86c418ff49 Merge pull request #51118 from crazy-max/ci-cache-fixes
ci: update gha cache attributes
2025-10-07 12:17:43 +02:00
Sebastiaan van Stijn
a8dd9c5025 daemon/pkg/plugin: stop propagating Plugin.Config.DockerVersion field
The DockerVersion field was present for informational purposes, but was
not used anywhere. This patch stops propagating the field, which also
reduces the number of places where the `dockerversion` package is used,
which still needs a new home.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-07 11:46:52 +02:00
CrazyMax
1d3687aeee ci: update gha cache attributes
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-10-07 10:12:22 +02:00
Sebastiaan van Stijn
a99b7947e1 daemon: stop propagating Image.DockerVersion field
The DockerVersion field was used by the legacy builder, and set when
importing an image; when importing an image, this would potentially
result in less reproducible images, as the docker version used to import
the image would be encoded in the image's "v1" fields.

For the legacy builder, including the version of docker used to build
the image could still be useful information (but could be set as comment,
similar to what BuildKit does), however, many code paths were also shared
with other parts of the code; e.g., when listing images or inspecting images,
the `DockerVersion` field would always be set to the current version of
the docker daemon, and not taken from the information available in the
image (if any).

This patch removes locations where the `DockerVersion` field was set to
the current version of the daemon binary. When inspecting an image, the
field is still set with the information in the image itself (which may
be empty in most cases).

This also reduces the number of places where the `dockerversion` package
is used, which still needs a new home.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-07 09:00:09 +02:00
Austin Vazquez
19e498ea65 Merge pull request #51096 from austinvazquez/rework-go-mod-vendor-checks
Rework Go mod tidy/vendor checks
2025-10-06 17:09:38 -07:00
Austin Vazquez
f6e1bf2808 Rework Go mod tidy/vendor checks
This change reworks the Go mod tidy/vendor checks to run for all tracked Go modules by the project and fail for any uncommitted changes.

Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
2025-10-06 14:43:30 -05:00
Sebastiaan van Stijn
694e30abff Merge pull request #51109 from thaJeztah/deprecate_plugin_dockerversion
api/types/plugin: deprecate Config.DockerVersion field
2025-10-06 16:35:09 +02:00
Sebastiaan van Stijn
2e9531ec35 Merge pull request #51098 from thaJeztah/fix_image_inspect_legacy
image inspect: fix legacy fields for API < v1.52 response
2025-10-06 16:34:22 +02:00
Akihiro Suda
58fdbd13e6 Merge pull request #51108 from thaJeztah/bump_devtools
Dockerfile: update docker CLI v28.5.0, buildx v0.29.1, compose v2.40.0
2025-10-06 22:41:21 +09:00
Sebastiaan van Stijn
45a728a13b image inspect: fix legacy fields for API < v1.52 response
This was a mistake I made in eafca64a6b,
which was extracted from a set of changes that I had in progress, but
I forgot that patch was unfinished (whoops!); before that commit, the
legacy "Config" fields were handled through the `inspectCompatResponse`,
which applied the legacy fields to the `Config` struct within the image
inspect response.

When changing the implementation to use the `compat` package, those
fields were applied at the top-level of the response, instead of the
`Config`; additional changes were needed for the `compat` package to
support pathing nested structs, and to prevent "extra" fields from
overwriting fields that already existed in the response; these changes
were implemented in e204ba1dca.

This patch:

- Removes the old `inspectCompatResponse` implementation, which was
  no longer used.
- Updates the router to patch the `Config` fields, using the fixes
  and enhancements that were implemented in e204ba1dca.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 15:12:11 +02:00
Sebastiaan van Stijn
3c4bd367e1 Merge pull request #51099 from thaJeztah/consistent_alias
use consistent alias for docker image spec
2025-10-06 14:51:09 +02:00
Sebastiaan van Stijn
e9c28e684e Merge pull request #51100 from thaJeztah/linty_nits
daemon/images: minor linting fixes
2025-10-06 14:50:31 +02:00
Sebastiaan van Stijn
fdd61821da use consistent alias for docker image spec
This package was aliased as "imagespec" in some places, and "dockerspec"
in other places, which made it easy to confuse.

Change all uses of this package to be aliased as "dockerspec" and configure
an "importas" linting check to enforce it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 14:24:41 +02:00
Sebastiaan van Stijn
c4fda95bea api/types/plugin: deprecate Config.DockerVersion field
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 14:19:53 +02:00
Sebastiaan van Stijn
4302ae9d1a Merge pull request #51102 from thaJeztah/move_more_imagebackendopts
daemon/server: move GetImageOpts, ImageInspectOpts to imagebackend
2025-10-06 14:17:32 +02:00
Sebastiaan van Stijn
b0c5090275 Merge pull request #51106 from thaJeztah/rm_deprecated_utils
integration-cli: remove deprecated buildImageSuccessfully, buildImage utilities
2025-10-06 12:45:40 +02:00
Sebastiaan van Stijn
8ddcbbd612 Merge pull request #51094 from austinvazquez/consolidate-api-port-types
Consolidate api port types
2025-10-06 12:35:15 +02:00
Sebastiaan van Stijn
4044497f86 Merge pull request #51104 from thaJeztah/deprecate_legacy_inspect_fields
api/types/image: InspectResponse: deprecate Parent, DockerVersion
2025-10-06 11:42:05 +02:00
Sebastiaan van Stijn
93ea597dde Merge pull request #51097 from thaJeztah/compat_recurse
daemon/internal/compat: add extra fields recursively, and don't replace
2025-10-06 11:41:15 +02:00
Sebastiaan van Stijn
a9a1ac3c45 Dockerfile: update compose to v2.40.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 11:21:46 +02:00
Sebastiaan van Stijn
94ab6a9c5e Dockerfile: update buildx to v0.29.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 11:21:07 +02:00
Sebastiaan van Stijn
b9ac2cea0c Dockerfile: update cli to v28.5.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 11:19:20 +02:00
Sebastiaan van Stijn
222a3fe94e integration-cli: remove deprecated buildImage utility
This was deprecated in 50c4475df6, which
introduced the cli test-utils package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-06 10:21:52 +02:00
Sebastiaan van Stijn
bd8a99b400 api/types/image: InspectResponse: deprecate Parent, DockerVersion
The image inspect response has various fields that were deprecated as
part of the legacy builder, or Dockerfile syntax:

- The `Parent` field is only used for the legacy builder, and only set for
  images that are built locally (i.e., not persisted when pulling an image).
- The `DockerVersion` field is only set when building images with the legacy
  builder, and empty in most cases.

This patch deprecates the fields in the `InspectResponse` go struct, as
these fields will no longer be set in future once the legacy builder is
removed (`Parent`, `DockerVersion`). The legacy builder was deprecated in
[cli@4d8e457] / [cli@fd22746] (docker 23.0, API v1.42); however, the related
API fields were kept so that information of legacy images would not be
discarded.

The API continues to return these fields if set, allowing the client to
print the fields for informational purposes when printing the raw response,
but these fields should be considered "transitional", and not be depended
on; deprecating the fields helps raise awareness.

[cli@4d8e457]: 4d8e45782b
[cli@fd22746]: fd2274692f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-05 23:00:18 +02:00
Sebastiaan van Stijn
288b9f033b integration-cli: remove deprecated buildImageSuccessfully utility
This was deprecated in 50c4475df6, which
introduced the cli test-utils package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-05 17:27:26 +02:00
Sebastiaan van Stijn
15bef6ff1a daemon/server: move GetImageOpts, ImageInspectOpts to imagebackend
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-05 13:41:22 +02:00
Sebastiaan van Stijn
95e77d6861 daemon/images: minor linting fixes
Minor issues to make my IDE happy:

- rename var that shadowed import
- rename vars to use the correct camelCase format
- fix minor grammar / formatting in comments

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-05 13:21:19 +02:00
Sebastiaan van Stijn
e204ba1dca daemon/internal/compat: add extra fields recursively, and don't replace
This was a bit of an oversight; when setting additional fields to add,
the compat package currently replaces fields unconditionally. This may
have sounded like an OK idea, but it makes it more complicated to augment
responses where current versions use an "omitempty", but older API versions
should return default / zero-values.

This patch:

- Changes the meaning of "extra fields"; extra fields are only used if
  the field is not present in the response.
- Makes the merging of "extra fields" recursive; this makes it easier
  to patch responses where extra fields must be added to nested structs.
  Previously, this would require the nested struct to be wrapped with a
  `compat.Wrap` and replaced as a whole; lacking a "replace" option made
  that more complicated, so making the extra fields recursive.
- Comment-out a test that tested the old behavior of replacing fields;
  we currently have no cases where we must _replace_ fields or structs,
  so I did not yet implement such an option, but we can implement a
  `WithReplaceFields` (e.g.) once there's a need.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-04 15:09:22 +02:00
Sebastiaan van Stijn
f739c61c69 Merge pull request #51072 from thaJeztah/image_inspect_omit_legacy
api: omit legacy fields from image inspect if not set
2025-10-04 10:31:14 +02:00
Austin Vazquez
42299d751a Merge pull request #51071 from thaJeztah/client_legacy_api_tests
client: reduce uses of obsolete API versions in tests
2025-10-03 17:00:37 -07:00
Austin Vazquez
50269e6e39 api/types/swarm: remove PortConfigProtocol
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
2025-10-03 17:34:09 -05:00
Austin Vazquez
ea76dbefeb api/types/swarm: deprecate PortConfigProtocol
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
2025-10-03 17:34:00 -05:00
Austin Vazquez
c646091d57 api: move container port type to network package
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
2025-10-03 17:30:42 -05:00
Sebastiaan van Stijn
038bfbfbd4 api: omit legacy fields from image inspect if not set
The image inspect response has various fields that are either optional,
or only used if the image was built using the deprecated legacy builder.
This patch marks them as "omitempty" to omit them from the response if
not set:

- The `Parent` field is only used for the legacy builder, and only set for
  images that are built locally (i.e., not persisted when pulling an image).
- The `Comment` field is optional, and may not be set, depending on how the
  image is produced.
- The `DockerVersion` field is only set when building images with the legacy
  builder, and empty in most cases.
- The `Author` field can be set through the `MAINTAINER` instruction in
  Dockerfiles, and through the `--author` option on `docker commit`, but
  is optional, and won't be set in most situations.

With this patch:

On API v1.52

    DOCKER_API_VERSION=v1.52 docker inspect busybox
    [
        {
            "Id": "sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e",
            "RepoTags": ["busybox:latest"],
            "RepoDigests": ["busybox@sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e"],
            "Created": "2024-09-26T21:31:42Z",
            "Config": {
                "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
                "Cmd": ["sh"]
            },
            "Architecture": "arm64",
            "Variant": "v8",
            "Os": "linux",
            "Size": 1913388,
            "RootFS": {
                "Type": "layers",
                "Layers": ["sha256:6aba5e0d32d91e3e923854dcb30588dc4112bfa1dae82b89535ad31d322a7b19"]
            },
            "Metadata": {
                "LastTagTime": "2025-10-03T22:24:18.440035424Z"
            },
            "Descriptor": {
                "mediaType": "application/vnd.oci.image.index.v1+json",
                "digest": "sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e",
                "size": 9535
            }
        }
    ]

On API v1.51 or lower:

    DOCKER_API_VERSION=v1.51 docker inspect busybox
    [
        {
            "Architecture": "arm64",
            "Author": "",
            "Cmd": null,
            "Comment": "",
            "Config": {
                "Cmd": ["sh"],
                "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
            },
            "Created": "2024-09-26T21:31:42Z",
            "Descriptor": {
                "digest": "sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e",
                "mediaType": "application/vnd.oci.image.index.v1+json",
                "size": 9535
            },
            "DockerVersion": "",
            "Entrypoint": null,
            "Env": null,
            "Id": "sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e",
            "Labels": null,
            "Metadata": {
                "LastTagTime": "2025-10-03T22:24:18.440035424Z"
            },
            "OnBuild": null,
            "Os": "linux",
            "Parent": "",
            "RepoDigests": ["busybox@sha256:d82f458899c9696cb26a7c02d5568f81c8c8223f8661bb2a7988b269c8b9051e"],
            "RepoTags": ["busybox:latest"],
            "RootFS": {
                "Layers": ["sha256:6aba5e0d32d91e3e923854dcb30588dc4112bfa1dae82b89535ad31d322a7b19"],
                "Type": "layers"
            },
            "Size": 1913388,
            "User": "",
            "Variant": "v8",
            "Volumes": null,
            "WorkingDir": ""
        }
    ]

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-04 00:30:40 +02:00
Austin Vazquez
9069e681b1 Merge pull request #51095 from thaJeztah/sync_swagger_docs
api: docs: sync v1.52 yaml
2025-10-03 15:17:28 -07:00
Sebastiaan van Stijn
4763719552 Merge pull request #51073 from thaJeztah/server_side_autorm
daemon, client: remove version-gate for daemon-side AutoRemove
2025-10-04 00:01:00 +02:00
Sebastiaan van Stijn
e5a66cb6d6 Merge pull request #51093 from austinvazquez/add-check-for-missing-go-sum
Add existence check for go.mod and go.sum files
2025-10-04 00:00:22 +02:00
Sebastiaan van Stijn
f289cb2d7c api: docs: sync v1.52 yaml
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-03 23:53:46 +02:00
Sebastiaan van Stijn
73bacc61b3 Merge pull request #50953 from ndeloof/ndjson
fix content-type declared by /events API
2025-10-03 23:50:58 +02:00
Sebastiaan van Stijn
88adc28731 Merge pull request #50956 from corhere/api-netip-types
api: change IP address fields over to netip types
2025-10-03 23:10:04 +02:00
Cory Snider
d6899ca5a5 api/types/registry: use netip types as appropriate
Signed-off-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-10-03 21:41:21 +02:00
Cory Snider
fd4329a620 api/types/container: use netip types as appropriate
Signed-off-by: Cory Snider <csnider@mirantis.com>
2025-10-03 21:39:14 +02:00
Cory Snider
d5c838dc5e internal: move sliceutil from daemon/internal
These utilities are very handy to use in integration tests, too. Move
the package so it can be imported by them.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2025-10-03 21:39:14 +02:00
Cory Snider
a90adb6dc1 api/types/network: use netip types as appropriate
And generate the ServiceInfo struct from the Swagger spec.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2025-10-03 21:39:14 +02:00