These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the
usage of wildcard SANs in the leaf certificate. For example a constraint that
excludes the subdomain test.example.com does not prevent a leaf certificate from
claiming the SAN *.example.com.
This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Includes a change to use go.dev/dl instead of storage.googleapis.com/golang
as fallback URL, because storage.googleapis.com/golang is deprecated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I recently had a great time to find out why the tmpfs mode provided did not work
until I found out that the API does not expect octal values but decimal ones.
Therefore, this PR will hopefully clarify the logic and prevent user questions in the future
Signed-off-by: Kai Harder <kai.harder@sap.com>
Do not require replace rules to be added if there's no code-changes
in the module. Note that changes in api/swagger.yaml may result in
changes in generated code, but this should be checked separate from
the swagger itself.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When inspecting multi-platform images where some layer blobs were
missing from the content store, the image inspect operation would return
too early causing some data (like config details or unpacked size) to be
omitted even though are available.
This ensures that `docker image inspect` returns as much information as
possible.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The value was calculated, but due to 0af2962fdd
changing to a non-pointer, the value was not written back to the resulting
slice.
Before this patch:
docker pull nginx:alpine
docker pull alpine
docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
nginx alpine cbad6347cca2 4 weeks ago 53.4MB N/A N/A 0
alpine latest 171e65262c80 7 weeks ago 8.51MB N/A N/A 0
With this patch:
docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
nginx alpine cbad6347cca2 4 weeks ago 53.4MB 8.512MB 44.91MB 0
alpine latest 171e65262c80 7 weeks ago 8.51MB 8.512MB 0B 0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In rootless mode, the Engine needs to call the rootless port driver to
know which IP address it should bind to inside of its network namespace.
The slirp4netns port drivers doesn't support binding to IPv6 address, so
we need to detect that before listening on the port.
Before commit 201968cc0, this wasn't a problem because the Engine was
binding the port, then calling rootless port driver to learn whether the
proto/IP family was supported, and listen on the port if so.
Starting with that commit, the Engine does bind + listen in one go, and
then calls the port driver — this is too late. Fix the bug by checking
if the port driver supports the PortBindingReq, and only allocate the
port if so.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Don't build the dev image separately for each validation.
Build it once and then cache it so the validations can reuse it.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Allow other validate checks to finish even if one of them failed.
Sometimes a check is faulty and its failure is expected - in such case
we want to ignore that one validation fail but still run all the others.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The bash array usage was wrong - change to a simpler check that just
compares if the diff is empty.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Historically, the client would downgrade to API v1.24 when failing
to negotiate as this was the API version from before API-version
negotiation was introduced.
Given that those daemons are EOL and those API versions no longer
supported, we should not fall back to an older API version, and
just continue using the latest / current version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
