In a multi-module repository, the top-level LICENSE file is used for
all modules in the repository. However, when using a "replace" rule,
the vendored file is removed, but added back when removing the replace
rule.
This patch adds copies of the license to each of the modules to reduce
code-churn; these are vanilla copies downloaded from;
https://www.apache.org/licenses/LICENSE-2.0.txt
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the
usage of wildcard SANs in the leaf certificate. For example a constraint that
excludes the subdomain test.example.com does not prevent a leaf certificate from
claiming the SAN *.example.com.
This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Includes a change to use go.dev/dl instead of storage.googleapis.com/golang
as fallback URL, because storage.googleapis.com/golang is deprecated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I recently had a great time to find out why the tmpfs mode provided did not work
until I found out that the API does not expect octal values but decimal ones.
Therefore, this PR will hopefully clarify the logic and prevent user questions in the future
Signed-off-by: Kai Harder <kai.harder@sap.com>
Do not require replace rules to be added if there's no code-changes
in the module. Note that changes in api/swagger.yaml may result in
changes in generated code, but this should be checked separate from
the swagger itself.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When inspecting multi-platform images where some layer blobs were
missing from the content store, the image inspect operation would return
too early causing some data (like config details or unpacked size) to be
omitted even though are available.
This ensures that `docker image inspect` returns as much information as
possible.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The value was calculated, but due to 0af2962fdd
changing to a non-pointer, the value was not written back to the resulting
slice.
Before this patch:
docker pull nginx:alpine
docker pull alpine
docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
nginx alpine cbad6347cca2 4 weeks ago 53.4MB N/A N/A 0
alpine latest 171e65262c80 7 weeks ago 8.51MB N/A N/A 0
With this patch:
docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
nginx alpine cbad6347cca2 4 weeks ago 53.4MB 8.512MB 44.91MB 0
alpine latest 171e65262c80 7 weeks ago 8.51MB 8.512MB 0B 0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In rootless mode, the Engine needs to call the rootless port driver to
know which IP address it should bind to inside of its network namespace.
The slirp4netns port drivers doesn't support binding to IPv6 address, so
we need to detect that before listening on the port.
Before commit 201968cc0, this wasn't a problem because the Engine was
binding the port, then calling rootless port driver to learn whether the
proto/IP family was supported, and listen on the port if so.
Starting with that commit, the Engine does bind + listen in one go, and
then calls the port driver — this is too late. Fix the bug by checking
if the port driver supports the PortBindingReq, and only allocate the
port if so.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Don't build the dev image separately for each validation.
Build it once and then cache it so the validations can reuse it.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
