This simplifies `dockerd-rootless.sh` by removing the workaround for
`CDI: Error associated with spec file /etc/cdi: failed to monitor for changes: permission denied`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

In rootless mode, the Engine needs to call the rootless port driver to
know which IP address it should bind to inside of its network namespace.
The slirp4netns port driver doesn't support binding to IPv6 addresses, so
we need to detect that before listening on the port.
Before commit 201968cc0, this wasn't a problem because the Engine was
binding the port, then calling rootless port driver to learn whether the
proto/IP family was supported, and listen on the port if so.
Starting with that commit, the Engine does bind + listen in one go, and
then calls the port driver — this is too late. Fix the bug by checking
if the port driver supports the PortBindingReq, and only allocate the
port if so.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>

Allow other validate checks to finish even if one of them failed.
Sometimes a check is faulty and its failure is expected - in such a case
we want to ignore that one validation failure but still run all the others.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

The bash array usage was wrong - change to a simpler check that just
compares if the diff is empty.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

Historically, the client would downgrade to API v1.24 when failing
to negotiate as this was the API version from before API-version
negotiation was introduced.
Given that those daemons are EOL and those API versions are no longer
supported, we should not fall back to an older API version, and
just continue using the latest / current version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Make the mocked responses match the API more closely:
- Add headers as returned by the daemon's VersionMiddleware
- By default handle "/_ping" requests to allow the client to
perform API-version negotiation as part of tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: https://github.com/golang/crypto/compare/v0.44.0...v0.45.0
Hello gophers,
We have tagged version v0.45.0 of golang.org/x/crypto in order to address two
security issues.
This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a
vulnerability in the golang.org/x/crypto/ssh/agent package which could cause
programs to consume unbounded memory or panic respectively.
SSH servers parsing GSSAPI authentication requests don't validate the number of
mechanisms specified in the request, allowing an attacker to cause unbounded
memory consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58181 and Go issue https://go.dev/issue/76363.
SSH Agent servers do not validate the size of messages when processing new
identity requests, which may cause the program to panic if the message is
malformed due to an out of bounds read.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-47914 and Go issue https://go.dev/issue/76364.
Cheers, Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>