Historically, the client would downgrade to API v1.24 when failing
to negotiate as this was the API version from before API-version
negotiation was introduced.
Given that those daemons are EOL and those API versions no longer
supported, we should not fall back to an older API version, and
just continue using the latest / current version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/crypto/compare/v0.44.0...v0.45.0
Hello gophers,
We have tagged version v0.45.0 of golang.org/x/crypto in order to address two
security issues.
This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a
vulnerability in the golang.org/x/crypto/ssh/agent package which could cause
programs to consume unbounded memory or panic respectively.
SSH servers parsing GSSAPI authentication requests don't validate the number of
mechanisms specified in the request, allowing an attacker to cause unbounded
memory consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58181 and Go issue https://go.dev/issue/76363.
SSH Agent servers do not validate the size of messages when processing new
identity requests, which may cause the program to panic if the message is
malformed due to an out of bounds read.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-47914 and Go issue https://go.dev/issue/76364.
Cheers, Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- cpu: add HPDS, LOR, PAN detection for arm64
- cpu: also use MRS instruction in getmmfr1
- cpu: use MRS instruction to read arm64 system registers
- unix: add consts for ELF handling
- unix: add SetMemPolicy and its mode/flag values
- unix: add SizeofNhmsg and SizeofNexthopGrp
- windows: add iphlpapi routing functions
full diff: https://github.com/golang/sys/compare/v0.37.0...v0.38.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- add early returns for `nil` body, `http.NoBody`, and `json.RawMessage`
- use `http.NoBody` instead of `nil` for empty bodies; it's more clear
on intent.
- use json.Encode instead of json.Encoder.Encode(), as we're marshaling
a single JSON document; this also avoid adding a trailing newline.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was setting `text/plain` as default content-type for any
request that had a non-nil body.
However, this would also set the content-type if (e.g.) `http.NoBody` was set,
or if an empty reader was used, which would result in the daemon potentialy
rejecting the request, as it validates request to be using `application/json`;
d9ee22d1ab/daemon/server/httputils/httputils.go (L47-L58)
=== RUN TestCommitInheritsEnv
commit_test.go:30: assertion failed: error is not nil: Error response from daemon: unsupported Content-Type header (text/plain): must be 'application/json'
--- FAIL: TestCommitInheritsEnv (0.02s)
This patch removes setting the default content-type.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When manually setting the API version to use, automatic API version
negotiation should no longer be performed. Instead of keeping track
of these options individually, we can mark negotiation to have happend
if either the version was set manually, or if API version negotiation
took place.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While a manual overridden version shouldn't perform automatic version
negotiation, the "ForceNegotiate" option could still be used to (re)
negotiate a version. This allows a client to be configured with an
initial API version, then triggered to perform API-version negotiation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Environment-variables are expected to override config / defaults, so
make sure that the DOCKER_API_VERSION env-var always takes priority.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make these options more strict to not allow arbitrary values. Historically,
the `DOCKER_API_VERSION` env-var did not perform any validation as it was
intended for testing-purposes, but given the wider use of this env-var,
we should perform some amount of validation.
Both `WithAPIVersion` and `WithAPIVersionFromEnv` still allow specifying
API versions that are not supported by the client for testing purposes
(e.g. to use API versions beyond `MinAPIVersion` and `MaxAPIVersion`),
but must be well-formed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Export trace spans from the github.com/microsoft/hcsshim module, which
is instrumented with OpenCensus, to the daemon's OpenTelemetry exporter
to provide more visibility into Windows container lifecycle operations.
Signed-off-by: Cory Snider <csnider@mirantis.com>
