mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
6f9d1ec3fb
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the
usage of wildcard SANs in the leaf certificate. For example a constraint that
excludes the subdomain test.example.com does not prevent a leaf certificate from
claiming the SAN *.example.com.
This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
75 lines
2.1 KiB
Docker
75 lines
2.1 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
ARG GO_VERSION=1.25.5
|
|
ARG BASE_DEBIAN_DISTRO="bookworm"
|
|
ARG PROTOC_VERSION=3.11.4
|
|
|
|
# protoc is dynamically linked to glibc so can't use alpine base
|
|
FROM golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO} AS base
|
|
RUN apt-get update && apt-get --no-install-recommends install -y git unzip
|
|
ARG PROTOC_VERSION
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
ENV GOTOOLCHAIN=local
|
|
RUN <<EOT
|
|
set -e
|
|
arch=$(echo $TARGETARCH | sed -e s/amd64/x86_64/ -e s/arm64/aarch_64/)
|
|
wget -q https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip
|
|
unzip protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip -d /usr/local
|
|
EOT
|
|
WORKDIR /go/src/github.com/moby/moby
|
|
|
|
FROM base AS src
|
|
WORKDIR /out
|
|
COPY . .
|
|
RUN <<EOT
|
|
set -ex
|
|
git config --global user.email "moby@example.com"
|
|
git config --global user.name "moby"
|
|
git init .
|
|
git add .
|
|
git commit -m 'init'
|
|
EOT
|
|
|
|
FROM base AS tools
|
|
RUN --mount=from=src,source=/out,target=.,rw \
|
|
--mount=type=cache,target=/root/.cache/go-build <<EOT
|
|
set -ex
|
|
go install -v \
|
|
github.com/gogo/protobuf/protoc-gen-gogo \
|
|
github.com/gogo/protobuf/protoc-gen-gogofaster \
|
|
github.com/gogo/protobuf/protoc-gen-gogoslick \
|
|
github.com/golang/protobuf/protoc-gen-go
|
|
go build -v \
|
|
-o /usr/bin/pluginrpc-gen \
|
|
./pkg/plugins/pluginrpc-gen
|
|
EOT
|
|
|
|
FROM tools AS generated
|
|
ENV GO111MODULE=off
|
|
RUN --mount=from=src,source=/out,target=.,rw <<EOT
|
|
set -ex
|
|
go generate -v ./...
|
|
mkdir /out
|
|
git ls-files -m --others -- ':!vendor' 'profiles/seccomp/default.json' '**/*.pb.go' | tar -cf - --files-from - | tar -C /out -xf -
|
|
EOT
|
|
|
|
FROM scratch AS update
|
|
COPY --from=generated /out /
|
|
|
|
FROM base AS validate
|
|
RUN --mount=from=src,source=/out,target=.,rw \
|
|
--mount=type=bind,from=generated,source=/out,target=/generated-files <<EOT
|
|
set -e
|
|
git add -A
|
|
if [ "$(ls -A /generated-files)" ]; then
|
|
cp -rf /generated-files/* .
|
|
fi
|
|
diff=$(git status --porcelain -- ':!vendor' 'profiles/seccomp/default.json' '**/*.pb.go')
|
|
if [ -n "$diff" ]; then
|
|
echo >&2 'ERROR: The result of "go generate" differs. Please update with "make generate-files"'
|
|
echo "$diff"
|
|
exit 1
|
|
fi
|
|
EOT
|