server: prohibit more than MaxConcurrentStreams handlers from running at once
(CVE-2023-44487).
In addition to this change, applications should ensure they do not leave running
tasks behind related to the RPC before returning from method handlers, or should
enforce appropriate limits on any such work.
- https://github.com/grpc/grpc-go/compare/v1.56.2...v1.56.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Please the linters in preparation of updating golangci-lint;
- remove dot-imports
- add some checks for unhandled errors
- replace some fixed-value variables for consts
cli/command/image/build/context.go:238:17: G107: Potential HTTP request made with variable url (gosec)
if resp, err = http.Get(url); err != nil {
^
cli/command/idresolver/idresolver_test.go:7:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/registry_test.go:7:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/cli/command" // Prevents a circular import with "github.com/docker/cli/internal/test"
^
cli/command/task/print_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/swarm/update_test.go:10:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/swarm/unlock_key_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/swarm/join_token_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/node/list_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/node/promote_test.go:8:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/node/demote_test.go:8:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package functions
^
cli/command/node/ps_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/node/update_test.go:8:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/node/inspect_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package functions
^
cli/command/secret/ls_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/secret/inspect_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/volume/inspect_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/volume/list_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/config/inspect_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/config/ls_test.go:11:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/network/list_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders"
^
cli/command/container/list_test.go:10:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/service/list_test.go:12:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders"
^
cli/command/service/client_test.go:6:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/stack/list_test.go:8:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/stack/services_test.go:9:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
cli/command/stack/ps_test.go:10:2: dot-imports: should not use dot imports (revive)
. "github.com/docker/cli/internal/test/builders" // Import builders to get the builder function as package function
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker swarm update` command does not have a `--quiet` flag, but this
test was trying to set it.
docker swarm update --help
Usage: docker swarm update [OPTIONS]
Update the swarm
Options:
--autolock Change manager autolocking setting (true|false)
--cert-expiry duration Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
--dispatcher-heartbeat duration Dispatcher heartbeat period (ns|us|ms|s|m|h) (default 5s)
--external-ca external-ca Specifications of one or more certificate signing endpoints
--max-snapshots uint Number of additional Raft snapshots to retain
--snapshot-interval uint Number of log entries between Raft snapshots (default 10000)
--task-history-limit int Task history retention limit (default 5)
The test didn't catch this issue, because errors when setting the flag were
not handled, so also adding error-handling;
=== Failed
=== FAIL: cli/command/swarm TestSwarmUpdate (0.00s)
update_test.go:177: assertion failed: error is not nil: no such flag -quiet
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Paths in the advanced / compose-file format are not converted
to be platform-specific, so for these tests, it should not be
needed to convert the paths to be Windows-paths.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
use the golden utility instead of self-crafting expected output,
this allows automatically updating the expected output.
This change does break this specific test on Windows due to platform-
specific paths. Other tests already have this issue on Windows, so
skipping the test for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removed broken link in #937
- How I did it
Removed first section of CONTRIBUTING.md
- How to verify it
Check CONTRIBUTING.md
- Description for the changelog
Removed broken link in contributing to Docker documentation.
A picture of a cute animal (not mandatory but encouraged)
Closes #937
Signed-off-by: achneerov <achneerov@gmail.com>
full diff: https://github.com/golang/net/compare/v0.10.0...v0.17.0
This fixes the same CVE as go1.21.3 and go1.20.10;
- net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
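The handler accounting described in the advisory above (and in the grpc-go note at the top of this log), as an added example that is not code from this commit, net/http or golang.org/x/net. The `conn` type, `rapidReset` and the queue bound of 1000 are hypothetical; only the 250-stream default comes from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
)

var errConnClosed = errors.New("request queue too large: connection terminated")

// conn is a hypothetical model of one HTTP/2 connection's accounting;
// it is not the net/http or x/net implementation.
type conn struct {
	limit    int  // stream concurrency limit (MaxConcurrentStreams)
	maxQueue int  // assumed bound on queued requests
	bounded  bool // true: handlers are capped at limit (patched behaviour)
	running, queued int
}

// request models HEADERS immediately followed by RST_STREAM. The reset
// frees the stream slot, so the stream limit alone never blocks the client.
func (c *conn) request() error {
	if !c.bounded || c.running < c.limit {
		c.running++ // handler starts and keeps executing after the reset
		return nil
	}
	c.queued++ // patched: wait until a running handler exits
	if c.queued > c.maxQueue {
		return errConnClosed
	}
	return nil
}

// rapidReset sends n create+reset pairs before any handler finishes and
// returns how many handlers are executing at once when it stops.
func rapidReset(limit, maxQueue, n int, bounded bool) (int, error) {
	c := &conn{limit: limit, maxQueue: maxQueue, bounded: bounded}
	for i := 0; i < n; i++ {
		if err := c.request(); err != nil {
			return c.running, err
		}
	}
	return c.running, nil
}

func main() {
	fmt.Println(rapidReset(250, 1000, 5000, false)) // unbounded handlers
	fmt.Println(rapidReset(250, 1000, 5000, true))  // capped, then closed
}
```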
- Fix storageDriver gcs not registered in binaries
- reference: replace uses of deprecated function SplitHostname
- Don't parse errors as JSON unless Content-Type is set to JSON
- update to go1.20.8
- Set Content-Type header in registry client ReadFrom
- deprecate reference package, migrate to github.com/distribution/reference
- digestset: deprecate package in favor of go-digest/digestset
- Do not close HTTP request body in HTTP handler
full diff: https://github.com/distribution/distribution/compare/v2.8.2...v2.8.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.21.3 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.21.3 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3
From the security mailing:
[security] Go 1.21.3 and Go 1.20.10 are released
Hello gophers,
We have just released Go versions 1.21.3 and 1.20.10, minor point releases.
These minor releases include 1 security fix following the security policy:
- net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.21.2 (released 2023-10-05) includes one security fix to the cmd/go package,
as well as bug fixes to the compiler, the go command, the linker, the runtime,
and the runtime/metrics package. See the Go 1.21.2 milestone on our issue
tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.21.2+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.21.1...go1.21.2
From the security mailing:
[security] Go 1.21.2 and Go 1.20.9 are released
Hello gophers,
We have just released Go versions 1.21.2 and 1.20.9, minor point releases.
These minor releases include 1 security fix following the security policy:
- cmd/go: line directives allows arbitrary execution during build
"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploiting this issue significantly more
complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>