full diff: db3c7e526a...2eb08e3e57
- Add support for detecting netns for all possible QoS in Kubernetes
- Add go1.10 build constraint
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.3...v3.1.0
noteworthy changes:
- ci: add go1.16
- ci: add go1.17, remove go1.13
- golden: only create dir if update flag is set
- icmd: replace all usages of os/exec with golang.org/x/sys/execabs
- assert: ErrorIs
- fs: add DirFromPath
- Stop creating directory outside of testdata
- fs: Fix comparing symlink permissions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/pelletier/go-toml/compare/v1.9.1...v1.9.4
- Add Encoder.CompactComments to omit extra new line
- Clarify license and comply with Apache 2.0
- feat(tomll): add multiLineArray flag to linter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/continuity/compare/v0.1.0...v0.2.2
- fs/stat: add FreeBSD, and cleanup some nolint-comments
- go.mod: bazil.org/fuse v0.0.0-20200407214033-5883e5a4b5125
- Fix darwin issues
- Remove direct dependency on github.com/pkg/errors
- Do not log errors before returning them
- Build containerd/continuity on multiple Unix OSes
- Update CI Go version to 1.17
- fs: use syscall.Timespec.Unix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/tools/compare/v0.1.0...v0.1.5
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/mod/compare/v0.4.1...v0.4.2
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A copy of Go's archive/tar packge was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.
glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.
The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.
Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.
Fixes#42402
Signed-off-by: Cory Snider <csnider@mirantis.com>
full diff: https://github.com/fsnotify/fsnotify/compare/v1.4.9...v1.5.1
Relevant changes:
- Fix unsafe pointer conversion
- Drop support/testing for Go 1.11 and earlier
- Update x/sys to latest
- add //go:build lines
- add go 1.17 to test matrix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: bf48bf16ab...f6687ab280
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like the `replace` rule was also matching what we're already vendoring,
so we can remove it:
github.com/containerd/containerd v1.5.8 => github.com/containerd/containerd v1.5.8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: e18ecbb051...69e39bad7d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: 3af7569d3a...f0f3c7e86c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
