full diff: 7c1e88399e...481103c879
- Fix error handling for task deletion
- Fix fd leak of shim log
- Fix killall when use pidnamespace
- Improve ARM platform matching
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes sure that we don't become vulnerable to CVE-2018-17419 or
CVE-2019-19794 in the future. While we are not currently vulnerable to
either, there is a risk that a PR could be made which uses one of the
vulnerable methods in the future, so it's worth going ahead and updating
to ensure that a simple PR that would easily pass code review doesn't
lead to a vulnerability.
Signed-off-by: Sam Whited <sam@samwhited.com>
This version avoids doing name lookups on creating tarball that
should be avoided in to not hit loading glibc shared libraries.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
full diff: https://github.com/grpc/grpc-go/compare/v1.23.0...v1.23.1
- grpc/grpc-go#3018 server: set and advertise max frame size of 16KB
- grpc/grpc-go#3017 grpclb: fix deadlock in grpclb connection cache
- Before the fix, if the timer to remove a SubConn fires at the
same time NewSubConn cancels the timer, it caused a mutex leak
and deadlock.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 39ad39d220)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 5215b1806f...v1.3.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 12c7541f1f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 88737f569e...69ecbb4d6d
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b606c8e440)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Among other things, this is required to pull in
microsoft/hcsshim#718
Also fixesmicrosoft/hcsshim#737
which was caught by checks while attempting to bump
up hcsshim version.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
(cherry picked from commit a7b6c3f0bf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
full diff:
3eb39382bf...d9a6682a4d
- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX
- docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go
Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit df7b8f458a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change caused a regression, causing the DOCKER-USER chain
to not be created, despite iptables being enabled on the daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The patch made in docker/libnetwork#2450 caused a breaking change in the
networking behaviour, causing Kubernetes installations on Docker Desktop
(and possibly other setups) to fail.
Rolling back this change in the 19.03 branch while we investigate if there
are alternatives.
diff: 45c710223c...96bcc0dae8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: bbe341867e...f35d9100f2
changes included:
- docker/swarmkit#2891 [19.03 backport] Remove hardcoded IPAM config subnet value for ingress network
- backport of docker/swarmkit#2890 Remove hardcoded IPAM config subnet value for ingress network
- fixes [ENGORC-2651] Specifying --default-addr-pool for docker swarm init is not picked up by ingress network
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: fcdddc395d...v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 720b66ee1f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 09cdcc8c0e...92d1fbe1eb
relevant changes included (omitting some changes that were added _and_ reverted in this bump):
- docker/libnetwork#2433 Fix parseIP error when parseIP before get AddressFamily
- fixesdocker/libnetwork#2431 parseIP Error ip=[172 17 0 2 0 0 0 0 0 0 0 0 0 0 0 0]
- https://github.com/docker/libnetwork/issues/2289
- this was a regression introduced in docker/libnetwork#2416 Fix hardcoded AF_INET for IPv6 address handling
- docker/libnetwork#2440 Bump hashicorp go-sockaddr v1.0.2, go-multierror v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bab58c1924)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diffs:
- fc5a7d91d5...62a13ae87c
- b2de5d10e3...v1.0.0
- 604eaf189e...13995c7128ccc8e51e9a6bd2b551020a27180abd
notable changes in libnetwork:
- docker/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- docker/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- addresses docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- docker/libnetwork#2394 Make DNS records and queries case-insensitive
- addresses moby/moby#28689 Embedded DNS is case-sensitive
- addresses moby/moby#21169 hostnames with new networking are case-sensitive
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 344b093258)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
