Commit graph

116 commits

Author SHA1 Message Date
Sebastiaan van Stijn
3886faced8
vendor: golang.org/x/text v0.8.0
full diff: https://github.com/golang/text/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:53:50 +02:00
Sebastiaan van Stijn
9752e43644
vendor: golang.org/x/sys v0.6.0
full diff: https://github.com/golang/sys/compare/v0.5.0...v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:52 +01:00
Cory Snider
25b51cad3d libnetwork: replace ad-hoc semaphore implementation
...for limiting concurrent external DNS requests with
"golang.org/x/sync/semaphore".Weighted. Replace the ad-hoc rate limiter
for when the concurrency limit is hit (which contains a data-race bug)
with "golang.org/x/time/rate".Sometimes.

Immediately retrying with the next server if the concurrency limit has
been hit just further compounds the problem. Wait on the semaphore and
refuse the query if it could not be acquired in a reasonable amount of
time.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-16 19:05:59 -05:00
Sebastiaan van Stijn
a36286cf89
vendor: golang.org/x/net v0.7.0
This addresses the same CVE as is patched in go1.19.6. From that announcement:

> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-14 21:00:09 +01:00
Sebastiaan van Stijn
a53b44a266
vendor: golang.org/x/sys v0.5.0
full diff: https://github.com/golang/sys/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-14 20:58:24 +01:00
Sebastiaan van Stijn
65c6ba1fc4
vendor: golang.org/x/net v0.5.0
contains a fix for CVE-2022-41721, although it probably does not affect us.

full diff: https://github.com/golang/net/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-17 14:34:05 +01:00
Sebastiaan van Stijn
e66e6bb28a
vendor: golang.org/x/sys v0.4.0
full diff: https://github.com/golang/sys/compare/v0.3.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-17 14:09:18 +01:00
Bjorn Neergaard
d42495033e
daemon/config: support alternate (common) unicode encodings using a BOM
This is a pragmatic but impure choice, in order to better support the
default tools available on Windows Server, and reduce user confusion due
to otherwise inscrutable-to-the-uninitiated errors like the following:

> invalid character 'þ' looking for beginning of value
> invalid character 'ÿ' looking for beginning of value

While meaningful to those who are familiar with and are equipped to
diagnose encoding issues, these characters will be hidden when the file
is edited with a BOM-aware text editor, and further confuse the user.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-01-10 15:49:15 -07:00
Sebastiaan van Stijn
4bbc37687e
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to circular dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-07 22:25:49 +01:00
Sebastiaan van Stijn
1907027b7b
Merge pull request #44520 from vvoland/disk-usage-singleflight
daemon/disk_usage: Use context aware singleflight
2022-11-30 13:39:55 +01:00
Paweł Gronowski
dec81e489f
daemon/disk_usage: Use context aware singleflight
The singleflight function was capturing the context.Context of the first
caller that invoked the `singleflight.Do`. This could cause all
concurrent calls to be cancelled when the first request is cancelled.

singleflight calls were also moved from the ImageService to Daemon, to
avoid having to implement this logic in both graphdriver and containerd
based image services.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-11-29 16:46:19 +01:00
Sebastiaan van Stijn
7c1b7842c6
vendor: golang.org/x/crypto v0.2.0
- all: use math/bits.RotateLeft

full diff: https://github.com/golang/crypto/compare/v0.1.0...v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-25 17:57:16 +01:00
Sebastiaan van Stijn
efe17dbdb4
vendor: golang.org/x/net v0.2.0
- http2/hpack: build static table with go generate

full diff: https://github.com/golang/net/compare/v0.1.0...v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-25 17:57:16 +01:00
Sebastiaan van Stijn
2799bbc562
Merge pull request #44467 from AkihiroSuda/rootlesskit-1.1.0
update RootlessKit to v1.1.0
2022-11-16 14:10:14 +01:00
Sebastiaan van Stijn
a6cb8efd81
vendor: golang.org/x/oauth2 v0.1.0
The golang.org/x/ projects are now doing tagged releases.

Some notable changes:

- authhandler: Add support for PKCE
- Introduce new AuthenticationError type returned by errWrappingTokenSource.Token
- Add support to set JWT Audience in JWTConfigFromJSON()
- google/internal: Add AWS Session Token to Metadata Requests
- go.mod: update vulnerable net library
- google: add support for "impersonated_service_account" credential type.
- google/externalaccount: add support for workforce pool credentials

full diff: https://github.com/golang/oauth2/compare/2bc19b11175f...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-15 13:43:31 +01:00
Sebastiaan van Stijn
9d7bd47cb6
vendor: golang.org/x/crypto v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/crypto/compare/3147a52a75dd...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-15 13:43:28 +01:00
Akihiro Suda
08516af897
vendor: github.com/rootless-containers/rootlesskit v1.1.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-11-15 20:43:09 +09:00
Sebastiaan van Stijn
79f9ffd401
vendor: golang.org/x/net v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff:

- https://github.com/golang/net/compare/f3363e06e74c...v0.1.0
- https://github.com/golang/text/compare/v0.3.7...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 13:50:51 +01:00
Sebastiaan van Stijn
71fa64a272
vendor: golang.org/x/time v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/time/compare/f0f3c7e86c11...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 13:50:51 +01:00
Sebastiaan van Stijn
4965f19626
vendor: golang.org/x/sync v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/sync/compare/036812b2e83c...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 13:50:51 +01:00
Sebastiaan van Stijn
4bb95eef6f
vendor: golang.org/x/sys v0.1.0
The golang.org/x/ projects are now doing tagged releases.

full diff: https://github.com/golang/sys/compare/84dc82d7e875...v0.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 13:50:50 +01:00
Sebastiaan van Stijn
57ba2df970
vendor: github.com/google/go-cmp v0.5.9 to remove golang.org/x/xerrors dep
full diff: https://github.com/google/go-cmp/compare/v0.5.7...v0.5.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 19:21:36 +01:00
Sebastiaan van Stijn
6742f74e0e
vendor: golang.org/x/sys v0.0.0-20221006211917-84dc82d7e875
full diff: 3c1f35247d...84dc82d7e8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-08 21:19:33 +02:00
Sebastiaan van Stijn
518179f63e
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:50:51 +02:00
Bjorn Neergaard
360238e9e1 vendor: github.com/hasicorp/memberlist v0.4.0
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-08-18 09:51:11 -06:00
Sebastiaan van Stijn
53aefba7f3
vendor: golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
full diff: 33da011f77...bc2c85ada1

notable changes;

- unix: use ByteSliceFromString in (*Ifreq).Name
- unix: update openbsd Statfs_t fields

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-27 10:21:35 +02:00
Sebastiaan van Stijn
f9cef468f9
vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

full diff: 1e041c57c4...33da011f77

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:07:07 +02:00
Sebastiaan van Stijn
16cd359664
vendor: golang.org/x/sys v0.0.0-20220405210540-1e041c57c461
full diff: a9b59b0215...1e041c57c4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-29 16:18:00 +02:00
Akihiro Suda
19a7875c3c
vendor: golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-03-26 02:10:12 +09:00
Sebastiaan van Stijn
917b44799d
vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
full diff: 5770296d90...3147a52a75

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

    Hello gophers,

    Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
    client authentication support for signature algorithms based on SHA-2 for use with
    existing RSA keys.

    Previously, a client would fail to authenticate with RSA keys to servers that
    reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
    and—starting today March 15, 2022 for recently uploaded keys.

    We are providing this announcement as the error (“ssh: unable to authenticate”)
    might otherwise be difficult to troubleshoot.

    Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
    fixes a potential security issue where an attacker could cause a crash in a
    golang.org/x/crypto/ssh server under these conditions:

    - The server has been configured by passing a Signer to ServerConfig.AddHostKey.
    - The Signer passed to AddHostKey does not also implement AlgorithmSigner.
    - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

    Servers that only use Signer implementations provided by the ssh package are
    unaffected. This is CVE-2022-27191.

    Alla prossima,

    Filippo for the Go Security team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-17 13:59:03 +01:00
Sebastiaan van Stijn
7df7357e08
vendor: cloud.google.com/go v0.92.0, google.golang.org/api v0.54.0
this removes a `tools.go` from the dependency, which caused various test
dependencies to be ending up in the dependency-tree, and are now gone.

- cloud.google.com/go v0.92.0: https://github.com/googleapis/google-cloud-go/compare/v0.81.0...v0.92.0
- google.golang.org/api v0.54.0: https://github.com/googleapis/google-api-go-client/compare/v0.46.0...v0.54.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-11 20:01:57 +01:00
Cory Snider
b36fb04e03 vendor: github.com/containerd/containerd v1.6.1
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-03-10 17:48:10 -05:00
Sebastiaan van Stijn
7f9c77b2fe
vendor: golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f
full diff: 6f1e639406...2bc19b1117

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 18:03:34 +01:00
Sebastiaan van Stijn
a69cda092b
vendor: golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
no changes in vendored code

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-01 18:02:03 +01:00
Sebastiaan van Stijn
7876c53424
vendor: golang.org/x/tools v0.1.5
full diff: https://github.com/golang/tools/compare/v0.1.0...v0.1.5

It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-23 18:42:17 +01:00
Sebastiaan van Stijn
1b829c2a6a
vendor: golang.org/x/mod v0.4.2
full diff: https://github.com/golang/mod/compare/v0.4.1...v0.4.2

It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-23 18:37:58 +01:00
Sebastiaan van Stijn
6be521ccb8
vendor: golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a
full diff: f6687ab280...6f1e639406

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-23 18:30:08 +01:00
Sebastiaan van Stijn
3ddf696a2d
vendor: golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
Remove the replace rule, and use the version as specified by (indirect) dependencies:

full diff: bf48bf16ab...f6687ab280

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-15 15:43:04 +01:00
Sebastiaan van Stijn
03f45fafc5
vendor: golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
Remove the replace rule, and use the version as specified by (indirect) dependencies:

full diff: e18ecbb051...69e39bad7d

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-14 15:42:37 +01:00
Sebastiaan van Stijn
368d680dfe
vendor: golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
Remove the replace rule, and use the version as specified by (indirect) dependencies:

full diff: 3af7569d3a...f0f3c7e86c

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-14 15:39:04 +01:00
Sebastiaan van Stijn
ce4ca67d52
vendor: golang.org/x/text v0.3.6:
to match the version used by golang.org/x/crypto

full diff: https://github.com/golang/text/compare/v0.3.3...v0.3.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-14 15:35:01 +01:00
Akihiro Suda
0d04359ec2
vendor: golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-02-06 16:28:59 +09:00
Sebastiaan van Stijn
ace8c7896c
vendor: cloud.google.com/go v0.59.0 to remove some test-deps
commit ad4f9324cd
removes some of the test-dependencies from cloud.google.com.

only other relevant changes in vendored code are from this commit:
dccc6b4b71

Full diff: https://github.com/googleapis/google-cloud-go/compare/v0.44.3...v0.59.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-18 15:46:08 +01:00
Sebastiaan van Stijn
e5d28115ee
vendor: regenerate
- all changes here are attributed to difference in behaviour between,
  namely:
  - resolution of secondary test dependencies
  - prunning of non-Go files

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-18 15:46:04 +01:00
Sebastiaan van Stijn
dd9782fe94
go.mod: golang.org/x/crypto 5770296d904e90f15f38f77dfc2e43fdf5efc083
full diff: 0c34fe9e7d...5770296d90

includes a fix in golang.org/x/crypto/ssh for CVE-2021-43565

- golang/go#49932
- 5770296d90

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-12-03 09:19:28 +01:00
Sebastiaan van Stijn
875969251b
vendor: golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
full diff: 63515b42dc...69cdffdb93

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-19 09:53:57 +01:00
Sebastiaan van Stijn
d48c8b70a1
vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.

full diff: d19ff857e8...63515b42dc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-23 16:34:33 +02:00
Roman Volosatovs
135cec5d4d
daemon,volume: share disk usage computations
Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
2021-08-09 19:59:39 +02:00
Sebastiaan van Stijn
225f764652
vendor: golang.org/x/sync 036812b2e83c0ddf193dd5a34e034151da389d09
full diff: 6e8e738ad2...036812b2e8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-15 16:20:44 +02:00
Sebastiaan van Stijn
037c26d863
vendor: golang.org/x/net e18ecbb051101a46fc263334b127c89bc7bff7ea
full diff: 6772e930b6...e18ecbb051

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-15 16:20:42 +02:00