full diff: 5770296d90...3147a52a75
This version contains a fix for CVE-2022-27191 (not sure if it affects us).
From the golang mailing list:
Hello gophers,
Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.
Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.
We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.
Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:
- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.
Alla prossima,
Filippo for the Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/tools/compare/v0.1.0...v0.1.5
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/mod/compare/v0.4.1...v0.4.2
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: bf48bf16ab...f6687ab280
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: e18ecbb051...69e39bad7d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: 3af7569d3a...f0f3c7e86c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- all changes here are attributed to difference in behaviour between,
namely:
- resolution of secondary test dependencies
- prunning of non-Go files
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.
full diff: d19ff857e8...63515b42dc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: ab34263943...6772e930b6
- http/httpproxy: match http scheme when selecting http_proxy
- drop support for pre-1.12 direct syscalls on darwin
- x/net/http2: reject HTTP/2 Content-Length headers containing a sign
- http2/h2i: use x/term instead of x/crypto/ssh/terminal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This dependency was added in 6cdbf07be9d0ad08776df0b65fb1b3e4e617c42a,
but looks like the code was vendored manually, or vendored, then removeed
from vendor.conf.
This commit removes the vendored files, as they are not needed to build
our binaries.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 6861f17f15...v0.8.0-rc2
- dockerfile: rename experimental channel to labs
- dockerfile build: fix not exit when meet error in load config metadata
- copy containerd.UnknownExitStatus to local const to reduce dependency graph in client
- executor: switch to docker seccomp profile
- add retry handlers to push/pull
- SSH-based auth for llb.Git operations
- Allow gateway exec-ing into a failed solve with an exec op
- Fix parsing ssh-based git sources
- Fix sshkeyscan to work with ipv6
- fix assumption that ssh port must be 2 digits
- vendor: github.com/Microsoft/go-winio v0.4.15
- vendor: github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
- vendor: containerd v1.4.1-0.20201117152358-0edc412565dc
- vendor: golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 75b288015a...c1f2f97bff
relevant changes:
- pkcs12: document that we use the wrong PEM type
- pkcs12: drop PKCS#12 attributes with unknown OIDs
- ocsp: Improve documentation for ParseResponse and ParseResponseForCert
other changes (not in vendor);
- ssh: improve error message for KeyboardInteractiveChallenge
- ssh: remove slow unnecessary diffie-hellman-group-exchange primality check
- ssh/terminal: replace with a golang.org/x/term wrapper
- Deprecates ssh/terminal in favor of golang.org/x/term
- ssh/terminal: add support for zos
- ssh/terminal: bump x/term dependency to fix js/nacl
- nacl/auth: use Size instead of KeySize for Sum output
- sha3: remove go:nocheckptr annotation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
aee5d888a8...eeed37f84f
- all: add GOOS=ios
- unix: add back IoctlCtlInfo on darwin
- windows: add SetConsoleCursorPosition
- unix: update Dockerfile to Linux 5.9 and Go 1.15.2 (adds `CAP_CHECKPOINT_RESTORE`)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 73f35e472e...7f0af18e79
- update gotest.tools to v3
- Use unix.Ioctl{Get,Set}Termios on all unix platforms
- Make Termios type alias, remove casts
vendor: golang.org/x/sys 196b9ba8737a10c9253b04174f25881e562da5b8
full diff: ed371f2e16...196b9ba873
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 88737f569e...69ecbb4d6d
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: c990c680b6...6d18c012ae
execute "docker run -it {image name} /bin/sh" no response on mip64el platform;
EpollEvent struct define lack a field named PadFd;
add the field "PadFd";
execute docker run -it {image} /bin/sh for test after rebuilded.
Signed-off-by: liuxiaodong <liuxiaodong@loongson.cn>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull requests started failing because vendoring didn't match;
```
The result of vndr differs
D vendor/golang.org/x/sync/singleflight/singleflight.go
Please vendor your package with github.com/LK4D4/vndr.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
