50bd133ad3
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved)
for more details.
These minor releases include 1 security fixes following the security policy:
- http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.
Set a limit on the amount of excess header frames we will process before
closing a connection.
Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 329d403e20
)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
49 lines
1.4 KiB
Docker
49 lines
1.4 KiB
Docker
# docker build -t docker:simple -f Dockerfile.simple .
|
|
# docker run --rm docker:simple hack/make.sh dynbinary
|
|
# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit
|
|
# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration
|
|
|
|
# This represents the bare minimum required to build and test Docker.
|
|
|
|
ARG GO_VERSION=1.21.9
|
|
|
|
ARG BASE_DEBIAN_DISTRO="bookworm"
|
|
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
|
|
|
|
FROM ${GOLANG_IMAGE}
|
|
ENV GO111MODULE=off
|
|
ENV GOTOOLCHAIN=local
|
|
|
|
# Compile and runtime deps
|
|
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
|
|
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
build-essential \
|
|
curl \
|
|
cmake \
|
|
git \
|
|
libapparmor-dev \
|
|
libseccomp-dev \
|
|
ca-certificates \
|
|
e2fsprogs \
|
|
iptables \
|
|
pkg-config \
|
|
pigz \
|
|
procps \
|
|
xfsprogs \
|
|
xz-utils \
|
|
\
|
|
vim-common \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Install runc, containerd, tini and docker-proxy
|
|
# Please edit hack/dockerfile/install/<name>.installer to update them.
|
|
COPY hack/dockerfile/install hack/dockerfile/install
|
|
RUN for i in runc containerd tini proxy dockercli; \
|
|
do hack/dockerfile/install/install.sh $i; \
|
|
done
|
|
ENV PATH=/usr/local/cli:$PATH
|
|
|
|
ENV AUTO_GOPATH 1
|
|
WORKDIR /usr/src/docker
|
|
COPY . /usr/src/docker
|