summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Brian Goff [Tue, 6 Oct 2020 19:30:07 +0000 (19:30 +0000)]
[PATCH] Ensure MkdirAllAndChown also sets perms
Generally if we ever need to change perms of a dir, between versions,
this ensures the permissions actually change when we think it should
change without having to handle special cases if it already existed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit
edb62a3ace8c4303822a391b38231e577f8c2ee8)
Signed-off-by: Tibor Vass <tibor@docker.com>
Gbp-Pq: Name cve-2021-21284-1.patch
Tianon Gravi [Tue, 24 Nov 2020 12:38:31 +0000 (12:38 +0000)]
[PATCH] Fix CVE-2020-15257
This is the 1.2 backport. It's the Samuel Karp patch with additional changes:
- Add ReadAddress function from commit
84a24711e88
- Add "horten the unix socket path for shim" commit (
a631796fda6)
Below is the original commit message:
-----------------------------------------------------------------------
Use path based unix socket for shims
This allows filesystem based ACLs for configuring access to the socket of a
shim.
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Michael Crosby <michael.crosby@apple.com>
-----------------------------------------------------------------------
containerd-shim: use path-based unix socket
This allows filesystem-based ACLs for configuring access to the socket
of a shim.
Ported from Michael Crosby's similar patch for v2 shims.
Signed-off-by: Samuel Karp <skarp@amazon.com>
-----------------------------------------------------------------------
Co-authored-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
Co-authored-by: varsha teratipally <teratipally@google.com>
Signed-off-by: Tianon Gravi <tianon@infosiftr.com>
Gbp-Pq: Name cve-2020-15257.patch
Sergey Kanzhelev [Thu, 24 Sep 2020 18:35:46 +0000 (18:35 +0000)]
[PATCH] treat manifest provided URLs differently
Gbp-Pq: Name cve-2020-15157.patch
Samuel Karp [Fri, 3 Apr 2020 23:23:18 +0000 (16:23 -0700)]
[PATCH] bridge: disable IPv6 router advertisements
Signed-off-by: Samuel Karp <skarp@amazon.com>
Gbp-Pq: Name cve-2020-13401-disable-IPv6-router-advertisements.patch
Justin Cormack [Thu, 25 Jul 2019 14:24:39 +0000 (15:24 +0100)]
[PATCH] Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.
See also OpenVZ https://github.com/kolyshkin/vzctl/blob/
a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit
a316b10dab79d9298b02c7930958ed52e0ccf4e4)
Gbp-Pq: Name cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch
Sebastiaan van Stijn [Wed, 3 Jul 2019 14:16:22 +0000 (16:16 +0200)]
[PATCH] DebugRequestMiddleware: Remove path handling
Path-specific rules were removed, so this is no longer used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
530e63c1a61b105a6f7fc143c5acb9b5cd87f958)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit
f8a0f26843bc5aff33cf9201b75bd4bdbb48a3ad)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: upstream, https://github.com/docker/engine/pull/298
Gbp-Pq: Name cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch
Sebastiaan van Stijn [Tue, 2 Jul 2019 12:21:03 +0000 (14:21 +0200)]
[PATCH] DebugRequestMiddleware: unconditionally scrub data field
Commit
77b8465d7e68ca102d7aae839c7b3fe0ecd28398 added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).
When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.
The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:
1. Start the daemon in debug-mode
dockerd --debug
2. Initialize swarm
docker swarm init
3. Create a file containing a secret
echo secret > my_secret.txt
4. Create a docker-compose file using that secret
cat > docker-compose.yml <<'EOF'
version: "3.3"
services:
web:
image: nginx:alpine
secrets:
- my_secret
secrets:
my_secret:
file: ./my_secret.txt
EOF
5. Deploy the stack
docker stack deploy -c docker-compose.yml test
6. Verify that the secret is scrubbed in the daemon logs
DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
7. Re-deploy the stack to trigger an "update"
docker stack deploy -c docker-compose.yml test
8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged
DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.
If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.
This patch introduces some change in behavior:
- In addition to secrets, requests to create or update _configs_ will
now have their `Data` field scrubbed. Generally, the actual data should
not be interesting for debugging, so likely will not be problematic.
In addition, scrubbing this data for configs may actually be desirable,
because (even though they are not explicitely designed for this purpose)
configs may contain sensitive data (credentials inside a configuration
file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
key named "data", will see the value of that field scrubbed. This
means that (e.g.) setting a `label` named `data` on a config, will
scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
`password`, `secret`, `signingcakey`, or `unlockkey`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit
73db8c77bfb2d0cbdf71ce491f3d3e66c9dd5be6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: upstream, https://github.com/docker/engine/pull/298
Gbp-Pq: Name cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch
Sebastiaan van Stijn [Tue, 2 Jul 2019 11:29:24 +0000 (13:29 +0200)]
[PATCH] TestMaskSecretKeys: use subtests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
32d70c7e21631224674cd60021d3ec908c2d888c)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit
ebb542b3f88d7f5551f6b6e1d8d2774a2c166409)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: https://github.com/docker/engine/pull/298
Gbp-Pq: Name cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch
Sebastiaan van Stijn [Tue, 2 Jul 2019 11:21:04 +0000 (13:21 +0200)]
[PATCH] TestMaskSecretKeys: add more test-cases
Add tests for
- case-insensitive matching of fields
- recursive masking
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit
db5f811216e70bcb4a10e477c1558d6c68f618c5)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit
18dac2cf32faeaada3bd4e8e2bffa576ad4329fe)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: upstream, https://github.com/docker/engine/pull/298
Gbp-Pq: Name cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch
Tonis Tiigi [Wed, 6 Feb 2019 19:58:40 +0000 (11:58 -0800)]
[PATCH] gitutils: add validation for ref
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit
723b107ca4fba14580a6cd971e63d8af2e7d2bbe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Origin: upstream, https://github.com/moby/moby/pull/38944
Gbp-Pq: Name cve-2019-13139-01-gitutils-add-validation-for-ref.patch
Brian Goff [Thu, 30 May 2019 21:55:52 +0000 (14:55 -0700)]
[PATCH] Add chroot for tar packing operations
Previously only unpack operations were supported with chroot.
This adds chroot support for packing operations.
This prevents potential breakouts when copying data from a container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Origin: upstream, https://github.com/moby/moby/pull/39292
Gbp-Pq: Name cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch
Brian Goff [Thu, 30 May 2019 18:15:09 +0000 (11:15 -0700)]
[PATCH] Pass root to chroot to for chroot Untar
This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.
Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Origin: upstream, https://github.com/moby/moby/pull/39292
Gbp-Pq: Name cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch
Kir Kolyshkin [Wed, 10 Oct 2018 06:36:04 +0000 (23:36 -0700)]
[PATCH] cli/registry: fix a Debugf statement
Fix this warning from go-1.11
> cli/registry/client/fetcher.go:234: Debugf format %s has arg
> repoEndpoint of wrong type client.repositoryEndpoint
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Origin: upstream, https://github.com/docker/cli/commit/
51848bf
Gbp-Pq: Name cli-fix-registry-debug-message-go-1.11.patch
Arnaud Rebillout [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
fix man pages build
Forwarded: not-needed
Last-Update: 2018-04-03
Gbp-Pq: Name cli-fix-manpages-build-script.patch
Arnaud Rebillout [Tue, 22 Jan 2019 05:22:52 +0000 (12:22 +0700)]
Build against google-grpc 1.11, where md.Get() does not exist.
This patch is based on the commit that introduced md.Get() in google-grpc:
<https://github.com/grpc/grpc-go/commit/
291de7f0>.
Please drop this patch as soon as we build docker against google-grpc >= 1.12.
Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name buildkit-build-against-google-grpc-1.11.patch
Dmitry Smirnov [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
remove prompt and delay
Last-Update: 2018-06-09
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853258
Forwarded: not-needed
Gbp-Pq: Name debian-nuke-no-prompt.patch
Tianon Gravi [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
remove convenience copies of cgroupfs-mount in init.d / upstart
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/783143
Gbp-Pq: Name debian-cgroupfs-mount-convenience-copy.patch
Dmitry Smirnov [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
FHS compliance.
Forwarded: not-needed
Gbp-Pq: Name debian-dockerd-binary-location.patch
Dmitry Smirnov [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
"fix" containerd executable name.
Last-Update: 2019-01-27
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920597
Gbp-Pq: Name debian-containerd-name.patch
Paul R. Tagliamonte [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
Use EnvironmentFile with the systemd unit file.
Last-Update: 2014-05-07
Bug-Debian: http://bugs.debian.org/746774
Forwarded: no
Gbp-Pq: Name debian-systemd-unit-environment-file.patch
pierre@meteor.com [Thu, 24 Mar 2016 23:14:30 +0000 (16:14 -0700)]
[PATCH] docker.service: don't limit tasks
From
33a8ab29ed9e51697772a0642b8d651b9a845532 Mon Sep 17 00:00:00 2001
Origin: https://github.com/docker/docker/pull/21491
Signed-off-by: Pierre Carrier <pierre@meteor.com>
Gbp-Pq: Name debian-systemd-unit-tasksmax.patch
Felix Geyer [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
docker.io (18.09.1+dfsg1-7.1+deb10u3) buster-security; urgency=medium
* Backport upstream patches for:
- CVE-2020-15157
- CVE-2020-15257
- CVE-2021-21284
- CVE-2021-21285
[dgit import unpatched docker.io 18.09.1+dfsg1-7.1+deb10u3]
Felix Geyer [Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)]
Import docker.io_18.09.1+dfsg1-7.1+deb10u3.debian.tar.xz
[dgit import tarball docker.io 18.09.1+dfsg1-7.1+deb10u3 docker.io_18.09.1+dfsg1-7.1+deb10u3.debian.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-containerd.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-containerd.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-distribution.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-distribution.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-go-events.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-go-events.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-go-metrics.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-go-metrics.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-libnetwork.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-libnetwork.tar.xz]
Arnaud Rebillout [Tue, 22 Jan 2019 08:48:15 +0000 (08:48 +0000)]
Import docker.io_18.09.1+dfsg1.orig-swarmkit.tar.xz
[dgit import orig docker.io_18.09.1+dfsg1.orig-swarmkit.tar.xz]
projects / docker.io.git / log