chore(deps): update module github.com/moby/moby to v20 - autoclosed
This MR contains the following updates:
Package | Type | Update | Change
---|---|---|---
github.com/moby/moby | replace | major | v1.13.1 -> v20.10.22
Release Notes
moby/moby
v20.10.22
Bug fixes and enhancements
- Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569).
- Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
- Fix `ssh: parse error in message type 27` errors during `docker build` on hosts using OpenSSH 8.9 or above (moby/moby#3862).
- seccomp: block socket calls to `AF_VSOCK` in default profile (moby/moby#44564).
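The `AF_VSOCK` change above (and the Landlock and `clone3` additions listed under later releases) are edits to the allow/deny list of the default seccomp profile, which Docker ships as JSON. A practical check is to evaluate a profile offline against the exact syscall and arguments you care about, before rolling it out with `--security-opt seccomp=...`. The following is an added example, not code from moby or any of its release notes: a small evaluator for the subset of the profile schema that matters here (`defaultAction`, `syscalls[].names/action/args`). The profile it loads is constructed for this example and is not Docker's default profile; the first-match rule order and the numeric constants (`AF_VSOCK` = 40, `SCMP_CMP_*` names) are assumptions stated in the comments.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Profile is the subset of the Docker seccomp profile schema this example
// evaluates; fields such as includes/excludes and comments are ignored.
type Profile struct {
	DefaultAction string        `json:"defaultAction"`
	Syscalls      []SyscallRule `json:"syscalls"`
}

type SyscallRule struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet *int     `json:"errnoRet,omitempty"`
	Args     []Arg    `json:"args,omitempty"`
}

type Arg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo,omitempty"`
	Op       string `json:"op"`
}

// AF_VSOCK from <linux/socket.h>; the address family is socket()'s first argument.
const afVsock = 40

// constructedProfile is written for this example and is NOT Docker's default
// profile. Everything is denied by default (SCMP_ACT_ERRNO), socket(AF_VSOCK, ...)
// is rejected with EINVAL (errno 22), and the remaining listed calls are allowed.
const constructedProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 22,
     "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_EQ"}]},
    {"names": ["socket", "bind", "connect", "read", "write"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

func LoadProfile(raw string) (Profile, error) {
	var p Profile
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

func argMatches(a Arg, args []uint64) bool {
	if int(a.Index) >= len(args) {
		return false
	}
	v := args[a.Index]
	switch a.Op {
	case "SCMP_CMP_EQ":
		return v == a.Value
	case "SCMP_CMP_NE":
		return v != a.Value
	case "SCMP_CMP_LT":
		return v < a.Value
	case "SCMP_CMP_LE":
		return v <= a.Value
	case "SCMP_CMP_GT":
		return v > a.Value
	case "SCMP_CMP_GE":
		return v >= a.Value
	case "SCMP_CMP_MASKED_EQ":
		return v&a.Value == a.ValueTwo
	}
	return false
}

// Evaluate returns the action the profile takes for one syscall invocation.
// Assumption: rules are checked in list order and the first rule whose name
// and all argument conditions match wins; a rule with no "args" matches
// unconditionally. The kernel runs a BPF program generated by libseccomp
// rather than this linear scan, so keep argument-filtered rules ahead of the
// broad allow rules they carve exceptions out of.
func Evaluate(p Profile, name string, args []uint64) string {
	for _, r := range p.Syscalls {
		if !contains(r.Names, name) {
			continue
		}
		matched := true
		for _, a := range r.Args {
			if !argMatches(a, args) {
				matched = false
				break
			}
		}
		if matched {
			return r.Action
		}
	}
	return p.DefaultAction
}

func contains(names []string, want string) bool {
	for _, n := range names {
		if n == want {
			return true
		}
	}
	return false
}

func main() {
	p, err := LoadProfile(constructedProfile)
	if err != nil {
		panic(err)
	}
	// socket(AF_VSOCK, SOCK_STREAM, 0) vs socket(AF_INET, SOCK_STREAM, 0)
	fmt.Println("socket(AF_VSOCK):", Evaluate(p, "socket", []uint64{afVsock, 1, 0}))
	fmt.Println("socket(AF_INET): ", Evaluate(p, "socket", []uint64{2, 1, 0}))
	fmt.Println("ptrace:          ", Evaluate(p, "ptrace", nil))
}
```

The same evaluator answers the converse question for the later seccomp entries on this page: feed it a profile and the syscall name (`clone3`, `landlock_create_ruleset`, ...) and it tells you whether a container built on a newer distribution would hit the default-deny action.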
Packaging Updates
- Update Docker Compose to v2.14.1.
- Update Docker Scan to v0.23.0.
- Update containerd (`containerd.io` package) to v1.6.13 to include a fix for CVE-2022-23471.
- Update Go runtime to 1.18.9 to include fixes for CVE-2022-41716, CVE-2022-41717, and CVE-2022-41720.
v20.10.21
This release of Docker Engine contains updated versions of Docker Compose, Docker Scan, Containerd, added packages for Ubuntu 22.10, and some minor bug fixes and enhancements.
Client
- Remove "experimental" gates around "--platform" in bash completion docker/cli#3824.
Daemon
- Allow "allow-nondistributable-artifacts" to be configured for Docker Hub moby/moby#44313.
- Fix an `Invalid standard handle identifier` panic when registering the docker daemon as a service from a legacy CLI on Windows moby/moby#44326.
Builder
- Fix running git commands in Cygwin on Windows moby/moby#44332.
- Update bundled BuildKit version to fix "output clipped, log limit 1MiB reached" errors moby/moby#44339.
Packaging
- Provide packages for Ubuntu 22.10 "Kinetic Kudu".
- Update Docker Compose to v2.12.2.
- Update Docker Scan to v0.21.0.
- Update containerd (`containerd.io` package) to v1.6.9.
v20.10.20
This release of Docker Engine contains partial mitigations for a Git vulnerability (CVE-2022-39253), and has updated handling of `image:tag@digest` image references.
The Git vulnerability allows a maliciously crafted Git repository, when used as a build context, to copy arbitrary filesystem paths into resulting containers/images; this can occur in both the daemon, and in API clients, depending on the versions and tools in use.
The mitigations available in this release and in other consumers of the daemon API are partial and only protect users who build a Git URL context (e.g. `git+protocol://`).
As the vulnerability could still be exploited by manually run Git commands that interact with and check out submodules, users should immediately upgrade to a patched version of Git to protect against this vulnerability. Further details are available from the GitHub blog ("Git security vulnerabilities announced").
Client
- Added a mitigation for CVE-2022-39253, when using the classic Builder with a Git URL as the build context.
Daemon
- Updated handling of `image:tag@digest` references. When pulling an image using the `image:tag@digest` form ("pull by digest"), image resolution happens through the content-addressable digest and the `image` and `tag` are not used. While this is expected, this could lead to confusing behavior, and could potentially be exploited through social engineering to run an image that is already present in the local image store. Docker now checks if the digest matches the repository name used to pull the image, and otherwise will produce an error.
Builder
- Updated handling of `image:tag@digest` references. Refer to the "Daemon" section above for details.
- Added a mitigation to the classic Builder and updated BuildKit to v0.8.3-31-gc0149372, for CVE-2022-39253.
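The pull-by-digest change described in the Daemon and Builder sections above is easiest to understand with both behaviours side by side: resolution by digest alone (which lets `evil/hardened-alpine:latest@sha256:...` silently run whatever local image carries that digest) versus resolution that also requires the digest to be known under the repository named in the reference. The following is an added example, not moby's own implementation and not its `distribution/reference` package: the reference parser applies simplified Docker Hub name normalisation (an assumption), the local image store is constructed in-line with a made-up digest, and `RepoDigests` is modelled after the field `docker image inspect` prints.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// Reference is a parsed image reference of the form [registry/]name[:tag][@digest].
type Reference struct {
	Name   string // fully qualified repository, e.g. docker.io/library/alpine
	Tag    string // empty if none
	Digest string // "sha256:<hex>" or empty
}

// normalizeName expands a short name the way `docker pull` does for Docker Hub.
// Assumption: simplified familiar-name rules; no further validation.
func normalizeName(name string) string {
	i := strings.Index(name, "/")
	if i < 0 {
		return "docker.io/library/" + name
	}
	first := name[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io/" + name
	}
	return name
}

func ParseReference(s string) (Reference, error) {
	var ref Reference
	rest := s
	if i := strings.Index(rest, "@"); i >= 0 {
		ref.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRe.MatchString(ref.Digest) {
			return ref, fmt.Errorf("invalid digest %q", ref.Digest)
		}
	}
	// A ':' after the last '/' introduces the tag; a ':' before it is a registry port.
	if colon := strings.LastIndex(rest, ":"); colon > strings.LastIndex(rest, "/") {
		ref.Tag = rest[colon+1:]
		rest = rest[:colon]
	}
	if rest == "" {
		return ref, errors.New("empty repository name")
	}
	ref.Name = normalizeName(rest)
	return ref, nil
}

// Image is the slice of `docker image inspect` output that matters here.
type Image struct {
	ID          string
	RepoDigests []string // "<repository>@<digest>" entries
}

// Constructed local image store: one trusted alpine image, pulled by digest earlier.
var constructedDigest = "sha256:" + strings.Repeat("ab", 32)
var constructedStore = []Image{
	{ID: "sha256:aaaa", RepoDigests: []string{"docker.io/library/alpine@" + constructedDigest}},
}

// LookupByDigestOnly is the pre-20.10.20 behaviour: the digest alone selects
// the image, and the name/tag in front of it are ignored.
func LookupByDigestOnly(digest string, store []Image) (*Image, bool) {
	for i := range store {
		for _, rd := range store[i].RepoDigests {
			if strings.HasSuffix(rd, "@"+digest) {
				return &store[i], true
			}
		}
	}
	return nil, false
}

// ResolvePullByDigest adds the repository check: the image must be known
// under <ref.Name>@<ref.Digest>, not merely under the digest.
func ResolvePullByDigest(raw string, store []Image) (string, error) {
	ref, err := ParseReference(raw)
	if err != nil {
		return "", err
	}
	if ref.Digest == "" {
		return "", errors.New("not a pull-by-digest reference")
	}
	img, ok := LookupByDigestOnly(ref.Digest, store)
	if !ok {
		return "", fmt.Errorf("%s not present locally; would pull from registry", ref.Digest)
	}
	want := ref.Name + "@" + ref.Digest
	for _, rd := range img.RepoDigests {
		if rd == want {
			return img.ID, nil
		}
	}
	return "", fmt.Errorf("digest %s does not belong to repository %s (known as %s)",
		ref.Digest, ref.Name, strings.Join(img.RepoDigests, ", "))
}

func main() {
	for _, r := range []string{
		"alpine:3.16@" + constructedDigest,                 // tag ignored, repository matches
		"evil/hardened-alpine:latest@" + constructedDigest, // social-engineering lure
	} {
		id, err := ResolvePullByDigest(r, constructedStore)
		fmt.Printf("%s\n  -> id=%q err=%v\n", r, id, err)
	}
}
```

The lure reference still resolves under `LookupByDigestOnly`, which is the behaviour the release note calls confusing; only the repository check turns it into an error.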
v20.10.19
This release of Docker Engine comes with some bug-fixes, and an updated version of Docker Compose.
Builder
- Fix an issue that could result in a panic during `docker builder prune` or `docker system prune` moby/moby#44122.
Daemon
- Fix a bug where using `docker volume prune` would remove volumes that were still in use if the daemon was running with "live restore" and was restarted moby/moby#44238.
Packaging
- Update Docker Compose to v2.11.2.
- Update Go runtime to 1.18.7, which contains fixes for CVE-2022-2879, CVE-2022-2880, and CVE-2022-41715.
v20.10.18
This release of Docker Engine comes with a fix for a low-severity security issue, some minor bug fixes, and updated versions of Docker Compose, Docker Buildx, containerd, and runc.
Client
- Add Bash completion for Docker Compose docker/cli#3752.
Builder
- Fix an issue where file-capabilities were not preserved during build moby/moby#43876.
- Fix an issue that could result in a panic caused by a concurrent map read and map write moby/moby#44067.
Daemon
- Fix a security vulnerability relating to supplementary group permissions, which could allow a container process to bypass primary group restrictions within the container CVE-2022-36109, GHSA-rc4r-wh2q-q6c4.
- seccomp: add support for Landlock syscalls in default policy moby/moby#43991.
- seccomp: update default policy to support new syscalls introduced in kernel 5.12 - 5.16 moby/moby#43991.
- Fix an issue where cache lookup for image manifests would fail, resulting in a redundant round-trip to the image registry moby/moby#44109.
- Fix an issue where `exec` processes and healthchecks were not terminated when they timed out moby/moby#44018.
Packaging
- Update Docker Buildx to v0.9.1.
- Update Docker Compose to v2.10.2.
- Update containerd (`containerd.io` package) to v1.6.8.
- Update runc to v1.1.4.
- Update Go runtime to 1.18.6, which contains fixes for CVE-2022-27664 and CVE-2022-32190.
v20.10.17
This release of Docker Engine comes with updated versions of the compose, containerd, and runc components, as well as some minor bug fixes.
Client
- Remove asterisk from docker commands in zsh completion script docker/cli#3648.
Networking
- Fix Windows port conflict with published ports in host mode for overlay moby/moby#43644.
- Ensure performance tuning is always applied to libnetwork sandboxes moby/moby#43683.
Packaging
- Update Docker Compose to v2.6.0.
- Update containerd (`containerd.io` package) to v1.6.6, which contains a fix for CVE-2022-31030.
- Update runc version to v1.1.2, which contains a fix for CVE-2022-29162.
- Update Go runtime to 1.17.11, which contains fixes for CVE-2022-30634, CVE-2022-30629, CVE-2022-30580 and CVE-2022-29804.
v20.10.16
This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with `docker stats` when using containerd 1.5 and up, and updates the Go runtime to include a fix for CVE-2022-29526.
Client
- Fix a regression in binaries for macOS introduced in 20.10.15, which resulted in a panic docker/cli#43426.
- Update golang.org/x/sys dependency which contains a fix for CVE-2022-29526.
Daemon
- Fix an issue where `docker stats` was showing empty stats when running with containerd 1.5.0 or up moby/moby#43567.
- Update the `golang.org/x/sys` build-time dependency which contains a fix for CVE-2022-29526.
Packaging
- Update Go runtime to 1.17.10, which contains a fix for CVE-2022-29526.
- Use "weak" dependencies for the `docker scan` CLI plugin, to prevent a "conflicting requests" error when users performed an off-line installation from downloaded RPM packages docker/docker-ce-packaging#659.
v20.10.15
This release of Docker Engine comes with updated versions of the compose, buildx, containerd, and runc components, as well as some minor bugfixes.
Daemon
- Use a RWMutex for stateCounter to prevent potential locking congestion moby/moby#43426.
- Prevent an issue where the daemon was unable to find an available IP-range in some conditions moby/moby#43360.
Packaging
- Update Docker Compose to v2.5.0.
- Update Docker Buildx to v0.8.2.
- Update Go runtime to 1.17.9.
- Update containerd (`containerd.io` package) to v1.6.4.
- Update runc version to v1.1.1.
- Add packages for CentOS 9 stream and Fedora 36.
v20.10.14
This release of Docker Engine updates the default inheritable capabilities for containers to address CVE-2022-24769; a new version of the containerd.io runtime is also included to address the same issue.
Daemon
- Update the default inheritable capabilities.
Builder
- Update the default inheritable capabilities for containers used during build.
Packaging
v20.10.13
This release of Docker Engine contains some bug-fixes and packaging changes, updates to the `docker scan` and `docker buildx` commands, an updated version of the Go runtime, and new versions of the containerd.io runtime.
Together with this release, we now also provide `.deb` and `.rpm` packages of Docker Compose V2, which can be installed using the (optional) `docker-compose-plugin` package.
Builder
- Updated the bundled version of buildx to v0.8.0.
Daemon
- Fix a race condition when updating the container's state moby/moby#43166.
- Update the etcd dependency to prevent the daemon from incorrectly holding file locks moby/moby#43259
- Fix detection of user-namespaces when configuring the default `net.ipv4.ping_group_range` sysctl moby/moby#43084.
Distribution
- Retry downloading image-manifests if a connection failure happens during image pull moby/moby#43333.
Documentation
- Various fixes in command-line reference and API documentation.
Logging
- Prevent an OOM when using the "local" logging driver with containers that produce a large amount of log messages moby/moby#43165.
- Updates the fluentd log driver to prevent a potential daemon crash, and prevent containers from hanging when using `fluentd-async-connect=true` and the remote server is unreachable moby/moby#43147.
Packaging
- Provide `.deb` and `.rpm` packages for Docker Compose V2. Docker Compose v2.3.3 can now be installed on Linux using the `docker-compose-plugin` packages, which provides the `docker compose` subcommand on the Docker CLI. The Docker Compose plugin can also be installed and run standalone to be used as a drop-in replacement for `docker-compose` (Docker Compose V1) docker/docker-ce-packaging#638. The `compose-cli-plugin` package can also be used on older versions of the Docker CLI with support for CLI plugins (Docker CLI 18.09 and up).
- Provide packages for the upcoming Ubuntu 22.04 "Jammy Jellyfish" LTS release docker/docker-ce-packaging#645, docker/containerd-packaging#271.
- Update `docker buildx` to v0.8.0.
- Update `docker scan` (`docker-scan-plugin`) to v0.17.0.
- Update containerd (`containerd.io` package) to v1.5.10.
- Update the bundled runc version to v1.0.3.
- Update Golang runtime to Go 1.16.15.
v20.10.12
Packaging
v20.10.11
20.10.11
IMPORTANT
Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
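The warning above is a property of Go's `net/http`, so it can be verified without a Docker daemon at all: `http.ProxyFromEnvironment` is exactly what the daemon's registry client ends up calling. The following is an added example, not code from moby or from the release notes; the proxy address is made up, and the only assumption is a Go toolchain at 1.16 or later. With `HTTP_PROXY` set and `HTTPS_PROXY` unset, the `http://` request is routed through the proxy while the `https://` registry request goes direct, which is the silent failure mode the note warns about.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// ProxyFor returns the proxy URL that net/http's ProxyFromEnvironment selects
// for a request to target, or "" when the connection would go direct.
// net/http reads the proxy variables once, on first use, and caches them, so
// the environment must be in place before the first call.
func ProxyFor(target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	proxyURL, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return "", err
	}
	if proxyURL == nil {
		return "", nil
	}
	return proxyURL.String(), nil
}

// ConfigureOnlyHTTPProxy reproduces the misconfiguration the release notes
// warn about: only HTTP_PROXY is set. The proxy address is made up for this
// example; upper- and lower-case variants of the other variables are cleared
// so nothing from the surrounding shell leaks in.
func ConfigureOnlyHTTPProxy() {
	for _, v := range []string{"HTTPS_PROXY", "https_proxy", "NO_PROXY", "no_proxy", "http_proxy"} {
		os.Unsetenv(v)
	}
	os.Setenv("HTTP_PROXY", "http://proxy.example.internal:3128")
}

func main() {
	ConfigureOnlyHTTPProxy()
	for _, target := range []string{
		"http://registry-1.docker.io/v2/",
		"https://registry-1.docker.io/v2/",
	} {
		proxy, err := ProxyFor(target)
		fmt.Printf("%-35s proxy=%q err=%v\n", target, proxy, err)
	}
}
```

On a real host the equivalent check is to confirm that the daemon's environment (for example the systemd drop-in that sets the proxy variables) carries both `HTTP_PROXY` and `HTTPS_PROXY`, plus `NO_PROXY` for any internal registries that must not be proxied.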
Distribution
- Handle ambiguous OCI manifest parsing to mitigate CVE-2021-41190 / GHSA-mc8v-mgrf-8f4m. See GHSA-xmmx-7jpf-fx42 for details.
Windows
- Fix panic.log file having read-only attribute set moby/moby#42987.
Packaging
- Update containerd to v1.4.12 to mitigate CVE-2021-41190.
- Update Golang runtime to Go 1.16.10.
v20.10.10
20.10.10
IMPORTANT
Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section to learn how to configure the Docker Daemon to use a proxy server.
Builder
- Fix platform-matching logic so that `docker build` finds images in the local image cache on Arm machines when using BuildKit moby/moby#42954.
Runtime
- Add support for the `clone3` syscall in the default seccomp policy to support running containers based on recent versions of Fedora and Ubuntu moby/moby#42836.
- Windows: update hcsshim library to fix a bug in sparse file handling in container layers, which was exposed by recent changes in Windows moby/moby#42944.
- Fix some situations where `docker stop` could hang forever moby/moby#42956.
Swarm
- Fix an issue where updating a service did not roll back on failure moby/moby#42875.
Packaging
- Add packages for Ubuntu 21.10 "Impish Indri" and Fedora 35.
- Update `docker scan` to v0.9.0.
- Update Golang runtime to Go 1.16.9.
v20.10.9
This release is a security release with security fixes in the CLI, runtime, as well as updated versions of the containerd.io package and the Go runtime.
Client
- CVE-2021-41092 Ensure default auth config has address field set, to prevent credentials being sent to the default registry.
Runtime
- CVE-2021-41089 Create parent directories inside a chroot during `docker cp` to prevent a specially crafted container from changing permissions of existing files in the host's filesystem.
- CVE-2021-41091 Lock down file permissions to prevent unprivileged users from discovering and executing programs in `/var/lib/docker`.
Packaging
- Update Golang runtime to Go 1.16.8, which contains fixes for CVE-2021-36221 and CVE-2021-39293
- Update static binaries and containerd.io rpm and deb packages to containerd v1.4.11 and runc v1.0.2 to address CVE-2021-41103.
- Update the bundled buildx version to v0.6.3 for rpm and deb packages.
v20.10.8
20.10.8
IMPORTANT
Due to net/http changes in Go 1.16, HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the HTTP/HTTPS proxy section in the documentation to learn how to configure the Docker Daemon to use a proxy server.
Deprecation
- Deprecate support for encrypted TLS private keys. Legacy PEM encryption as specified in RFC 1423 is insecure by design. Because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. Support for encrypted TLS private keys is now marked as deprecated, and will be removed in an upcoming release. docker/cli#3219
- Deprecate Kubernetes stack support. Following the deprecation of Compose on Kubernetes, support for Kubernetes in the `stack` and `context` commands in the Docker CLI is now marked as deprecated, and will be removed in an upcoming release docker/cli#3174.
Client
- Fix `Invalid standard handle identifier` errors on Windows docker/cli#3132.
Rootless
- Avoid `can't open lock file /run/xtables.lock: Permission denied` error on SELinux hosts moby/moby#42462.
- Disable overlay2 when running with SELinux to prevent permission denied errors moby/moby#42462.
- Fix `x509: certificate signed by unknown authority` error on openSUSE Tumbleweed moby/moby#42462.
Runtime
- Print a warning when using the `--platform` option to pull a single-arch image that does not match the specified architecture moby/moby#42633.
- Fix incorrect `Your kernel does not support swap memory limit` warning when running with cgroups v2 moby/moby#42479.
- Windows: Fix a situation where containers were not stopped if `HcsShutdownComputeSystem` returned an `ERROR_PROC_NOT_FOUND` error moby/moby#42613.
Swarm
- Fix a possibility where overlapping IP addresses could exist as a result of the node failing to clean up its old loadbalancer IPs moby/moby#42538
- Fix a deadlock in log broker ("dispatcher is stopped") moby/moby#42537
Packaging
Known issue
The `ctr` binary shipping with the static packages of this release is not statically linked, and will not run in Docker images using alpine as a base image. Users can install the `libc6-compat` package, or download a previous version of the `ctr` binary as a workaround. Refer to the containerd ticket related to this issue for more details: containerd/containerd#5824.
- Remove packaging for Ubuntu 16.04 "Xenial" and Fedora 32, as they reached EOL docker/docker-ce-packaging#560
- Update Golang runtime to Go 1.16.6
- Update the bundled buildx version to v0.6.1 for rpm and deb packages docker/docker-ce-packaging#562
- Update static binaries and containerd.io rpm and deb packages to containerd v1.4.9 and runc v1.0.1: docker/containerd-packaging#241, docker/containerd-packaging#245, docker/containerd-packaging#247.
v20.10.7
20.10.7
Client
- Suppress warnings for deprecated cgroups docker/cli#3099.
- Prevent sending `SIGURG` signals to container on Linux and macOS. The Go runtime (starting with Go 1.14) uses `SIGURG` signals internally as an interrupt to support preemptable syscalls. In situations where the Docker CLI was attached to a container, these interrupts were forwarded to the container. This fix changes the Docker CLI to ignore `SIGURG` signals docker/cli#3107, moby/moby#42421.
Builder
- Update BuildKit to version v0.8.3-3-g244e8cde moby/moby#42448:
- Transform relative mountpoints for exec mounts in the executor to work around a breaking change in runc v1.0.0-rc94 and up. moby/buildkit#2137.
- Add retry on image push 5xx errors. moby/buildkit#2043.
- Fix build-cache not being invalidated when renaming a file that is copied using a `COPY` command with a wildcard. Note that this change invalidates existing build caches for copy commands that use a wildcard. moby/buildkit#2018.
- Fix build-cache not being invalidated when using mounts moby/buildkit#2076.
- Fix build failures when `FROM` image is not cached when using legacy schema 1 images moby/moby#42382.
Logging
- Update the hcsshim SDK to make daemon logs on Windows less verbose moby/moby#42292.
Rootless
- Fix capabilities not being honored when an image was built on a daemon with user-namespaces enabled moby/moby#42352.
Networking
- Update libnetwork to fix publishing ports on environments with kernel boot parameter `ipv6.disable=1`, and to fix a deadlock causing internal DNS lookups to fail moby/moby#42413.
Contrib
- Update rootlesskit to v0.14.2 to fix a timeout when starting the userland proxy with the `slirp4netns` port driver moby/moby#42294.
- Fix "Device or resource busy" errors when running docker-in-docker on a rootless daemon moby/moby#42342.
Packaging
- Update containerd to v1.4.6, runc v1.0.0-rc95 to address CVE-2021-30465 moby/moby#42398, moby/moby#42395, docker/containerd-packaging#234.
- Update containerd to v1.4.5, runc v1.0.0-rc94 moby/moby#42372, moby/moby#42388, docker/containerd-packaging#232.
- Update Docker Scan plugin packages (`docker-scan-plugin`) to v0.8 docker/docker-ce-packaging#545.
v20.10.6
release notes: https://docs.docker.com/engine/release-notes/#20106
v20.10.5
release notes: https://docs.docker.com/engine/release-notes/#20105
20.10.5
Client
- Revert docker/cli#2960 to fix hanging in docker start --attach and remove spurious “Unsupported signal: . Discarding." messages docker/cli#2987
v20.10.4
release notes: https://docs.docker.com/engine/release-notes/#20104
20.10.4
Builder
- Fix incorrect cache match for inline cache import with empty layers moby/moby#42061
- Update BuildKit to v0.8.2 moby/moby#42061
- resolver: avoid error caching on token fetch
- fileop: fix checksum to contain indexes of inputs preventing certain cache misses
- Fix reference count issues on typed errors with mount references (fixing `invalid mutable ref` errors)
- git: set token only for main remote access allowing cloning submodules with different credentials
- Ensure blobs get deleted in /var/lib/docker/buildkit/content/blobs/sha256 after pull. To clean up old state run `builder prune` moby/moby#42065
- Fix parallel pull synchronization regression moby/moby#42049
- Ensure libnetwork state files do not leak moby/moby#41972
Client
- Fix a panic on `docker login` if no config file is present docker/cli#2959
- Fix `WARNING: Error loading config file: .dockercfg: $HOME is not defined` docker/cli#2958
Runtime
- docker info: silence unhandleable warnings moby/moby#41958
- Avoid creating parent directories for XGlobalHeader moby/moby#42017
- Use 0755 permissions when creating missing directories moby/moby#42017
- Fallback to manifest list when no platform matches in image config moby/moby#42045 moby/moby#41873
- Fix a daemon panic on setups with a custom default runtime configured moby/moby#41974
- Fix a panic when daemon configuration is empty moby/moby#41976
- Fix daemon panic when starting container with invalid device cgroup rule moby/moby#42001
- Fix userns-remap option when username & UID match moby/moby#42013
- static: update runc binary to v1.0.0-rc93 moby/moby#42014
Logger
- Honor `labels-regex` config even if `labels` is not set moby/moby#42046
- Handle long log messages correctly, preventing awslogs in non-blocking mode from splitting events bigger than 16kB moby/moby#41975
Rootless
- Prevent the service hanging when stopping by setting systemd KillMode to mixed moby/moby#41956
- dockerd-rootless.sh: add typo guard moby/moby#42070
- Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses moby/moby#42025
- allow mknodding FIFO inside userns moby/moby#41957
Security
- profiles: seccomp: update to Linux 5.11 syscall list moby/moby#41971
Swarm
- Fix issue with heartbeat not persisting upon restart moby/moby#42060
- Fix potential stalled tasks moby/moby#42060
- Fix `--update-order` and `--rollback-order` flags when only `--update-order` or `--rollback-order` is provided docker/cli#2963
- Fix `docker service rollback` returning a non-zero exit code in some situations docker/cli#2964
- Fix inconsistent progress-bar direction on `docker service rollback` docker/cli#2964
v20.10.3
Release notes: https://docs.docker.com/engine/release-notes/#20103
20.10.3
Security
- CVE-2021-21285 Prevent an invalid image from crashing docker daemon
- CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
- Ensure AppArmor and SELinux profiles are applied when building with BuildKit
Client
- Check contexts before importing them to reduce risk of extracted files escaping context store
- Windows: prevent executing certain binaries from current directory docker/cli#2950
v20.10.2
Release notes: https://docs.docker.com/engine/release-notes/#20102
v20.10.1
Release notes: https://docs.docker.com/engine/release-notes/#20101
v20.10.0
Release notes: https://docs.docker.com/engine/release-notes/#20100
Configuration
- [ ] If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.