moby--moby

Author SHA1 Message Date

Author	SHA1	Message	Date
Sebastiaan van Stijn	917b44799d	vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd full diff: `5770296d90...3147a52a75` This version contains a fix for CVE-2022-27191 (not sure if it affects us). From the golang mailing list: Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys. Previously, a client would fail to authenticate with RSA keys to servers that reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default and—starting today March 15, 2022 for recently uploaded keys. We are providing this announcement as the error (“ssh: unable to authenticate”) might otherwise be difficult to troubleshoot. Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also fixes a potential security issue where an attacker could cause a crash in a golang.org/x/crypto/ssh server under these conditions: - The server has been configured by passing a Signer to ServerConfig.AddHostKey. - The Signer passed to AddHostKey does not also implement AlgorithmSigner. - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected. This is CVE-2022-27191. Alla prossima, Filippo for the Go Security team Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2022-03-17 13:59:03 +01:00
Sebastiaan van Stijn	dd9782fe94	go.mod: golang.org/x/crypto 5770296d904e90f15f38f77dfc2e43fdf5efc083 full diff: `0c34fe9e7d...5770296d90` includes a fix in golang.org/x/crypto/ssh for CVE-2021-43565 - golang/go#49932 - `5770296d90` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2021-12-03 09:19:28 +01:00
Sebastiaan van Stijn	73571e4689	vendor: github.com/moby/buildkit v0.8.0-rc2 full diff: `6861f17f15`...v0.8.0-rc2 - dockerfile: rename experimental channel to labs - dockerfile build: fix not exit when meet error in load config metadata - copy containerd.UnknownExitStatus to local const to reduce dependency graph in client - executor: switch to docker seccomp profile - add retry handlers to push/pull - SSH-based auth for llb.Git operations - Allow gateway exec-ing into a failed solve with an exec op - Fix parsing ssh-based git sources - Fix sshkeyscan to work with ipv6 - fix assumption that ssh port must be 2 digits - vendor: github.com/Microsoft/go-winio v0.4.15 - vendor: github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85 - vendor: containerd v1.4.1-0.20201117152358-0edc412565dc - vendor: golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2020-11-19 10:31:35 +01:00

Sebastiaan van Stijn

917b44799d

vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd

full diff: 5770296d90...3147a52a75

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

    Hello gophers,

    Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
    client authentication support for signature algorithms based on SHA-2 for use with
    existing RSA keys.

    Previously, a client would fail to authenticate with RSA keys to servers that
    reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
    and—starting today March 15, 2022 for recently uploaded keys.

    We are providing this announcement as the error (“ssh: unable to authenticate”)
    might otherwise be difficult to troubleshoot.

    Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
    fixes a potential security issue where an attacker could cause a crash in a
    golang.org/x/crypto/ssh server under these conditions:

    - The server has been configured by passing a Signer to ServerConfig.AddHostKey.
    - The Signer passed to AddHostKey does not also implement AlgorithmSigner.
    - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

    Servers that only use Signer implementations provided by the ssh package are
    unaffected. This is CVE-2022-27191.

    Alla prossima,

    Filippo for the Go Security team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

2022-03-17 13:59:03 +01:00

Sebastiaan van Stijn

dd9782fe94

go.mod: golang.org/x/crypto 5770296d904e90f15f38f77dfc2e43fdf5efc083

full diff: 0c34fe9e7d...5770296d90

includes a fix in golang.org/x/crypto/ssh for CVE-2021-43565

- golang/go#49932
- 5770296d90

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

2021-12-03 09:19:28 +01:00

Sebastiaan van Stijn

73571e4689

vendor: github.com/moby/buildkit v0.8.0-rc2

full diff: 6861f17f15...v0.8.0-rc2

- dockerfile: rename experimental channel to labs
- dockerfile build: fix not exit when meet error in load config metadata
- copy containerd.UnknownExitStatus to local const to reduce dependency graph in client
- executor: switch to docker seccomp profile
- add retry handlers to push/pull
- SSH-based auth for llb.Git operations
- Allow gateway exec-ing into a failed solve with an exec op
- Fix parsing ssh-based git sources
- Fix sshkeyscan to work with ipv6
- fix assumption that ssh port must be 2 digits
- vendor: github.com/Microsoft/go-winio v0.4.15
- vendor: github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
- vendor: containerd v1.4.1-0.20201117152358-0edc412565dc
- vendor: golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

2020-11-19 10:31:35 +01:00

3 Commits