1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
Find a file
Sebastiaan van Stijn 73b0e4c589
Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514)
go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.12.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.8

- net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
  net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
  clients could be remotely made to allocate an unlimited amount of memory, until the program
  crashes. Servers will now close connections if the send queue accumulates too many control
  messages.
  The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
  Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
  This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
  net/url: parsing validation issue
- url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
  suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
  in certain applications. Note that URLs with invalid, not numeric ports will now return an error
  from url.Parse.
  The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
  Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
  and reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-14 02:27:05 +02:00
.github
api fix some spelling mistakes 2019-08-13 22:57:55 +08:00
builder Builder: fix "COPY --from" to non-existing directory on Windows 2019-08-08 16:45:10 +02:00
cli
client fix client.HTTPClient() not returning a copy 2019-08-06 00:45:45 +02:00
cmd/dockerd Remove hack MalformedHostHeaderOverride 2019-07-18 21:25:04 +02:00
container Merge pull request #39653 from thaJeztah/fix_unmount_ipc_ignore_enotexist 2019-08-05 11:51:28 -07:00
contrib Merge pull request #39165 from stafwag/master 2019-07-18 00:44:28 +02:00
daemon Merge pull request #38859 from kolyshkin/journald 2019-08-09 10:22:40 -07:00
distribution
dockerversion
docs Added information regarding our new Jenkins ci on moby/moby 2019-07-30 13:48:00 -07:00
errdefs Merge pull request #39527 from thaJeztah/pull_platform_regression 2019-07-16 03:29:16 +02:00
hack Jenkinsfile: reduce time of integration tests by dividing tests into 3 parallel runs 2019-08-12 20:41:03 +00:00
image
integration Builder: fix "COPY --from" to non-existing directory on Windows 2019-08-08 16:45:10 +02:00
integration-cli fix some spelling mistakes 2019-08-13 22:57:55 +08:00
internal Jenkinsfile: reduce time of integration tests by dividing tests into 3 parallel runs 2019-08-12 20:41:03 +00:00
layer
libcontainerd Sleep before restarting event processing 2019-07-12 15:42:19 -07:00
oci
opts
pkg devicemapper: remove unused errors 2019-08-07 12:27:44 +02:00
plugin
profiles
project
reference
registry
reports
restartmanager
rootless
runconfig
vendor Merge pull request #39679 from jterry75/revendor_go-winio 2019-08-08 15:07:29 +02:00
volume
.DEREK.yml
.dockerignore
.gitignore run unit tests and generate junit report 2019-08-01 06:08:35 +00:00
.mailmap
AUTHORS
CHANGELOG.md
codecov.yml
CONTRIBUTING.md Update CONTRIBUTING.md to have an option to keep name anonymous if requested 2019-07-15 16:04:11 +02:00
Dockerfile Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514) 2019-08-14 02:27:05 +02:00
Dockerfile.e2e Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514) 2019-08-14 02:27:05 +02:00
Dockerfile.simple Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514) 2019-08-14 02:27:05 +02:00
Dockerfile.windows Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514) 2019-08-14 02:27:05 +02:00
Jenkinsfile Jenkinsfile: collect junit.xml for all architectures 2019-08-13 19:58:45 +02:00
LICENSE
MAINTAINERS fix some spelling mistakes 2019-08-13 22:57:55 +08:00
Makefile Jenkinsfile: reduce time of integration tests by dividing tests into 3 parallel runs 2019-08-12 20:41:03 +00:00
NOTICE switch kr/pty to creack/pty v1.1.7 2019-07-29 16:59:08 -07:00
poule.yml
README.md
ROADMAP.md
SECURITY.md
TESTING.md Bump golang 1.12.8 (CVE-2019-9512, CVE-2019-9514) 2019-08-14 02:27:05 +02:00
vendor.conf Merge pull request #39679 from jterry75/revendor_go-winio 2019-08-08 15:07:29 +02:00
VENDORING.md

The Moby Project

Moby Project logo

Moby is an open-source project created by Docker to enable and accelerate software containerization.

It provides a "Lego set" of toolkit components, the framework for assembling them into custom container-based systems, and a place for all container enthusiasts and professionals to experiment and exchange ideas. Components include container build tools, a container registry, orchestration tools, a runtime and more, and these can be used as building blocks in conjunction with other tools and projects.

Principles

Moby is an open project guided by strong principles, aiming to be modular, flexible and without too strong an opinion on user experience. It is open to the community to help set its direction.

  • Modular: the project includes lots of components that have well-defined functions and APIs that work together.
  • Batteries included but swappable: Moby includes enough components to build fully featured container system, but its modular architecture ensures that most of the components can be swapped by different implementations.
  • Usable security: Moby provides secure defaults without compromising usability.
  • Developer focused: The APIs are intended to be functional and useful to build powerful tools. They are not necessarily intended as end user tools but as components aimed at developers. Documentation and UX is aimed at developers not end users.

Audience

The Moby Project is intended for engineers, integrators and enthusiasts looking to modify, hack, fix, experiment, invent and build systems based on containers. It is not for people looking for a commercially supported system, but for people who want to work and learn with open source code.

Relationship with Docker

The components and tools in the Moby Project are initially the open source components that Docker and the community have built for the Docker Project. New projects can be added if they fit with the community goals. Docker is committed to using Moby as the upstream for the Docker Product. However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.

The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful. The releases are supported by the maintainers, community and users, on a best efforts basis only, and are not intended for customers who want enterprise or commercial support; Docker EE is the appropriate product for these use cases.


Legal

Brought to you courtesy of our legal counsel. For more context, please see the NOTICE document in this repo.

Use and transfer of Moby may be subject to certain restrictions by the United States and other governments.

It is your responsibility to ensure that your use and/or transfer does not violate applicable laws.

For more information, please see https://www.bis.doc.gov

Licensing

Moby is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.