diff --git a/SPECS/moby-cli/CVE-2021-44716.patch b/SPECS/moby-cli/CVE-2021-44716.patch
deleted file mode 100644
index dc3adbff678..00000000000
--- a/SPECS/moby-cli/CVE-2021-44716.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -Parent: db4efeb8 (http2: deflake TestTransportGroupsPendingDials) -Author: Damien Neil -AuthorDate: 2021-12-06 14:31:43 -0800 -Commit: Filippo Valsorda -CommitDate: 2021-12-09 12:49:13 +0000 - -http2: cap the size of the server's canonical header cache - -The HTTP/2 server keeps a per-connection cache mapping header keys -to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the -maximum size of this cache to prevent a peer sending many unique -header keys from causing unbounded memory growth. - -Cap chosen arbitrarily at 32 entries. Since this cache does not -include common headers (e.g., "content-type"), 32 seems like more -than enough for almost all normal uses. - -Fixes #50058 -Fixes CVE-2021-44716 - -Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827 -Reviewed-by: Roland Shoemaker -Reviewed-on: https://go-review.googlesource.com/c/net/+/369794 -Trust: Filippo Valsorda -Run-TryBot: Filippo Valsorda -Trust: Damien Neil -Reviewed-by: Russ Cox -Reviewed-by: Filippo Valsorda -TryBot-Result: Gopher Robot - -diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go ---- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go 2024-02-05 08:53:30.802532951 -0800 -+++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go 2024-02-05 09:19:08.473430121 -0800 -@@ -720,7 +720,15 @@ - sc.canonHeader = make(map[string]string) - } - cv = http.CanonicalHeaderKey(v) -- sc.canonHeader[v] = cv -+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of -+ // entries in the canonHeader cache. This should be larger than the number -+ // of unique, uncommon header keys likely to be sent by the peer, while not -+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded -+ // number of unique header keys. 
-+ const maxCachedCanonicalHeaders = 32 -+ if len(sc.canonHeader) < maxCachedCanonicalHeaders { -+ sc.canonHeader[v] = cv -+ } - return cv - } - \ No newline at end of file diff --git a/SPECS/moby-cli/CVE-2022-21698.patch b/SPECS/moby-cli/CVE-2022-21698.patch deleted file mode 100644 index b2c866f6bf5..00000000000 --- a/SPECS/moby-cli/CVE-2022-21698.patch +++ /dev/null 
@@ -1,364 +0,0 @@ -From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] Port upstream patch - https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 - -Differences: -- Removed tests -- Removed some comments that don't merge -- Line numbers and such - -Based on: - -From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 -From: Kemal Akkoyun -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] promhttp: Check validity of method and code label values - (#962) - -* Check validity of method and code label values - -Signed-off-by: Kemal Akkoyun - -* Use more flexibly functional option pattern for configuration - -Signed-off-by: Kemal Akkoyun - -* Update documentation - -Signed-off-by: Kemal Akkoyun - -* Simplify - -Signed-off-by: Kemal Akkoyun - -* Fix inconsistent method naming - -Signed-off-by: Kemal Akkoyun ---- -vendor/github.com/prometheus/client_golang/prometheuspromhttp/instrument_client.go | 28 ++++++-- -vendor/github.com/prometheus/client_golang/prometheuspromhttp/instrument_server.go | 82 ++++++++++++++++++------ -vendor/github.com/prometheus/client_golang/prometheuspromhttp/option.go | 31 +++++++++ - 3 files changed, 116 insertions(+), 25 deletions(-) - create mode 100644vendor/github.com/prometheus/client_golang/prometheuspromhttp/option.go - -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -index 83c49b6..861b4d2 100644 ---- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // http.RoundTripper to observe the request result with the provided 
CounterVec. - // The CounterVec must have zero, one, or two non-const non-curried labels. For - // those, the only allowed label names are "code" and "method". The function --// panics otherwise. Partitioning of the CounterVec happens by HTTP status code -+// panics otherwise. For the "method" label a predefined default label value set -+// is used to filter given values. Values besides predefined values will count -+// as `unknown` method.`WithExtraMethods` can be used to add more -+// methods to the set. Partitioning of the CounterVec happens by HTTP status code - // and/or HTTP method if the respective instance label names are present in the - // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. - // -@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // is not incremented. - // - // See the example for ExampleInstrumentRoundTripperDuration for example usage. --func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(counter) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - resp, err := next.RoundTrip(r) - if err == nil { -- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() -+ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() - } - return resp, err - }) -@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // http.RoundTripper to observe the request duration with the provided - // ObserverVec. The ObserverVec must have zero, one, or two non-const - // non-curried labels. For those, the only allowed label names are "code" and --// "method". The function panics otherwise. 
The Observe method of the Observer -+// "method". The function panics otherwise. For the "method" label a predefined -+// default label value set is used to filter given values. Values besides -+// predefined values will count as `unknown` method. `WithExtraMethods` -+// can be used to add more methods to the set. The Observe method of the Observer - // in the ObserverVec is called with the request duration in - // seconds. Partitioning happens by HTTP status code and/or HTTP method if the - // respective instance label names are present in the ObserverVec. For -@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. --func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(obs) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - start := time.Now() - resp, err := next.RoundTrip(r) - if err == nil { -- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) -+ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) - } - return resp, err - }) -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -index 9db2438..91802f8 100644 ---- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next 
http.Handler) http.Handl - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. --func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - -- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - next.ServeHTTP(w, r) -- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - -@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - // If the wrapped Handler panics, the Counter is not incremented. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(counter) - - if code { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- counter.With(labels(code, method, r.Method, d.Status())).Inc() -+ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) -- counter.With(labels(code, method, r.Method, 0)).Inc() -+ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() - }) - } - -@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) - // if used with Go1.9+. - // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - d := newDelegator(w, func(status int) { -- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - next.ServeHTTP(d, r) - }) -@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha - // If the wrapped Handler panics, no values are reported. 
- // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - -@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - // If the wrapped Handler panics, no values are reported. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { -+func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) -+ - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) - }) - } - -@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { - // unnecessary allocations on each request. - var emptyLabels = prometheus.Labels{} - --func labels(code, method bool, reqMethod string, status int) prometheus.Labels { -+func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { - if !(code || method) { - return emptyLabels - } -@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { - labels["code"] = sanitizeCode(status) - } - if method { -- labels["method"] = sanitizeMethod(reqMethod) -+ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) - } - - return labels -@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int { - return s - } - --func sanitizeMethod(m string) string { -+// If the wrapped http.Handler has a known method, it will be sanitized and returned. -+// Otherwise, "unknown" will be returned. The known method list can be extended -+// as needed by using extraMethods parameter. -+func sanitizeMethod(m string, extraMethods ...string) string { -+ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for -+ // the methods chosen as default. 
- switch m { - case "GET", "get": - return "get" -@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string { - return "options" - case "NOTIFY", "notify": - return "notify" -+ case "TRACE", "trace": -+ return "trace" -+ case "PATCH", "patch": -+ return "patch" - default: -- return strings.ToLower(m) -+ for _, method := range extraMethods { -+ if strings.EqualFold(m, method) { -+ return strings.ToLower(m) -+ } -+ } -+ return "unknown" - } - } - - // If the wrapped http.Handler has not set a status code, i.e. the value is --// currently 0, santizeCode will return 200, for consistency with behavior in -+// currently 0, sanitizeCode will return 200, for consistency with behavior in - // the stdlib. - func sanitizeCode(s int) string { -+ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml - switch s { - case 100: - return "100" -@@ -442,6 +483,9 @@ func sanitizeCode(s int) string { - return "511" - - default: -- return strconv.Itoa(s) -+ if s >= 100 && s <= 599 { -+ return strconv.Itoa(s) -+ } -+ return "unknown" - } - } -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -new file mode 100644 -index 0000000..35e41bd ---- /dev/null -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -@@ -0,0 +1,31 @@ -+// Copyright 2022 The Prometheus Authors -+// Licensed under the Apache License, Version 2.0 (the "License"); -+// you may not use this file except in compliance with the License. -+// You may obtain a copy of the License at -+// -+// http://www.apache.org/licenses/LICENSE-2.0 -+// -+// Unless required by applicable law or agreed to in writing, software -+// distributed under the License is distributed on an "AS IS" BASIS, -+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-+// See the License for the specific language governing permissions and -+// limitations under the License. -+ -+package promhttp -+ -+// Option are used to configure a middleware or round tripper.. -+type Option func(*option) -+ -+type option struct { -+ extraMethods []string -+} -+ -+// WithExtraMethods adds additional HTTP methods to the list of allowed methods. -+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. -+// -+// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. -+func WithExtraMethods(methods ...string) Option { -+ return func(o *option) { -+ o.extraMethods = methods -+ } -+} --- -2.33.8 - diff --git a/SPECS/moby-cli/CVE-2023-48795.patch b/SPECS/moby-cli/CVE-2023-48795.patch deleted file mode 100644 index 916a4996be6..00000000000 --- a/SPECS/moby-cli/CVE-2023-48795.patch +++ /dev/null 
@@ -1,285 +0,0 @@ -From 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Mon, 20 Nov 2023 12:06:18 -0800 -Subject: [PATCH] ssh: implement strict KEX protocol changes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Implement the "strict KEX" protocol changes, as described in section -1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1). - -Namely this makes the following changes: - * Both the server and the client add an additional algorithm to the - initial KEXINIT message, indicating support for the strict KEX mode. - * When one side of the connection sees the strict KEX extension - algorithm, the strict KEX mode is enabled for messages originating - from the other side of the connection. If the sequence number for - the side which requested the extension is not 1 (indicating that it - has already received non-KEXINIT packets), the connection is - terminated. - * When strict kex mode is enabled, unexpected messages during the - handshake are considered fatal. Additionally when a key change - occurs (on the receipt of the NEWKEYS message) the message sequence - numbers are reset. - -Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr -University Bochum for reporting this issue. - -Fixes CVE-2023-48795 -Fixes golang/go#64784 - -Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604 -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715 -Reviewed-by: Nicola Murino -Reviewed-by: Tatiana Bradley -TryBot-Result: Gopher Robot -Run-TryBot: Roland Shoemaker -Reviewed-by: Damien Neil -LUCI-TryBot-Result: Go LUCI - -Modified patch 9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d to apply to -CBL-Mariner: added initialization of enterKeyExchange variable in -enterKeyExchange function. Removed modifications to ssh/handshake_test.go -as this file is not present in CBL-Mariner's version of the package. 
-Modified by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - ---- - vendor/golang.org/x/crypto/ssh/handshake.go | 59 +++++++++++++++++++-- - vendor/golang.org/x/crypto/ssh/transport.go | 32 +++++++++-- - 2 files changed, 81 insertions(+), 10 deletions(-) - -diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go -index 653dc4d..e7d4545 100644 ---- a/vendor/golang.org/x/crypto/ssh/handshake.go -+++ b/vendor/golang.org/x/crypto/ssh/handshake.go -@@ -34,6 +34,16 @@ type keyingTransport interface { - // direction will be effected if a msgNewKeys message is sent - // or received. - prepareKeyChange(*algorithms, *kexResult) error -+ -+ // setStrictMode sets the strict KEX mode, notably triggering -+ // sequence number resets on sending or receiving msgNewKeys. -+ // If the sequence number is already > 1 when setStrictMode -+ // is called, an error is returned. -+ setStrictMode() error -+ -+ // setInitialKEXDone indicates to the transport that the initial key exchange -+ // was completed -+ setInitialKEXDone() - } - - // handshakeTransport implements rekeying on top of a keyingTransport -@@ -94,6 +104,10 @@ type handshakeTransport struct { - - // The session ID or nil if first kex did not complete yet. - sessionID []byte -+ -+ // strictMode indicates if the other side of the handshake indicated -+ // that we should be following the strict KEX protocol restrictions. -+ strictMode bool - } - - type pendingKex struct { -@@ -201,7 +215,10 @@ func (t *handshakeTransport) readLoop() { - close(t.incoming) - break - } -- if p[0] == msgIgnore || p[0] == msgDebug { -+ // If this is the first kex, and strict KEX mode is enabled, -+ // we don't ignore any messages, as they may be used to manipulate -+ // the packet sequence numbers. 
-+ if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug) { - continue - } - t.incoming <- p -@@ -432,6 +449,11 @@ func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) { - return successPacket, nil - } - -+const ( -+ kexStrictClient = "kex-strict-c-v00@openssh.com" -+ kexStrictServer = "kex-strict-s-v00@openssh.com" -+) -+ - // sendKexInit sends a key change message. - func (t *handshakeTransport) sendKexInit() error { - t.mu.Lock() -@@ -445,7 +467,6 @@ func (t *handshakeTransport) sendKexInit() error { - } - - msg := &kexInitMsg{ -- KexAlgos: t.config.KeyExchanges, - CiphersClientServer: t.config.Ciphers, - CiphersServerClient: t.config.Ciphers, - MACsClientServer: t.config.MACs, -@@ -455,6 +476,13 @@ func (t *handshakeTransport) sendKexInit() error { - } - io.ReadFull(rand.Reader, msg.Cookie[:]) - -+ // We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm, -+ // and possibly to add the ext-info extension algorithm. Since the slice may be the -+ // user owned KeyExchanges, we create our own slice in order to avoid using user -+ // owned memory by mistake. -+ msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info -+ msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...) -+ - isServer := len(t.hostKeys) > 0 - if isServer { - for _, k := range t.hostKeys { -@@ -474,17 +502,24 @@ func (t *handshakeTransport) sendKexInit() error { - msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat) - } - } -+ -+ if t.sessionID == nil { -+ msg.KexAlgos = append(msg.KexAlgos, kexStrictServer) -+ } - } else { - msg.ServerHostKeyAlgos = t.hostKeyAlgorithms - - // As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what - // algorithms the server supports for public key authentication. See RFC - // 8308, Section 2.1. -+ // -+ // We also send the strict KEX mode extension algorithm, in order to opt -+ // into the strict KEX mode. 
- if firstKeyExchange := t.sessionID == nil; firstKeyExchange { -- msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1) -- msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...) - msg.KexAlgos = append(msg.KexAlgos, "ext-info-c") -+ msg.KexAlgos = append(msg.KexAlgos, kexStrictClient) - } -+ - } - - packet := Marshal(msg) -@@ -581,6 +616,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error { - return err - } - -+ if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) { -+ t.strictMode = true -+ if err := t.conn.setStrictMode(); err != nil { -+ return err -+ } -+ } -+ - // We don't send FirstKexFollows, but we handle receiving it. - // - // RFC 4253 section 7 defines the kex and the agreement method for -@@ -615,7 +657,8 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error { - return err - } - -- if t.sessionID == nil { -+ firstKeyExchange := t.sessionID == nil -+ if firstKeyExchange { - t.sessionID = result.H - } - result.SessionID = t.sessionID -@@ -632,6 +675,12 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error { - return unexpectedMessageError(msgNewKeys, packet[0]) - } - -+ if firstKeyExchange { -+ // Indicates to the transport that the first key exchange is completed -+ // after receiving SSH_MSG_NEWKEYS. 
-+ t.conn.setInitialKEXDone() -+ } -+ - return nil - } - -diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go -index acf5a21..4df45fc 100644 ---- a/vendor/golang.org/x/crypto/ssh/transport.go -+++ b/vendor/golang.org/x/crypto/ssh/transport.go -@@ -48,6 +48,9 @@ type transport struct { - rand io.Reader - isClient bool - io.Closer -+ -+ strictMode bool -+ initialKEXDone bool - } - - // packetCipher represents a combination of SSH encryption/MAC -@@ -73,6 +76,18 @@ type connectionState struct { - pendingKeyChange chan packetCipher - } - -+func (t *transport) setStrictMode() error { -+ if t.reader.seqNum != 1 { -+ return errors.New("ssh: sequence number != 1 when strict KEX mode requested") -+ } -+ t.strictMode = true -+ return nil -+} -+ -+func (t *transport) setInitialKEXDone() { -+ t.initialKEXDone = true -+} -+ - // prepareKeyChange sets up key material for a keychange. The key changes in - // both directions are triggered by reading and writing a msgNewKey packet - // respectively. -@@ -111,11 +126,12 @@ func (t *transport) printPacket(p []byte, write bool) { - // Read and decrypt next packet. 
- func (t *transport) readPacket() (p []byte, err error) { - for { -- p, err = t.reader.readPacket(t.bufReader) -+ p, err = t.reader.readPacket(t.bufReader, t.strictMode) - if err != nil { - break - } -- if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) { -+ // in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX -+ if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) { - break - } - } -@@ -126,7 +142,7 @@ func (t *transport) readPacket() (p []byte, err error) { - return p, err - } - --func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) { -+func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) { - packet, err := s.packetCipher.readCipherPacket(s.seqNum, r) - s.seqNum++ - if err == nil && len(packet) == 0 { -@@ -139,6 +155,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) { - select { - case cipher := <-s.pendingKeyChange: - s.packetCipher = cipher -+ if strictMode { -+ s.seqNum = 0 -+ } - default: - return nil, errors.New("ssh: got bogus newkeys message") - } -@@ -169,10 +188,10 @@ func (t *transport) writePacket(packet []byte) error { - if debugTransport { - t.printPacket(packet, true) - } -- return t.writer.writePacket(t.bufWriter, t.rand, packet) -+ return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode) - } - --func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error { -+func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error { - changeKeys := len(packet) > 0 && packet[0] == msgNewKeys - - err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet) -@@ -187,6 +206,9 @@ func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet [] - select { - case cipher := <-s.pendingKeyChange: - s.packetCipher = cipher -+ if strictMode { -+ s.seqNum = 0 -+ } - default: - panic("ssh: no key 
material for msgNewKeys")
- }
---
-2.33.8
diff --git a/SPECS/moby-cli/disable_manpage_vendor.patch b/SPECS/moby-cli/disable_manpage_vendor.patch
new file mode 100644
index 00000000000..b0c1a888aa7
--- /dev/null
+++ b/SPECS/moby-cli/disable_manpage_vendor.patch
@@ -0,0 +1,17 @@
+Prevent the manpage build from attemption to vendor golang modules.
+These dependencies have already been included in Source1
+
+diff -Naur a/scripts/docs/generate-man.sh b/scripts/docs/generate-man.sh
+--- a/scripts/docs/generate-man.sh 2023-10-26 00:06:42.000000000 -0700
++++ b/scripts/docs/generate-man.sh 2024-01-18 15:11:13.529735864 -0800
+@@ -21,10 +21,8 @@
+ ./scripts/vendor init
+ # install go-md2man and copy man/tools.go in root folder
+ # to be able to fetch the required dependencies
+- go mod edit -modfile=vendor.mod -require=github.com/cpuguy83/go-md2man/v2@${MD2MAN_VERSION}
+ cp man/tools.go .
+ # update vendor
+- ./scripts/vendor update
+ # build gen-manpages
+ go build -mod=vendor -modfile=vendor.mod -tags manpages -o /tmp/gen-manpages ./man/generate.go
+ # build go-md2man
diff --git a/SPECS/moby-cli/generate_source_tarball.sh b/SPECS/moby-cli/generate_source_tarball.sh
new file mode 100755
index 00000000000..fe48b47f238
--- /dev/null
+++ b/SPECS/moby-cli/generate_source_tarball.sh
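Review bot: The go-md2man version is now pinned in two places that can drift apart: the removed `go mod edit` line was the only consumer of `${MD2MAN_VERSION}` (presumably set earlier in generate-man.sh, outside this hunk), while the version actually vendored is whatever generate_source_tarball.sh wrote into vendor.mod/vendor.sum in Source1, so a future upstream bump of MD2MAN_VERSION would silently have no effect on the build. A one-line comment in place of the removed line, `# go-md2man is pre-vendored via Source1 by generate_source_tarball.sh; bump its version there`, would point the next maintainer at the real pin. It is worth stating in the patch header that the surviving `go build -mod=vendor` fails the vendor consistency check if vendor/modules.txt in Source1 does not list go-md2man, which is the intended fail-closed behaviour rather than a regression. The header also has a typo: `attemption` should read `attempting`.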
@@ -0,0 +1,122 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Quit on failure
+set -e
+
+PKG_VERSION=""
+SRC_TARBALL=""
+VENDOR_VERSION="1"
+OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# parameters:
+#
+# --srcTarball : src tarball file
+# this file contains the 'initial' source code of the component
+# and should be replaced with the new/modified src code
+# --outFolder : folder where to copy the new tarball(s)
+# --pkgVersion : package version
+# --vendorVersion : vendor version
+#
+PARAMS=""
+while (( "$#" )); do
+ case "$1" in
+ --srcTarball)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ SRC_TARBALL=$2
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ --outFolder)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ OUT_FOLDER=$2
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ --pkgVersion)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ PKG_VERSION=$2
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ --vendorVersion)
+ if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+ VENDOR_VERSION=$2
+ shift 2
+ else
+ echo "Error: Argument for $1 is missing" >&2
+ exit 1
+ fi
+ ;;
+ -*|--*=) # unsupported flags
+ echo "Error: Unsupported flag $1" >&2
+ exit 1
+ ;;
+ *) # preserve positional arguments
+ PARAMS="$PARAMS $1"
+ shift
+ ;;
+ esac
+done
+
+echo "--srcTarball -> $SRC_TARBALL"
+echo "--outFolder -> $OUT_FOLDER"
+echo "--pkgVersion -> $PKG_VERSION"
+echo "--vendorVersion -> $VENDOR_VERSION"
+
+if [ -z "$PKG_VERSION" ]; then
+ echo "--pkgVersion parameter cannot be empty"
+ exit 1
+fi
+
+echo "-- create temp folder"
+tmpdir=$(mktemp -d)
+function cleanup {
+ echo "+++ cleanup -> remove $tmpdir"
+ rm -rf $tmpdir
+}
+trap cleanup EXIT
+
+TARBALL_FOLDER="$tmpdir/tarballFolder"
+mkdir -p $TARBALL_FOLDER
+cp $SRC_TARBALL $tmpdir
+
+pushd $tmpdir > /dev/null
+
+PKG_NAME="moby-cli"
+NAME_VER="$PKG_NAME-$PKG_VERSION"
+VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz"
+
+echo "Unpacking source tarball..."
+tar -xf $SRC_TARBALL
+
+echo "Vendor go modules..."
+cd cli-"$PKG_VERSION"
+cp man/tools.go .
+./scripts/vendor init
+go mod edit -modfile=vendor.mod -require=github.com/cpuguy83/go-md2man/v2@v2.0.3
+#go mod tidy -modfile=vendor.mod
+#go mod vendor -modfile=vendor.mod
+./scripts/vendor update
+
+echo ""
+echo "========================="
+echo "Tar vendored tarball"
+tar --sort=name \
+ --mtime="2021-04-26 00:00Z" \
+ --owner=0 --group=0 --numeric-owner \
+ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+ -czf "$VENDOR_TARBALL" vendor.mod vendor.sum vendor
+
+popd > /dev/null
+echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL"
diff --git a/SPECS/moby-cli/moby-cli.signatures.json b/SPECS/moby-cli/moby-cli.signatures.json
index ed71b3b92a2..053c06d0b5c 100644
--- a/SPECS/moby-cli/moby-cli.signatures.json
+++ b/SPECS/moby-cli/moby-cli.signatures.json
@@ -1,5 +1,6 @@
 {
 "Signatures": {
- "moby-cli-20.10.27.tar.gz": "32541cb51a541c6f38b0d4a7a638c28233a29dba5c9a843bc5dbb3a709d8ddf0"
+ "moby-cli-23.0.10-govendor-v1.tar.gz": "75dc6c52c64a78a14c3cc40d6c6a26889af7a75f3a4787bd144d8e0d12dc727e",
+ "moby-cli-23.0.10.tar.gz": "214f74c53a019c91d15fc06e84efcc69ef370bff8f441f37a69a2e2edb8aa651"
 }
 }
\ No newline at end of file
diff --git a/SPECS/moby-cli/moby-cli.spec b/SPECS/moby-cli/moby-cli.spec
index f989bae6763..061be2daa87 100644
--- a/SPECS/moby-cli/moby-cli.spec
+++ b/SPECS/moby-cli/moby-cli.spec
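Review bot: `tar -xf $SRC_TARBALL` runs after `pushd $tmpdir`, so a relative `--srcTarball` path fails even though the file was just copied into the temp dir, and an empty or missing `--srcTarball` is never rejected (only `--pkgVersion` is checked before the temp dir is created). Validate it next to the PKG_VERSION check, `if [ -z "$SRC_TARBALL" ] || [ ! -f "$SRC_TARBALL" ]; then echo "--srcTarball must name an existing file" >&2; exit 1; fi`, and extract the copied file instead, `tar -xf "$(basename "$SRC_TARBALL")"`. The `./scripts/vendor update` step fetches modules over the network, so the integrity of Source1 rests entirely on the sha256 later recorded in moby-cli.signatures.json; printing `sha256sum "$VENDOR_TARBALL"` after the final echo lets that value come from the same run rather than a separate manual step. Quote `$tmpdir`, `$SRC_TARBALL` and `$TARBALL_FOLDER` in the `rm -rf`, `cp` and `mkdir` calls, and drop `TARBALL_FOLDER` and `PARAMS`, which are assigned but never used.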
@@ -1,39 +1,34 @@ -%define upstream_name cli -%define commit_hash b82b9f3a0e763304a250531cb9350aa6d93723c9 - -Summary: The open-source application container engine client. -Name: moby-%{upstream_name} -Version: 20.10.27 -Release: 5%{?dist} -License: ASL 2.0 -Group: Tools/Container -URL: https://github.com/docker/cli -Vendor: Microsoft Corporation -Distribution: Mariner - -Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch0: CVE-2023-48795.patch -Patch1: CVE-2022-21698.patch -Patch2: CVE-2021-44716.patch - -BuildRequires: golang >= 1.16.12 -BuildRequires: make -BuildRequires: git -BuildRequires: go-md2man - -Requires: /bin/sh -Requires: tar -Requires: xz +%define commit_hash 672b1497b97348af636b8e075908656e302d5bb8 +%define OUR_GOPATH %{_topdir}/.gopath +Summary: The open-source application container engine client. +Name: moby-cli +Version: 23.0.10 +Release: 1%{?dist} +License: ASL 2.0 +Vendor: Microsoft Corporation +Distribution: Azure Linux +Group: Tools/Container +URL: https://github.com/docker/cli +Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source1: %{name}-%{version}-govendor-v1.tar.gz +Patch0: disable_manpage_vendor.patch +BuildRequires: git +BuildRequires: go-md2man +BuildRequires: golang +BuildRequires: make +Requires: /bin/sh +Requires: tar +Requires: xz %description %{summary} -%define OUR_GOPATH %{_topdir}/.gopath - %prep -%autosetup -p1 -n %{upstream_name}-%{version} +%autosetup -p1 -n cli-%{version} +%setup -q -n cli-%{version} -T -D -a 1 + mkdir -p %{OUR_GOPATH}/src/github.com/docker -ln -sfT %{_builddir}/%{upstream_name}-%{version} %{OUR_GOPATH}/src/github.com/docker/cli +ln -sfT %{_builddir}/cli-%{version} %{OUR_GOPATH}/src/github.com/docker/cli %build export GOPATH=%{OUR_GOPATH} 
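Review bot: The three removed `Patch` lines (`CVE-2023-48795.patch`, `CVE-2022-21698.patch`, `CVE-2021-44716.patch`) are dropped with no statement of which vendored module versions in 23.0.10 supersede them, and this spec is where an auditor or scanner will look; a comment next to `Source1:` or a changelog line naming the vendored versions that carry each fix would keep the drop auditable. `BuildRequires: golang >= 1.16.12` also becomes a bare `BuildRequires: golang`; if 23.0.10 needs a newer toolchain the floor should be raised rather than removed, and if no floor is needed a short comment should say so. `%autosetup -p1 -n cli-%{version}` followed by `%setup -q -n cli-%{version} -T -D -a 1` applies the patches before the vendor tarball is unpacked, so any future patch against vendored code would fail to apply; a one-line comment above the `%setup` line stating that ordering would stop someone from reordering it.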
@@ -52,17 +47,17 @@ make \ # Generating man pages. mkdir -p ./github.com/docker -ln -sfT %{_builddir}/%{upstream_name}-%{version} ./github.com/docker/cli +ln -sfT %{_builddir}/cli-%{version} ./github.com/docker/cli make manpages %install mkdir -p %{buildroot}/%{_bindir} -cp -aLT build/docker %{buildroot}/%{_bindir}/docker +install -p -m 755 build/docker %{buildroot}%{_bindir}/docker install -dp %{buildroot}%{_mandir}/man{1,5,8} -install -p -m 644 man/man1/*.1 %{buildroot}/%{_mandir}/man1 -install -p -m 644 man/man5/*.5 %{buildroot}/%{_mandir}/man5 -install -p -m 644 man/man8/*.8 %{buildroot}/%{_mandir}/man8 +install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1 +install -p -m 644 man/man5/*.5 %{buildroot}%{_mandir}/man5 +install -p -m 644 man/man8/*.8 %{buildroot}%{_mandir}/man8 install -d %{buildroot}%{_datadir}/bash-completion/completions install -d %{buildroot}%{_datadir}/zsh/vendor-completions @@ -71,7 +66,6 @@ install -p -m 644 contrib/completion/bash/docker %{buildroot}%{_datadir}/bash-co install -p -m 644 contrib/completion/zsh/_docker %{buildroot}%{_datadir}/zsh/vendor-completions/_docker install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/docker.fish -# list files owned by the package here %files %license NOTICE LICENSE %{_bindir}/docker @@ -83,6 +77,11 @@ install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fi %{_datadir}/fish/vendor_completions.d/docker.fish %changelog +* Mon Mar 25 2024 Muhammad Falak - 23.0.10-1 +- Bump version to 23.X +- Drop un-needed patches +- Add vendor tarball for new deps in make manpages + * Thu Feb 08 2024 Muhammad Falak - 20.10.27-5 - Bump release to rebuild with go 1.21.6 diff --git a/SPECS/moby-engine/CVE-2022-21698.patch b/SPECS/moby-engine/CVE-2022-21698.patch deleted file mode 100644 index b2c866f6bf5..00000000000 --- a/SPECS/moby-engine/CVE-2022-21698.patch +++ /dev/null 
@@ -1,364 +0,0 @@ -From 253029f7ffbade99588df59a8b89a35d99197fe0 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] Port upstream patch - https://github.com/prometheus/client_golang/commit/9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 - -Differences: -- Removed tests -- Removed some comments that don't merge -- Line numbers and such - -Based on: - -From 9075cdf61646b5adf54d3ba77a0e4f6c65cb4fd7 Mon Sep 17 00:00:00 2001 -From: Kemal Akkoyun -Date: Tue, 18 Jan 2022 10:19:28 +0100 -Subject: [PATCH] promhttp: Check validity of method and code label values - (#962) - -* Check validity of method and code label values - -Signed-off-by: Kemal Akkoyun - -* Use more flexibly functional option pattern for configuration - -Signed-off-by: Kemal Akkoyun - -* Update documentation - -Signed-off-by: Kemal Akkoyun - -* Simplify - -Signed-off-by: Kemal Akkoyun - -* Fix inconsistent method naming - -Signed-off-by: Kemal Akkoyun ---- -vendor/github.com/prometheus/client_golang/prometheuspromhttp/instrument_client.go | 28 ++++++-- -vendor/github.com/prometheus/client_golang/prometheuspromhttp/instrument_server.go | 82 ++++++++++++++++++------ -vendor/github.com/prometheus/client_golang/prometheuspromhttp/option.go | 31 +++++++++ - 3 files changed, 116 insertions(+), 25 deletions(-) - create mode 100644vendor/github.com/prometheus/client_golang/prometheuspromhttp/option.go - -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -index 83c49b6..861b4d2 100644 ---- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go -@@ -49,7 +49,10 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // http.RoundTripper to observe the request result with the provided 
CounterVec. - // The CounterVec must have zero, one, or two non-const non-curried labels. For - // those, the only allowed label names are "code" and "method". The function --// panics otherwise. Partitioning of the CounterVec happens by HTTP status code -+// panics otherwise. For the "method" label a predefined default label value set -+// is used to filter given values. Values besides predefined values will count -+// as `unknown` method.`WithExtraMethods` can be used to add more -+// methods to the set. Partitioning of the CounterVec happens by HTTP status code - // and/or HTTP method if the respective instance label names are present in the - // CounterVec. For unpartitioned counting, use a CounterVec with zero labels. - // -@@ -57,13 +60,18 @@ func InstrumentRoundTripperInFlight(gauge prometheus.Gauge, next http.RoundTripp - // is not incremented. - // - // See the example for ExampleInstrumentRoundTripperDuration for example usage. --func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(counter) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - resp, err := next.RoundTrip(r) - if err == nil { -- counter.With(labels(code, method, r.Method, resp.StatusCode)).Inc() -+ counter.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Inc() - } - return resp, err - }) -@@ -73,7 +81,10 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // http.RoundTripper to observe the request duration with the provided - // ObserverVec. The ObserverVec must have zero, one, or two non-const - // non-curried labels. For those, the only allowed label names are "code" and --// "method". The function panics otherwise. 
The Observe method of the Observer -+// "method". The function panics otherwise. For the "method" label a predefined -+// default label value set is used to filter given values. Values besides -+// predefined values will count as `unknown` method. `WithExtraMethods` -+// can be used to add more methods to the set. The Observe method of the Observer - // in the ObserverVec is called with the request duration in - // seconds. Partitioning happens by HTTP status code and/or HTTP method if the - // respective instance label names are present in the ObserverVec. For -@@ -85,14 +96,19 @@ func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.Rou - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. --func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper) RoundTripperFunc { -+func InstrumentRoundTripperDuration(obs prometheus.ObserverVec, next http.RoundTripper, opts ...Option) RoundTripperFunc { -+ rtOpts := &option{} -+ for _, o := range opts { -+ o(rtOpts) -+ } -+ - code, method := checkLabels(obs) - - return RoundTripperFunc(func(r *http.Request) (*http.Response, error) { - start := time.Now() - resp, err := next.RoundTrip(r) - if err == nil { -- obs.With(labels(code, method, r.Method, resp.StatusCode)).Observe(time.Since(start).Seconds()) -+ obs.With(labels(code, method, r.Method, resp.StatusCode, rtOpts.extraMethods...)).Observe(time.Since(start).Seconds()) - } - return resp, err - }) -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -index 9db2438..91802f8 100644 ---- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go -@@ -58,7 +58,12 @@ func InstrumentHandlerInFlight(g prometheus.Gauge, next 
http.Handler) http.Handl - // - // Note that this method is only guaranteed to never observe negative durations - // if used with Go1.9+. --func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -67,14 +72,14 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - -- obs.With(labels(code, method, r.Method, d.Status())).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - next.ServeHTTP(w, r) -- obs.With(labels(code, method, r.Method, 0)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - } - -@@ -91,20 +96,25 @@ func InstrumentHandlerDuration(obs prometheus.ObserverVec, next http.Handler) ht - // If the wrapped Handler panics, the Counter is not incremented. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(counter) - - if code { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- counter.With(labels(code, method, r.Method, d.Status())).Inc() -+ counter.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Inc() - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) -- counter.With(labels(code, method, r.Method, 0)).Inc() -+ counter.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Inc() - }) - } - -@@ -126,13 +136,18 @@ func InstrumentHandlerCounter(counter *prometheus.CounterVec, next http.Handler) - // if used with Go1.9+. - // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - now := time.Now() - d := newDelegator(w, func(status int) { -- obs.With(labels(code, method, r.Method, status)).Observe(time.Since(now).Seconds()) -+ obs.With(labels(code, method, r.Method, status, mwOpts.extraMethods...)).Observe(time.Since(now).Seconds()) - }) - next.ServeHTTP(d, r) - }) -@@ -154,7 +169,12 @@ func InstrumentHandlerTimeToWriteHeader(obs prometheus.ObserverVec, next http.Ha - // If the wrapped Handler panics, no values are reported. 
- // - // See the example for InstrumentHandlerDuration for example usage. --func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) http.HandlerFunc { -+func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.HandlerFunc { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) - - if code { -@@ -162,14 +182,14 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - d := newDelegator(w, nil) - next.ServeHTTP(d, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - next.ServeHTTP(w, r) - size := computeApproximateRequestSize(r) -- obs.With(labels(code, method, r.Method, 0)).Observe(float64(size)) -+ obs.With(labels(code, method, r.Method, 0, mwOpts.extraMethods...)).Observe(float64(size)) - }) - } - -@@ -189,12 +209,18 @@ func InstrumentHandlerRequestSize(obs prometheus.ObserverVec, next http.Handler) - // If the wrapped Handler panics, no values are reported. - // - // See the example for InstrumentHandlerDuration for example usage. 
--func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler) http.Handler { -+func InstrumentHandlerResponseSize(obs prometheus.ObserverVec, next http.Handler, opts ...Option) http.Handler { -+ mwOpts := &option{} -+ for _, o := range opts { -+ o(mwOpts) -+ } -+ - code, method := checkLabels(obs) -+ - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - d := newDelegator(w, nil) - next.ServeHTTP(d, r) -- obs.With(labels(code, method, r.Method, d.Status())).Observe(float64(d.Written())) -+ obs.With(labels(code, method, r.Method, d.Status(), mwOpts.extraMethods...)).Observe(float64(d.Written())) - }) - } - -@@ -279,7 +305,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { - // unnecessary allocations on each request. - var emptyLabels = prometheus.Labels{} - --func labels(code, method bool, reqMethod string, status int) prometheus.Labels { -+func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { - if !(code || method) { - return emptyLabels - } -@@ -289,7 +315,7 @@ func labels(code, method bool, reqMethod string, status int) prometheus.Labels { - labels["code"] = sanitizeCode(status) - } - if method { -- labels["method"] = sanitizeMethod(reqMethod) -+ labels["method"] = sanitizeMethod(reqMethod, extraMethods...) - } - - return labels -@@ -319,7 +345,12 @@ func computeApproximateRequestSize(r *http.Request) int { - return s - } - --func sanitizeMethod(m string) string { -+// If the wrapped http.Handler has a known method, it will be sanitized and returned. -+// Otherwise, "unknown" will be returned. The known method list can be extended -+// as needed by using extraMethods parameter. -+func sanitizeMethod(m string, extraMethods ...string) string { -+ // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for -+ // the methods chosen as default. 
- switch m { - case "GET", "get": - return "get" -@@ -337,15 +368,25 @@ func sanitizeMethod(m string) string { - return "options" - case "NOTIFY", "notify": - return "notify" -+ case "TRACE", "trace": -+ return "trace" -+ case "PATCH", "patch": -+ return "patch" - default: -- return strings.ToLower(m) -+ for _, method := range extraMethods { -+ if strings.EqualFold(m, method) { -+ return strings.ToLower(m) -+ } -+ } -+ return "unknown" - } - } - - // If the wrapped http.Handler has not set a status code, i.e. the value is --// currently 0, santizeCode will return 200, for consistency with behavior in -+// currently 0, sanitizeCode will return 200, for consistency with behavior in - // the stdlib. - func sanitizeCode(s int) string { -+ // See for accepted codes https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml - switch s { - case 100: - return "100" -@@ -442,6 +483,9 @@ func sanitizeCode(s int) string { - return "511" - - default: -- return strconv.Itoa(s) -+ if s >= 100 && s <= 599 { -+ return strconv.Itoa(s) -+ } -+ return "unknown" - } - } -diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -new file mode 100644 -index 0000000..35e41bd ---- /dev/null -+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/option.go -@@ -0,0 +1,31 @@ -+// Copyright 2022 The Prometheus Authors -+// Licensed under the Apache License, Version 2.0 (the "License"); -+// you may not use this file except in compliance with the License. -+// You may obtain a copy of the License at -+// -+// http://www.apache.org/licenses/LICENSE-2.0 -+// -+// Unless required by applicable law or agreed to in writing, software -+// distributed under the License is distributed on an "AS IS" BASIS, -+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-+// See the License for the specific language governing permissions and -+// limitations under the License. -+ -+package promhttp -+ -+// Option are used to configure a middleware or round tripper.. -+type Option func(*option) -+ -+type option struct { -+ extraMethods []string -+} -+ -+// WithExtraMethods adds additional HTTP methods to the list of allowed methods. -+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods for the default list. -+// -+// See the example for ExampleInstrumentHandlerWithExtraMethods for example usage. -+func WithExtraMethods(methods ...string) Option { -+ return func(o *option) { -+ o.extraMethods = methods -+ } -+} --- -2.33.8 - diff --git a/SPECS/moby-engine/CVE-2023-25153.patch b/SPECS/moby-engine/CVE-2023-25153.patch deleted file mode 100644 index cca22ced16f..00000000000 --- a/SPECS/moby-engine/CVE-2023-25153.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -from commit 9e4acc02807a012a51f68afef41f189a350a16cd - -diff -ru moby-20.10.14-orig/vendor/github.com/containerd/containerd/images/archive/importer.go moby-20.10.14/vendor/github.com/containerd/containerd/images/archive/importer.go ---- moby-20.10.14-orig/vendor/github.com/containerd/containerd/images/archive/importer.go 2023-03-15 13:29:35.779238288 -0700 -+++ moby-20.10.14/vendor/github.com/containerd/containerd/images/archive/importer.go 2023-03-15 14:19:06.216217317 -0700 -@@ -24,7 +24,6 @@ - "encoding/json" - "fmt" - "io" -- "io/ioutil" - "path" - - "github.com/containerd/containerd/archive/compression" -@@ -222,12 +221,14 @@ - return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex) - } - -+const ( -+ kib = 1024 -+ mib = 1024 * kib -+ jsonLimit = 20 * mib -+) -+ - func onUntarJSON(r io.Reader, j interface{}) error { -- b, err := ioutil.ReadAll(r) -- if err != nil { -- return err -- } -- return json.Unmarshal(b, j) -+ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j) - } - - func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) { diff --git a/SPECS/moby-engine/CVE-2024-23651.patch b/SPECS/moby-engine/CVE-2024-23651.patch index 7d8cd8d3545..e7a63b92acc 100644 --- a/SPECS/moby-engine/CVE-2024-23651.patch +++ b/SPECS/moby-engine/CVE-2024-23651.patch @@ -1,5 +1,17 @@ +From 05ff7ed16b1f782a0312f07578ab778e2003e140 Mon Sep 17 00:00:00 2001 +From: Muhammad Falak R Wani +Date: Tue, 26 Mar 2024 10:19:10 +0530 +Subject: [PATCH 1/2] CVE-2024-23651 + +Signed-off-by: Muhammad Falak R Wani +--- + .../moby/buildkit/executor/oci/spec.go | 74 ++++++++++++++++--- + .../buildkit/executor/oci/spec_windows.go | 11 +++ + .../moby/buildkit/snapshot/localmounter.go | 35 ++++++--- + 3 files changed, 100 insertions(+), 20 deletions(-) + 
diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec.go b/vendor/github.com/moby/buildkit/executor/oci/spec.go -index 8000310..0eb5d49 100644 +index 94b48a7..774bbc1 100644 --- a/vendor/github.com/moby/buildkit/executor/oci/spec.go +++ b/vendor/github.com/moby/buildkit/executor/oci/spec.go @@ -2,7 +2,9 @@ package oci @@ -9,10 +21,10 @@ index 8000310..0eb5d49 100644 + "os" "path" + "strconv" + "path/filepath" + "strings" "sync" - - "github.com/containerd/containerd/containers" -@@ -18,6 +20,7 @@ import ( +@@ -21,6 +23,7 @@ import ( specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" @@ -20,7 +32,7 @@ index 8000310..0eb5d49 100644 ) // ProcessMode configures PID namespaces -@@ -145,6 +148,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou +@@ -198,6 +201,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou type mountRef struct { mount mount.Mount unmount func() error @@ -28,7 +40,7 @@ index 8000310..0eb5d49 100644 } type submounts struct { -@@ -163,10 +167,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) +@@ -216,10 +220,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) return mount.Mount{}, nil } if mr, ok := s.m[h]; ok { @@ -47,7 +59,7 @@ index 8000310..0eb5d49 100644 return sm, nil } -@@ -191,12 +202,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) +@@ -244,12 +255,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) Options: opts, }, unmount: lm.Unmount, @@ -66,7 +78,7 @@ index 8000310..0eb5d49 100644 return sm, nil } -@@ -206,6 +222,9 @@ func (s *submounts) cleanup() { +@@ -259,6 +275,9 @@ func (s *submounts) cleanup() { for _, m := range s.m { func(m mountRef) { go func() { 
@@ -76,7 +88,7 @@ index 8000310..0eb5d49 100644 m.unmount() wg.Done() }() -@@ -214,15 +233,6 @@ func (s *submounts) cleanup() { +@@ -267,15 +286,6 @@ func (s *submounts) cleanup() { wg.Wait() } @@ -92,7 +104,7 @@ index 8000310..0eb5d49 100644 func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping { var ids []specs.LinuxIDMapping for _, item := range s { -@@ -234,3 +244,45 @@ func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping { +@@ -287,3 +297,45 @@ func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping { } return ids } @@ -139,7 +151,7 @@ index 8000310..0eb5d49 100644 + } +} diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go -index 18f0019..d619a64 100644 +index 48b0969..757bd39 100644 --- a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go +++ b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go @@ -4,7 +4,9 @@ @@ -152,9 +164,9 @@ index 18f0019..d619a64 100644 "github.com/docker/docker/pkg/idtools" "github.com/moby/buildkit/solver/pb" "github.com/pkg/errors" -@@ -36,3 +38,12 @@ func generateIDmapOpts(idmap *idtools.IdentityMapping) ([]oci.SpecOpts, error) { +@@ -43,3 +45,12 @@ func generateRlimitOpts(ulimits []*pb.Ulimit) ([]oci.SpecOpts, error) { } - return nil, errors.New("no support for IdentityMapping on Windows") + return nil, errors.New("no support for POSIXRlimit on Windows") } + +func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) { @@ -218,3 +230,6 @@ index 9ddb7c1..304eebc 100644 + lm.forceRemount = true + } } +-- +2.40.1 + diff --git a/SPECS/moby-engine/CVE-2024-23652.patch b/SPECS/moby-engine/CVE-2024-23652.patch index b7d9a830a06..8f69f3f3f3a 100644 --- a/SPECS/moby-engine/CVE-2024-23652.patch +++ b/SPECS/moby-engine/CVE-2024-23652.patch 
@@ -1,3 +1,13 @@ +From b1bf52c80fb837175a6b9fe2efa61144cafc1739 Mon Sep 17 00:00:00 2001 +From: Muhammad Falak R Wani +Date: Wed, 27 Mar 2024 12:51:41 +0530 +Subject: [PATCH 2/2] CVE-2024-23652 + +Signed-off-by: Muhammad Falak R Wani +--- + vendor/github.com/moby/buildkit/executor/stubs.go | 11 +++++++++++ + 1 file changed, 11 insertions(+) + diff --git a/vendor/github.com/moby/buildkit/executor/stubs.go b/vendor/github.com/moby/buildkit/executor/stubs.go index 2c13b13..db56236 100644 --- a/vendor/github.com/moby/buildkit/executor/stubs.go @@ -34,3 +44,6 @@ index 2c13b13..db56236 100644 os.Remove(p) } } +-- +2.40.1 + diff --git a/SPECS/moby-engine/daemon.json b/SPECS/moby-engine/daemon.json new file mode 100644 index 00000000000..479bbf7596a --- /dev/null +++ b/SPECS/moby-engine/daemon.json @@ -0,0 +1,3 @@ +{ + "userland-proxy-path": "/usr/libexec/docker-proxy" +} diff --git a/SPECS/moby-engine/moby-engine.signatures.json b/SPECS/moby-engine/moby-engine.signatures.json index 075574bd5d6..b8783fe615d 100644 --- a/SPECS/moby-engine/moby-engine.signatures.json +++ b/SPECS/moby-engine/moby-engine.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { + "daemon.json": "532f2e930400baed129ed953b9ba0d5158fc443aecbff6f6513f58565696db5c", "docker.service": "b150b3ce0947a65c655ed09dfe4e48b7464c60542f9f9902330288bbf87af38e", "docker.socket": "51a06786cae46bc63b7314c25d0bd5bb2e676120d80874b99e35bf60d0b0ffa8", - "moby-engine-20.10.27.tar.gz": "e007811da7705f767ffb0b9a97ef04ec6a18f295c3b43cc595bd07443ddd2ba9", - "moby-libnetwork-20.10.27.tar.gz": "523bc0bbeb1651da3c236567843f524bbd162507f4445766da40aade7c37222a" + "moby-engine-23.0.10.tar.gz": "f4cfc4b57117b162373b0688da31dc6d65e25f714327cc3596112f56cc138288" } } \ No newline at end of file diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 68b86176c76..c1b8c1e2807 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec 
@@ -1,10 +1,9 @@ -%define upstream_name moby -%define commit_hash 5df983c7dbe2f8914e6efd4dd6e0083a20c41ce1 +%define commit_hash 548f37a132d9c0be7c066af1b314f856c9935a1c Summary: The open-source application container engine -Name: %{upstream_name}-engine -Version: 20.10.27 -Release: 4%{?dist} +Name: moby-engine +Version: 23.0.10 +Release: 1%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -12,21 +11,15 @@ Vendor: Microsoft Corporation Distribution: Mariner Source0: https://github.com/moby/moby/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -# docker-proxy binary comes from libnetwork -# - The libnetwork version (more accurately commit hash) -# that moby relies on is hard coded in -# "hack/dockerfile/install/proxy.installer" (in moby github repo above) -Source1: https://github.com/moby/libnetwork/archive/master.tar.gz/#/%{upstream_name}-libnetwork-%{version}.tar.gz -Source3: docker.service -Source4: docker.socket -Patch0: CVE-2023-25153.patch -Patch1: CVE-2022-21698.patch +Source1: docker.service +Source2: docker.socket +Source3: daemon.json # Backport of vendored "buildkit" v0.12.5 https://github.com/moby/buildkit/pull/4604 to 0.8.4-0.20221020190723-eeb7b65ab7d6 in this package. # Remove once we upgrade this package at least to version 25.0+. -Patch2: CVE-2024-23651.patch +Patch1: CVE-2024-23651.patch # Backport of vendored "buildkit" v0.12.5 https://github.com/moby/buildkit/pull/4603 to 0.8.4-0.20221020190723-eeb7b65ab7d6 in this package. # Remove once we upgrade this package at least to version 25.0+. -Patch3: CVE-2024-23652.patch +Patch2: CVE-2024-23652.patch %{?systemd_requires} 
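Review bot: The comment kept as context above `Patch1: CVE-2024-23651.patch` still says the backport targets buildkit `0.8.4-0.20221020190723-eeb7b65ab7d6 in this package`, yet the same commit re-indexes that patch (its `index` line moves from `8000310..0eb5d49` to `94b48a7..774bbc1`), which suggests 23.0.10 vendors a different buildkit; update both backport comments to the version actually vendored, or state explicitly that it is unchanged. `Patch0: CVE-2023-25153.patch` and `Patch1: CVE-2022-21698.patch` are removed with only "Drop un-needed patches" in the changelog; naming the vendored containerd and prometheus/client_golang versions that carry those fixes would make the drop verifiable. `Distribution: Mariner` stays here while moby-cli.spec in the same commit switches to `Distribution: Azure Linux`; the two specs should agree.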
@@ -74,14 +67,10 @@ Moby is an open-source project created by Docker to enable and accelerate softwa %define OUR_GOPATH %{_topdir}/.gopath %prep -%autosetup -p1 -n %{upstream_name}-%{version} - -tar xf %{SOURCE1} --no-same-owner +%autosetup -p1 -n moby-%{version} mkdir -p %{OUR_GOPATH}/src/github.com/docker -LIBNETWORK_FOLDER=$(find -type d -name "libnetwork-*") -ln -sfT %{_builddir}/%{upstream_name}-%{version}/${LIBNETWORK_FOLDER} %{OUR_GOPATH}/src/github.com/docker/libnetwork -ln -sfT %{_builddir}/%{upstream_name}-%{version} %{OUR_GOPATH}/src/github.com/docker/docker +ln -sfT %{_builddir}/moby-%{version} %{OUR_GOPATH}/src/github.com/docker/docker %build export GOPATH=%{OUR_GOPATH} 
@@ -91,33 +80,29 @@ export GO111MODULE=off export GOGC=off export VERSION=%{version} -# build docker daemon GIT_COMMIT=%{commit_hash} -GIT_COMMIT_SHORT=${GIT_COMMIT:0:7} -DOCKER_GITCOMMIT=${GIT_COMMIT_SHORT} DOCKER_BUILDTAGS='apparmor seccomp' hack/make.sh dynbinary - -# build docker proxy -go build \ - -o libnetwork/docker-proxy \ - github.com/docker/libnetwork/cmd/proxy +DOCKER_GITCOMMIT=${GIT_COMMIT:0:7} DOCKER_BUILDTAGS='apparmor seccomp' hack/make.sh dynbinary %install -mkdir -p %{buildroot}/%{_bindir} -cp -aLT ./bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd -cp -aT libnetwork/docker-proxy %{buildroot}/%{_bindir}/docker-proxy +mkdir -p %{buildroot}%{_bindir} +install -p -m 755 ./bundles/dynbinary-daemon/dockerd %{buildroot}%{_bindir}/dockerd + +mkdir -p %{buildroot}%{_libexecdir} +install -p -m 755 ./bundles/dynbinary-daemon/docker-proxy %{buildroot}%{_libexecdir}/docker-proxy -# install udev rules -mkdir -p %{buildroot}/%{_sysconfdir}/udev/rules.d -install -p -m 644 contrib/udev/80-docker.rules %{buildroot}/%{_sysconfdir}/udev/rules.d/80-docker.rules +mkdir -p %{buildroot}%{_sysconfdir}/udev/rules.d +install -p -m 644 contrib/udev/80-docker.rules %{buildroot}%{_sysconfdir}/udev/rules.d/80-docker.rules -# add init scripts -mkdir -p %{buildroot}/%{_unitdir} -install -p -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}/docker.service -install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir}/docker.socket +mkdir -p %{buildroot}%{_unitdir} +install -p -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/docker.service +install -p -m 644 %{SOURCE2} %{buildroot}%{_unitdir}/docker.socket + +mkdir -p -m 755 %{buildroot}%{_sysconfdir}/docker +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/docker/daemon.json %post if ! grep -q "^docker:" /etc/group; then - groupadd --system docker + groupadd --system docker fi %preun 
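Review bot: `install -p -m 755 ./bundles/dynbinary-daemon/docker-proxy %{buildroot}%{_libexecdir}/docker-proxy` places the proxy under the `%{_libexecdir}` macro, while the daemon.json added in this commit hardcodes `"userland-proxy-path": "/usr/libexec/docker-proxy"`; the two only agree while the macro expands to `/usr/libexec`, and if they ever diverge dockerd would presumably fail to locate its proxy when publishing ports. Either derive the path from the macro during `%install` (for example `sed "s|/usr/libexec|%{_libexecdir}|" %{SOURCE3} > %{buildroot}%{_sysconfdir}/docker/daemon.json`) or add a comment on the install line that daemon.json must be kept in sync with it.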
@@ -129,11 +114,21 @@ fi # list files owned by the package here %files %license LICENSE NOTICE -%{_bindir}/* +%{_bindir}/dockerd +%{_libexecdir}/docker-proxy +%dir %{_sysconfdir}/docker +%config(noreplace) %{_sysconfdir}/docker/daemon.json %{_sysconfdir}/* %{_unitdir}/* %changelog +* Mon Mar 25 2024 Muhammad Falak - 23.0.10-1 +- Bump version to 23.X +- Drop un-needed patches +- Remove docker-proxy as it's no longer used (2050e085f95bb796e9ff3a325b9985e319c193cf) +- Add the in-tree version of docker proxy built from cmd/docker-proxy into /usr/libexec +- Set userland-proxy-path explicitly by introducing /etc/docker/daemon.json + * Mon Feb 12 2024 Muhammad Falak - 20.10.27-4 - Bump release to rebuild with go 1.21.6 diff --git a/cgmanifest.json b/cgmanifest.json index 7f5c9623b0a..8c0ea3ea82c 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13363,8 +13363,8 @@ "type": "other", "other": { "name": "moby-cli", - "version": "20.10.27", - "downloadUrl": "https://github.com/docker/cli/archive/v20.10.27.tar.gz" + "version": "23.0.10", + "downloadUrl": "https://github.com/docker/cli/archive/v23.0.10.tar.gz" } } }, @@ -13403,8 +13403,8 @@ "type": "other", "other": { "name": "moby-engine", - "version": "20.10.27", - "downloadUrl": "https://github.com/moby/moby/archive/v20.10.27.tar.gz" + "version": "23.0.10", + "downloadUrl": "https://github.com/moby/moby/archive/v23.0.10.tar.gz" } } },
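Review bot: The `%{_sysconfdir}/*` glob retained below the new `%dir %{_sysconfdir}/docker` and `%config(noreplace) %{_sysconfdir}/docker/daemon.json` entries matches those same paths a second time; rpmbuild reports such paths as listed twice, and I am not certain which entry's attributes win, so the `%config(noreplace)` protection on daemon.json cannot be relied on, and losing it would mean a package upgrade silently overwrites a locally hardened daemon configuration. Replace the glob with the explicit file the `%install` section puts there, `%{_sysconfdir}/udev/rules.d/80-docker.rules`, and keep the two explicit docker entries. Narrowing `%{_bindir}/*` to `%{_bindir}/dockerd` in this hunk is the same explicit-listing style and is the right direction.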