fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security] #2906
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
deleted the
renovate/go-github.com/docker/docker-vulnerability
branch
renovate bot
added a commit
to NorkzYT/Wolflith
that referenced
this pull request
Apr 30, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [amir20/dozzle](https://togithub.com/amir20/dozzle) | patch | `v6.5.1` -> `v6.5.2` | --- ### Release Notes <details> <summary>amir20/dozzle (amir20/dozzle)</summary> ### [`v6.5.2`](https://togithub.com/amir20/dozzle/releases/tag/v6.5.2) [Compare Source](https://togithub.com/amir20/dozzle/compare/v6.5.1...v6.5.2) ##### 🚀 Features - Add Turkish language support - by [@​amir20](https://togithub.com/amir20) and **hasanbeder** in [amir20/dozzle#2912 [<samp>(588cd)</samp>](https://togithub.com/amir20/dozzle/commit/588cd604) ##### 🐞 Bug Fixes - **deps**: - Update module github.com/docker/docker to v26.0.2+incompatible \[security] - by [@​renovate](https://togithub.com/renovate)\[bot] in[amir20/dozzle#2906 [<samp>(b5b86)</samp>](https://togithub.com/amir20/dozzle/commit/b5b8650c) - Update all non-major dependencies - by [@​renovate](https://togithub.com/renovate)\[bot] in[amir20/dozzle#2911 [<samp>(c49b7)</samp>](https://togithub.com/amir20/dozzle/commit/c49b761f) ##### [View changes on GitHub](https://togithub.com/amir20/dozzle/compare/v6.5.1...v6.5.2) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 10pm every weekday,every weekend,before 5am every weekday" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/NorkzYT/Wolflith). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoic3RhZ2luZyIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJtaW5vciIsInJlbm92YXRlIl19--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v26.0.1+incompatible->v26.0.2+incompatibleGitHub Vulnerability Alerts
CVE-2024-32473
In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where
--ipv6=false.Impact
A container with an
ipvlanormacvlaninterface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.
A container with an unexpected IPv6 address can do anything a container configured with an IPv6 address can do. That is, listen for connections on its IPv6 address, open connections to other nodes on the network over IPv6, or attempt a DoS attack by flooding packets from its IPv6 address. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L (2.7).
Because the container may not be constrained by an IPv6 firewall, there is increased potential for data exfiltration from the container. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (4.7).
A remote attacker could send malicious Router Advertisements to divert traffic to itself, a black-hole, or another device. The same attack is possible today for IPv4 macvlan/ipvlan endpoints with ARP spoofing, TLS is commonly used by Internet APIs to mitigate this risk. The presence of an IPv6 route could impact the container's availability by indirectly abusing the behaviour of software which behaves poorly in a dual-stack environment. For example, it could resolve a name to a DNS AAAA record and keep trying to connect over IPv6 without ever falling back to IPv4, potentially denying service to the container. This has CVSS score AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.5).
Patches
The issue is patched in 26.0.2.
Workarounds
To completely disable IPv6 in a container, use
--sysctl=net.ipv6.conf.all.disable_ipv6=1in thedocker createordocker runcommand. Or, in the service configuration of acomposefile, the equivalent:References
docker run:docker compose:Release Notes
docker/docker (github.com/docker/docker)
v26.0.2+incompatibleCompare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.