- `c48da13` http2: fix TestServerContinuationFlood flakes
- `762b58d` http2: fix typos in comment
- `ba87210` http2: close connections when receiving too many headers
- `ebc8168` all: fix some typos
- `3678185` http2: make TestCanonicalHeaderCacheGrowth faster
- `448c44f` http2: remove clientTester
- `c7877ac` http2: convert the remaining clientTester tests to testClientConn
- `d8870b0` http2: use synthetic time in TestIdleConnTimeout
- `d73acff` http2: only set up deadline when Server.IdleTimeout is positive
- `89f602b` http2: validate client/outgoing trailers

Sourced from github.com/docker/docker's releases.
v24.0.9

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release contains security fixes for the following CVEs affecting Docker Engine and its components.

| CVE | Component | Fix version | Severity |
| --- | --- | --- | --- |
| CVE-2024-21626 | runc | 1.1.12 | High, CVSS 8.6 |
| CVE-2024-24557 | Docker Engine | 24.0.9 | Medium, CVSS 6.9 |

Important ⚠️

Note that this release of Docker Engine doesn't include fixes for the following known vulnerabilities in BuildKit:

- CVE-2024-23651
- CVE-2024-23652
- CVE-2024-23653
- CVE-2024-23650

To address these vulnerabilities, upgrade to Docker Engine v25.0.2.

For more information about the security issues addressed in this release, and the unaddressed vulnerabilities in BuildKit, refer to the blog post. For details about each vulnerability, see the relevant security advisory:

- CVE-2024-21626
- CVE-2024-24557

Packaging updates

- Upgrade runc to v1.1.12. moby/moby#47269
- Upgrade containerd to v1.7.13 (static binaries only). moby/moby#47280
v24.0.8

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

- Live restore: Containers with auto remove (`docker run --rm`) are no longer forcibly removed on engine restart. moby/moby#46857

... (truncated)
- `fca702d` Merge pull request from GHSA-xw73-rw38-6vjc
- `f78a772` Merge pull request #47281 from thaJeztah/24.0_backport_bump_containerd_binary...
- `61afffe` Merge pull request #47270 from thaJeztah/24.0_backport_bump_runc_binary_1.1.12
- `b38e74c` Merge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12
- `dac5663` update containerd binary to v1.7.13
- `20e1af3` vendor: github.com/opencontainers/runc v1.1.12
- `858919d` update runc binary to v1.1.12
- `141ad39` Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24
- `db968c6` hack/make.ps1: Fix go list pattern
- `61c51fb` Merge pull request #47221 from vvoland/pkg-pools-close-noop-24

- `9d2ee97` ssh: implement strict KEX protocol changes
- `4e5a261` ssh: close net.Conn on all NewServerConn errors
- `152cdb1` x509roots/fallback: update bundle
- `fdfe1f8` ssh: defer channel window adjustment
- `b8ffc16` blake2b: drop Go 1.6, Go 1.8 compatibility
- `7e6fbd8` ssh: wrap errors from client handshake
- `bda2f3f` argon2: avoid clobbering BP
- `325b735` ssh/test: skip TestSSHCLIAuth on Windows
- `1eadac5` go.mod: update golang.org/x dependencies
- `b2d7c26` ssh: add (*Client).DialContext method

Sourced from github.com/docker/docker's releases.
v24.0.7

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

- Write overlay2 layer metadata atomically. moby/moby#46703
- Fix "Rootful-in-Rootless" Docker-in-Docker on systemd version 250 and later. moby/moby#46626
- Fix `dockerd-rootless-setuptools.sh` when the username contains a backslash. moby/moby#46407
- Fix a bug that would prevent network sandboxes from being fully deleted when stopping containers with no network attachments and when `dockerd --bridge=none` is used. moby/moby#46702
- Fix a bug where cancelling an API request could interrupt container restart. moby/moby#46697
- Fix an issue where containers would fail to start when providing `--ip-range` with a range larger than the subnet. docker/for-mac#6870
- Fix data corruption with zstd output. moby/moby#46709
- Fix the conditions under which the container's MAC address is applied. moby/moby#46478
- Improve the performance of the stats collector. moby/moby#46448
- Fix an issue with source policy rules ending up in the wrong order. moby/moby#46441

Packaging updates

- Add support for Fedora 39 and Ubuntu 23.10. docker/docker-ce-packaging#940, docker/docker-ce-packaging#955
- Fix `docker.socket` not getting disabled when uninstalling the `docker-ce` RPM package. docker/docker-ce-packaging#852
- Upgrade Go to `go1.20.10`. docker/docker-ce-packaging#951
- Upgrade containerd to `v1.7.6` (static binaries only). moby/moby#46103
- Upgrade the `containerd.io` package to `v1.6.24`.

Security

- Deny containers access to `/sys/devices/virtual/powercap` by default. This change hardens against CVE-2020-8694, CVE-2020-8695, and CVE-2020-12912, and an attack known as the PLATYPUS attack. For more details, see advisory, commit.

v24.0.6
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

- containerd storage backend: Fix `docker ps` failing when a container image is no longer present in the content store. moby/moby#46095
- containerd storage backend: Fix `docker ps -s -a` and `docker container prune` failing when a container image config is no longer present in the content store. moby/moby#46097
- containerd storage backend: Fix `docker inspect` failing when a container image config is no longer (or was never) present in the content store. moby/moby#46244
- containerd storage backend: Fix diff and export with the `overlayfs` snapshotter by using reference-counted rootfs mounts. moby/moby#46266
- containerd storage backend: Fix a misleading error message when the image platforms available locally do not match the desired platform. moby/moby#46300
- containerd storage backend: Fix the `FROM scratch` Dockerfile instruction with the classic builder. moby/moby#46302
- containerd storage backend: Fix `mismatched image rootfs and manifest layers` errors with the classic builder. moby/moby#46310

... (truncated)
- `311b9ff` Merge pull request #46697 from thaJeztah/24.0_backport_restart_nocancel
- `af60804` Merge pull request from GHSA-jq35-85cj-fj4p
- `3cf363e` Merge pull request #46709 from thaJeztah/24.0_backport_bump_compress
- `05d7386` daemon: daemon.containerRestart: don't cancel restart on context cancel
- `649c944` Merge pull request #46703 from thaJeztah/24.0_backport_atomic-layer-data-write
- `9b20b1a` Merge pull request #46702 from thaJeztah/24.0_backport_releaseNetwork_Network...
- `dd37b0b` vendor: github.com/klauspost/compress v1.17.2
- `7058c0d` vendor: github.com/klauspost/compress v1.16.5
- `57bd388` daemon: overlay2: Write layer metadata atomically
- `05d95fd` daemon: release sandbox even when NetworkDisabled

- `b225e7c` http2: limit maximum handler goroutines to MaxConcurrentStreams
- `88194ad` go.mod: update golang.org/x dependencies
- `2b60a61` quic: fix several bugs in flow control accounting
- `73d82ef` quic: handle DATA_BLOCKED frames
- `5d5a036` quic: handle streams moving from the data queue to the meta queue
- `350aad2` quic: correctly extend peer's flow control window after MAX_DATA
- `21814e7` quic: validate connection id transport parameters
- `a600b35` quic: avoid redundant MAX_DATA updates
- `ea63359` http2: check stream body is present on read timeout
- `ddd8598` quic: version negotiation