chore(deps): update module github.com/moby/buildkit to v0.28.1 [security] - autoclosed#28411
Closed
renovate[bot] wants to merge 1 commit into
Closed
chore(deps): update module github.com/moby/buildkit to v0.28.1 [security] - autoclosed#28411renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
…ity] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
Bot
added
dependencies
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
Bot
changed the title
renovate
Bot
deleted the
renovate/go-github.com-moby-buildkit-vulnerability
branch
|
Was there a reason this was closed without being merged? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.28.0→v0.28.1GitHub Vulnerability Alerts
CVE-2026-33747
Impact
When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.
Patches
The issue has been fixed in v0.28.1+
Workarounds
Issue requires using an untrusted BuildKit frontend set with
#syntaxor--build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image likedocker/dockerfileis not affected.CVE-2026-33748
Impact
Insufficient validation of Git URL fragment subdir components (
<url>#<ref>:<subdir>, docs) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.Patches
The issue has been fixed in version v0.28.1
Workarounds
The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Release Notes
moby/buildkit (github.com/moby/buildkit)
v0.28.1Compare Source
Welcome to the v0.28.1 release of buildkit!
Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.
Contributors
Notable Changes
#ref:subdirfragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg.dockerignorepatterns duringCOPY. #6610 moby/patternmatcher#9Dependency Changes
Previous release can be found at v0.28.0
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.