Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v0.11] Backport CVE-2024-23653 #4638

Closed
wants to merge 2 commits into from
Closed

[v0.11] Backport CVE-2024-23653 #4638

wants to merge 2 commits into from

Conversation

dcermak
Copy link

@dcermak dcermak commented Feb 12, 2024

This is a backport of #4602 to v0.11

@tonistiigi @dcermak
gateway: pass executor with build and not access worker directly
104dc5f 
Running interactive container APIs was done by giving
the gateway implementation access to worker controller
directly, but it should be passed with a build job instead.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 0971dffaab93d91e51af984b44c745b35b3c5b4d)
(cherry picked from commit 0c5daa2)
@tonistiigi @dcermak
llbsolver: make sure interactive container API validates entitlements
35615b9 
Ensure interactive calls validate same conditions that
the build requests do. Refactor of the build side is to ensure
we use the same validation function for both cases. There
was no validation issue with the LLB validation.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit d1970522d7145be5f4a1f1a028b1910bb527126c)
(cherry picked from commit 65c3c9c)
@AkihiroSuda AkihiroSuda changed the title Backport CVE-2024-23653 [v0.11] Backport CVE-2024-23653 Feb 12, 2024
dcermak added a commit to SUSE/docker that referenced this pull request Mar 6, 2024
@dcermak
Vendor in latest buildkit v0.11 branch including CVE patches:
6608550 
- moby/buildkit#4638
- moby/buildkit#4639
- moby/buildkit#4640

additionally change the version in builder/builder-next/worker/worker.go
and
adjust calls to NewGatewayFrontend() in builder/builder-next (Worker is no
longer implementing the correct interface)
This was referenced Mar 20, 2024
Closed
Closed
@thompson-shaun
Copy link
Collaborator

Once a new feature release is cut, no support is offered for the previous feature release. An exception might be if a security release suddenly appears very soon after a new feature release. There are no LTS releases. If you need a different support cycle, consider using a product that includes BuildKit, (eg. Docker) instead.

https://github.com/moby/buildkit/blob/master/PROJECT.md#feature-releases

cyphar pushed a commit to cyphar/docker that referenced this pull request Jun 24, 2024
@dcermak @cyphar
cve-2024-23653: update buildkit to include CVE patches:
8117cb0 
- moby/buildkit#4638
- moby/buildkit#4639
- moby/buildkit#4640

additionally change the version in builder/builder-next/worker/worker.go
and adjust calls to NewGatewayFrontend() in builder/builder-next (Worker
is no longer implementing the correct interface).

Signed-off-by: Dan Čermák <dcermak@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dcermak @thompson-shaun @tonistiigi