Update hcsshim to v0.6.10 #36985

Merged
merged 1 commit into from May 3, 2018

6 participants
@darstahl
Contributor

darstahl commented May 2, 2018

- What I did

Update hcsshim to v0.6.10 which includes security fixes to address CVE-2018-8115

- Description for the changelog

Security: Change to address CVE-2018-8115

(Addition by @jhowardmsft): Replaces #36938 which vendored v0.6.9. Hence also: Fixes docker/for-win#1947. Fixes #36919 where files are in certain circumstances omitted from layers on commit during a build step on Windows. See Microsoft/hcsshim#165 for more detail.

@carlfischer1 Both fixes should probably be backported.

Update hcsshim to v0.6.10
Signed-off-by: Darren Stahl <darst@microsoft.com>
@darstahl

Contributor

darstahl commented May 2, 2018

This change only affects code that compiles on Windows so the other CI failures can be ignored. I'll restart them anyway, but they shouldn't matter.

This has also been tested by Docker Inc and Microsoft internally.

@jhowardmsft

LGTM. @johnstep PTAL

@thaJeztah

The previous PR (#36938) did not have a test case, will that be included as part of this one?

@jhowardmsft

Contributor

jhowardmsft commented May 3, 2018

@thaJeztah TL;DR No.

This is already in EE. Others are free to add test cases if they have time. Resources are limited. This fixes a CVE plus a reported bug, both of which have been verified by both MS and Docker Inc independently. If there needs to be a follow-up PR for tests, that should not block this PR.

@jhowardmsft

Contributor

jhowardmsft commented May 3, 2018

@codecov

codecov bot commented May 3, 2018

Codecov Report

❗️ No coverage uploaded for pull request base (master@51a9119). Click here to learn what that means.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master   #36985   +/-   ##
=========================================
  Coverage          ?   35.38%           
=========================================
  Files             ?      614           
  Lines             ?    45736           
  Branches          ?        0           
=========================================
  Hits              ?    16183           
  Misses            ?    27414           
  Partials          ?     2139
@johnstep

johnstep approved these changes May 3, 2018 edited

LGTM

I found and fixed a separate bug (see Microsoft/hcsshim#169) and also wrote an integration test that covers that issue, plus checks that $Recycle.Bin is not committed, and that files are not missing. After this PR is merged, I will vendor hcsshim v0.6.11 into my test branch and open a moby PR.

@thaJeztah

lgtm

@thaJeztah thaJeztah merged commit e890301 into moby:master May 3, 2018

9 checks passed

codecov/patch: Coverage not affected.
codecov/project: No report found to compare against
dco-signed: All commits are signed
experimental: Jenkins build Docker-PRs-experimental 40492 has succeeded
janky: Jenkins build Docker-PRs 49232 has succeeded
powerpc: Jenkins build Docker-PRs-powerpc 9668 has succeeded
vendor: Jenkins build Docker-PRs-vendor 4231 has succeeded
windowsRS1: Jenkins build Docker-PRs-WoW-RS1 20628 has succeeded
z: Jenkins build Docker-PRs-s390x 9589 has succeeded

@mback2k

mback2k commented May 7, 2018

Could we please also get a new preview version (like 17.10.0-ee-preview-3) with these bugfixes? I have to spend hours building docker images locally and uploading them to my Windows Server 1709. Waiting for more than 1 hour between each test run due to slow build and upload time locally is very annoying. It would be very appreciated.

@darstahl darstahl deleted the darstahl:revendorHcsshim branch May 9, 2018

@mback2k

mback2k commented Jun 28, 2018

@thaJeztah Could you please tell us if the new release of "18.03.1-ee-1 (2018-06-27)" includes hcsshim v0.6.11 or at least v0.6.10?

@thaJeztah

Member

thaJeztah commented Jun 28, 2018

@mback2k yes; all current versions of Docker (EE, CE) have the fix in place
