Update hcsshim to v0.6.10 #36985

Merged
merged 1 commit into from May 3, 2018

Contributor

@darstahl darstahl commented May 2, 2018

- What I did

Update hcsshim to v0.6.10 which includes security fixes to address CVE-2018-8115

- Description for the changelog

Security: Change to address CVE-2018-8115

(Addition by @jhowardmsft): Replaces #36938 which vendored v0.6.9. Hence also: Fixes docker/for-win#1947. Fixes #36919 where files are in certain circumstances omitted from layers on commit during a build step on Windows. See microsoft/hcsshim#165 for more detail.

@carlfischer1 Both fixes should probably be backported.

Signed-off-by: Darren Stahl <darst@microsoft.com>
Contributor Author

darstahl commented May 2, 2018

This change only affects code that compiles on Windows so the other CI failures can be ignored. I'll restart them anyway, but they shouldn't matter.

This has also been tested by Docker Inc and Microsoft internally.

Member

@lowenna lowenna left a comment

LGTM. @johnstep PTAL

Member

@thaJeztah thaJeztah left a comment

The previous PR (#36938) did not have a test case, will that be included as part of this one?

Member

lowenna commented May 3, 2018

@thaJeztah TL;DR No.

This is already in EE. Others are free to add test cases if they have time. Resources are limited. This fixes a CVE plus a reported bug, both of which have been verified by both MS and Docker Inc independently. If there needs to be a follow-up PR for tests, that should not block this PR.

Member

lowenna commented May 3, 2018

@carlfischer1 FYI


codecov bot commented May 3, 2018

Codecov Report

❗ No coverage uploaded for pull request base (master@51a9119).
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master   #36985   +/-   ##
=========================================
  Coverage          ?   35.38%           
=========================================
  Files             ?      614           
  Lines             ?    45736           
  Branches          ?        0           
=========================================
  Hits              ?    16183           
  Misses            ?    27414           
  Partials          ?     2139

Member

@johnstep johnstep left a comment

LGTM

I found and fixed a separate bug (see microsoft/hcsshim#169) and also wrote an integration test that covers that issue, plus checks that $Recycle.Bin is not committed, and that files are not missing. After this PR is merged, I will vendor hcsshim v0.6.11 into my test branch and open a moby PR.

Member

@thaJeztah thaJeztah left a comment

lgtm

@thaJeztah thaJeztah merged commit e890301 into moby:master May 3, 2018

mback2k commented May 7, 2018

Could we please also get a new preview version (like 17.10.0-ee-preview-3) with these bugfixes? I have to spend hours building docker images locally and uploading them to my Windows Server 1709. Waiting for more than 1 hour between each test run due to slow build and upload time locally is very annoying. It would be very appreciated.


mback2k commented Jun 28, 2018

@thaJeztah Could you please tell us if the new release of "18.03.1-ee-1 (2018-06-27)" includes hcsshim v0.6.11 or at least v0.6.10?

@thaJeztah
Member

@mback2k yes; all current versions of Docker (EE, CE) have the fix in place

Successfully merging this pull request may close these issues.

- Docker for Windows does not persist some files
- Layers go missing between RUN statements