Update hcsshim to v0.6.10 #36985

Merged
merged 1 commit into from May 3, 2018

@darstahl darstahl commented May 2, 2018

- What I did

Update hcsshim to v0.6.10 which includes security fixes to address CVE-2018-8115

- Description for the changelog

Security: Change to address CVE-2018-8115

(Addition by @jhowardmsft): Replaces #36938 which vendored v0.6.9. Hence also: Fixes docker/for-win#1947. Fixes #36919 where files are in certain circumstances omitted from layers on commit during a build step on Windows. See microsoft/hcsshim#165 for more detail.

@carlfischer1 Both fixes should probably be backported.

Signed-off-by: Darren Stahl <darst@microsoft.com>

@darstahl darstahl commented May 2, 2018

This change only affects code that compiles on Windows so the other CI failures can be ignored. I'll restart them anyway, but they shouldn't matter.

This has also been tested by Docker Inc and Microsoft internally.

lowenna approved these changes May 3, 2018

@lowenna lowenna left a comment

LGTM. @johnstep PTAL

@thaJeztah thaJeztah left a comment

The previous PR (#36938) did not have a test case, will that be included as part of this one?

@lowenna lowenna commented May 3, 2018

@thaJeztah TL;DR No.

This is already in EE. Others are free to add test cases if they have time. Resources are limited. This fixes a CVE plus a reported bug, both of which have been verified by both MS and Docker Inc independently. If there needs to be a follow-up PR for tests, that should not block this PR.

@codecov codecov bot commented May 3, 2018

Codecov Report

No coverage uploaded for pull request base (master@51a9119).
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master   #36985   +/-   ##
=========================================
  Coverage          ?   35.38%           
=========================================
  Files             ?      614           
  Lines             ?    45736           
  Branches          ?        0           
=========================================
  Hits              ?    16183           
  Misses            ?    27414           
  Partials          ?     2139

@johnstep johnstep left a comment

LGTM

I found and fixed a separate bug (see microsoft/hcsshim#169) and also wrote an integration test that covers that issue, plus checks that $Recycle.Bin is not committed, and that files are not missing. After this PR is merged, I will vendor hcsshim v0.6.11 into my test branch and open a moby PR.

@thaJeztah thaJeztah left a comment

lgtm

@thaJeztah thaJeztah merged commit e890301 into moby:master May 3, 2018
9 checks passed
codecov/patch Coverage not affected.
codecov/project No report found to compare against
dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 40492 has succeeded
janky Jenkins build Docker-PRs 49232 has succeeded
powerpc Jenkins build Docker-PRs-powerpc 9668 has succeeded
vendor Jenkins build Docker-PRs-vendor 4231 has succeeded
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 20628 has succeeded
z Jenkins build Docker-PRs-s390x 9589 has succeeded

@mback2k mback2k commented May 7, 2018

Could we please also get a new preview version (like 17.10.0-ee-preview-3) with these bugfixes? I have to spend hours building docker images locally and uploading them to my Windows Server 1709. Waiting for more than 1 hour between each test run due to slow build and upload time locally is very annoying. It would be very appreciated.

@darstahl darstahl deleted the darstahl:revendorHcsshim branch May 9, 2018

@mback2k mback2k commented Jun 28, 2018

@thaJeztah Could you please tell us if the new release of "18.03.1-ee-1 (2018-06-27)" includes hcsshim v0.6.11 or at least v0.6.10?

@thaJeztah thaJeztah commented Jun 28, 2018

@mback2k yes; all current versions of Docker (EE, CE) have the fix in place
