
fix(deps): update module github.com/moby/moby to v24.0.9+incompatible #3323

Merged
merged 2 commits into from
Feb 4, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 4, 2024

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/moby/moby | v24.0.8+incompatible -> v24.0.9+incompatible | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-24557

The classic builder cache system is prone to cache poisoning if the image is built FROM scratch.
Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a valid cache candidate for:

```dockerfile
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case, the attacker could for example substitute a different HEALTHCHECK command.

Impact

23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default.

Patches

Patches are included in Moby releases:

  • v25.0.2
  • v24.0.9

Workarounds

  • Use --no-cache or use Buildkit if possible (DOCKER_BUILDKIT=1, it's default on 23.0+ assuming that the buildx plugin is installed).
  • Use Version = types.BuilderBuildKit or NoCache = true in ImageBuildOptions for ImageBuild call.

Release Notes

moby/moby (github.com/moby/moby)

v24.0.9+incompatible

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "before 4am" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
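The Impact and Workarounds sections of the advisory above amount to a small decision procedure: a build is only exposed to CVE-2024-24557 when the daemon is unpatched, the request actually reaches the classic builder, and the cache is in use. The following Go program is an added example, not code from Renovate, Moby or Woodpecker, that turns those statements into a triage helper for auditing CI configurations. The `BuildSetup` struct, its field names and the sample setups are constructed for this example; the fields only mirror the real knobs (`DOCKER_BUILDKIT`, `ImageBuildOptions.Version`/`NoCache`, `--no-cache`) rather than calling the Docker client. Versions newer than v25.0.2 are assumed to carry the fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// BuildSetup captures the facts the advisory's Impact and Workarounds sections
// turn on. Constructed for this example; it is not part of the Moby API.
type BuildSetup struct {
	DaemonVersion string // e.g. "24.0.8" or "v24.0.9+incompatible"
	BuildKitEnv   string // DOCKER_BUILDKIT as seen by the CLI ("" when unset)
	ViaBuildAPI   bool   // request goes to /build or client.ImageBuild
	APIBuildKit   bool   // ImageBuildOptions.Version == types.BuilderBuildKit
	NoCache       bool   // --no-cache or ImageBuildOptions.NoCache = true
}

// parseVersion reads major.minor.patch from "24.0.9", "v25.0.2" or
// "v24.0.9+incompatible"; anything after '+' or '-' is ignored.
func parseVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	var out [3]int
	if len(parts) == 0 || len(parts) > 3 {
		return out, fmt.Errorf("unparseable version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unparseable version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// versionLess reports whether a sorts before b.
func versionLess(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// patched applies the Patches section: v24.0.9 on the 24.x line and v25.0.2 on
// the 25.x line. Releases after 25.0.2 are assumed to include the fix.
func patched(v [3]int) bool {
	switch {
	case v[0] < 24:
		return false
	case v[0] == 24:
		return !versionLess(v, [3]int{24, 0, 9})
	case v[0] == 25:
		return !versionLess(v, [3]int{25, 0, 2})
	default:
		return true
	}
}

// classicBuilderUsed applies the Impact section: /build and client.ImageBuild
// default to the classic builder unless BuildKit is selected explicitly; the
// CLI defaults to BuildKit from 23.0 unless DOCKER_BUILDKIT=0, and to the
// classic builder before 23.0 unless DOCKER_BUILDKIT=1.
func classicBuilderUsed(s BuildSetup, v [3]int) bool {
	if s.ViaBuildAPI {
		return !s.APIBuildKit
	}
	if v[0] < 23 {
		return s.BuildKitEnv != "1"
	}
	return s.BuildKitEnv == "0"
}

// Exposure returns "" when the setup is not exposed to CVE-2024-24557 and a
// one-line reason when it is. An unparseable version is an error, never "safe".
func Exposure(s BuildSetup) (string, error) {
	v, err := parseVersion(s.DaemonVersion)
	if err != nil {
		return "", err
	}
	switch {
	case patched(v), !classicBuilderUsed(s, v), s.NoCache:
		return "", nil // fixed daemon, BuildKit in use, or no cache lookup at all
	}
	return fmt.Sprintf("daemon %s uses the classic builder with cache enabled", s.DaemonVersion), nil
}

func main() {
	// Constructed sample setups, not taken from any real deployment.
	for _, s := range []BuildSetup{
		{DaemonVersion: "v24.0.8+incompatible", BuildKitEnv: "0"},
		{DaemonVersion: "v24.0.9+incompatible", BuildKitEnv: "0"},
		{DaemonVersion: "24.0.8", ViaBuildAPI: true},
		{DaemonVersion: "24.0.8", ViaBuildAPI: true, APIBuildKit: true},
		{DaemonVersion: "20.10.24"},
	} {
		reason, err := Exposure(s)
		switch {
		case err != nil:
			fmt.Printf("%+v: error: %v\n", s, err)
		case reason == "":
			fmt.Printf("%+v: not exposed\n", s)
		default:
			fmt.Printf("%+v: EXPOSED: %s\n", s, reason)
		}
	}
}
```

The check is deliberately conservative on the version side: anything it cannot parse (for example a `latest` tag instead of a release number) is returned as an error so that an audit script fails loudly rather than marking the host clean.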

@renovate renovate bot added the dependencies label Feb 4, 2024
@renovate renovate bot enabled auto-merge (squash) February 4, 2024 02:10
@renovate renovate bot merged commit 6ffb3b1 into main Feb 4, 2024
6 checks passed
@renovate renovate bot deleted the renovate/go-github.com/moby/moby-vulnerability branch February 4, 2024 06:53
@woodpecker-bot woodpecker-bot mentioned this pull request Feb 5, 2024
1 task
@6543 6543 added the security label Mar 18, 2024
@6543 6543 changed the title fix(deps): update module github.com/moby/moby to v24.0.9+incompatible [security] fix(deps): update module github.com/moby/moby to v24.0.9+incompatible Mar 18, 2024
anbraten added a commit that referenced this pull request Mar 19, 2024
## [2.4.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/2.4.0) - 2024-03-19

### 🔒 Security

- Improve security context handling
[[#3482](#3482)]
- fix(deps): update module github.com/moby/moby to v24.0.9+incompatible
[[#3323](#3323)]

### ✨ Features

- Cli setup command
[[#3384](#3384)]
- Add bitbucket datacenter (server) support
[[#2503](#2503)]
- Cli updater
[[#3382](#3382)]

### 📚 Documentation

- Delete docs for v0.15.x
[[#3508](#3508)]
- Add deployment plugin
[[#3495](#3495)]
- Bump follow-redirects and fix broken anchors
[[#3488](#3488)]
- fix: plugin doc page not found
[[#3480](#3480)]
- Documentation improvements
[[#3376](#3376)]
- fix(deps): update docs npm deps non-major
[[#3455](#3455)]
- Add "Sonatype Nexus" plugin
[[#3446](#3446)]
- Add blog post
[[#3439](#3439)]
- Add "Gradle Wrapper Validation" plugin
[[#3435](#3435)]
- Add blog post
[[#3410](#3410)]
- Extend core ideas documentation
[[#3405](#3405)]
- docs: fix contributions link
[[#3363](#3363)]
- Update/fix some docs
[[#3359](#3359)]
- chore(deps): update dependency marked to v12
[[#3325](#3325)]

### 🐛 Bug Fixes

- Fix skip setup for some general cli commands
[[#3498](#3498)]
- Move generic agent flags to cmd/agent/core
[[#3484](#3484)]
- Fix usage of WOODPECKER_DATABASE_DATASOURCE_FILE
[[#3404](#3404)]
- Set pull-request id and labels on pr-closed event
[[#3442](#3442)]
- Update org name on login
[[#3409](#3409)]
- Do not alter secret key upper-/lowercase
[[#3375](#3375)]
- fix: can't run multiple services on k8s
[[#3395](#3395)]
- Fix agent polling
[[#3378](#3378)]
- Remove empty strings from slice before parsing agent config
[[#3387](#3387)]
- Set correct link for commit
[[#3368](#3368)]
- Fix schema links
[[#3369](#3369)]
- Fix correctly handle gitlab pr closed events
[[#3362](#3362)]
- fix: update schema event_enum to remove error warning when.event
[[#3357](#3357)]
- Fix version check on next
[[#3340](#3340)]
- Ignore gitlab merge request events without code changes
[[#3338](#3338)]
- Ignore gitlab push events without commits
[[#3339](#3339)]
- Consider gitlab inherited permissions
[[#3308](#3308)]
- fix: agent panic when node is terminated during step execution
[[#3331](#3331)]

### 📈 Enhancement

- Enable golangci linter gomnd
[[#3171](#3171)]
- Apply "grpcnotrace" go build tag
[[#3448](#3448)]
- Simplify store interfaces
[[#3437](#3437)]
- Deprecate alternative names on secrets
[[#3406](#3406)]
- Store workflows/steps for blocked pipeline
[[#2757](#2757)]
- Parse email from Gitea webhook
[[#3420](#3420)]
- Replace http types on forge interface
[[#3374](#3374)]
- Prevent agent deletion when it's still running tasks
[[#3377](#3377)]
- Refactor internal services
[[#915](#915)]
- Lint for event filter and deprecate `exclude`
[[#3222](#3222)]
- Allow editing all environment variables in pipeline popups
[[#3314](#3314)]
- Parse backend options in backend
[[#3227](#3227)]
- Make agent usable for external backends
[[#3270](#3270)]
- Add no branches text
[[#3312](#3312)]
- Add loading spinner to repo list
[[#3310](#3310)]

### Misc

- Post on mastodon when releasing a new version
[[#3509](#3509)]
- chore(deps): update dependency alpine_3_18/ca-certificates to v20240226
[[#3501](#3501)]
- fix(deps): update module github.com/google/go-github/v59 to v60
[[#3493](#3493)]
- fix(deps): update dependency @intlify/unplugin-vue-i18n to v3
[[#3492](#3492)]
- chore(deps): update dependency vue-tsc to v2
[[#3491](#3491)]
- chore(deps): update dependency eslint-config-airbnb-typescript to v18
[[#3490](#3490)]
- chore(deps): update web npm deps non-major
[[#3489](#3489)]
- fix(deps): update golang (packages)
[[#3486](#3486)]
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security]
[[#3487](#3487)]
- chore(deps): update docker.io/techknowlogick/xgo docker tag to go-1.22.1
[[#3476](#3476)]
- chore(deps): update docker.io/golang docker tag to v1.22.1
[[#3475](#3475)]
- Update prettier version
[[#3471](#3471)]
- chore(deps): update woodpeckerci/plugin-ready-release-go docker tag to v1.1.0
[[#3464](#3464)]
- chore(deps): lock file maintenance
[[#3465](#3465)]
- chore(deps): update postgres docker tag to v16.2
[[#3461](#3461)]
- chore(deps): update lycheeverse/lychee docker tag to v0.14.3
[[#3429](#3429)]
- fix(deps): update golang (packages)
[[#3430](#3430)]
- More `when` filters
[[#3407](#3407)]
- Apply `documentation`/`ui` label to corresponding renovate updates
[[#3400](#3400)]
- chore(deps): update dependency eslint-plugin-simple-import-sort to v12
[[#3396](#3396)]
- chore(deps): update typescript-eslint monorepo to v7 (major)
[[#3397](#3397)]
- fix(deps): update module github.com/google/go-github/v58 to v59
[[#3398](#3398)]
- chore(deps): update docker.io/techknowlogick/xgo docker tag to go-1.22.0
[[#3392](#3392)]
- chore(deps): update docker.io/golang docker tag
[[#3391](#3391)]
- fix(deps): update golang (packages)
[[#3393](#3393)]
- chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v3.1.0
[[#3394](#3394)]
- Add link checking
[[#3371](#3371)]
- Apply `dependencies` label to all PRs
[[#3358](#3358)]
- chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v3.0.1
[[#3324](#3324)]

---------

Co-authored-by: 6543 <m.huber@kithara.com>
Co-authored-by: Anbraten <6918444+anbraten@users.noreply.github.com>