Closed renovate[bot] closed 6 months ago
Coverage from tests in `./e2e_test/...` for `./consensus/istanbul/...` at commit 900eb1ae5749af20024bca30f4d07570ad59b41e

- coverage: 63.2% of statements in consensus/istanbul
- coverage: 41.4% of statements in consensus/istanbul/announce
- coverage: 54.6% of statements in consensus/istanbul/backend
- coverage: 0.0% of statements in consensus/istanbul/backend/backendtest
- coverage: 24.3% of statements in consensus/istanbul/backend/internal/replica
- coverage: 64.9% of statements in consensus/istanbul/core
- coverage: 45.0% of statements in consensus/istanbul/db
- coverage: 0.0% of statements in consensus/istanbul/proxy
- coverage: 64.2% of statements in consensus/istanbul/uptime
- coverage: 51.8% of statements in consensus/istanbul/validator
- coverage: 79.2% of statements in consensus/istanbul/validator/random
| Test failures |
|---|
| TestStartStopValidators: e2e_test |

This test report was produced by the test-summary action. Made with ❤️ in Cambridge.
This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/docker/docker | `v24.0.7+incompatible` -> `v24.0.9+incompatible` |
### GitHub Vulnerability Alerts

#### CVE-2024-24557

The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a valid cache candidate for:

```
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case, the attacker could for example substitute a different `HEALTHCHECK` command.

##### Impact

23.0+ users are only affected if they explicitly opted out of Buildkit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default). All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

The image build API endpoint (`/build`) and the `ImageBuild` function from `github.com/docker/docker/client` are also affected, as they use the classic builder by default.

##### Patches

Patches are included in Moby releases:

- v25.0.2
- v24.0.9

##### Workarounds

- Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`, it's default on 23.0+ assuming that the buildx plugin is installed).
- Use `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions` for `ImageBuild` call.

#### Classic builder cache poisoning (CVE-2024-24557 / GHSA-xw73-rw38-6vjc)

##### Severity

- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L`

##### References

- [https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-24557](https://nvd.nist.gov/vuln/detail/CVE-2024-24557)
- [https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae](https://togithub.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae)
- [https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd](https://togithub.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd)
- [https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff](https://togithub.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff)
- [https://github.com/moby/moby](https://togithub.com/moby/moby)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xw73-rw38-6vjc) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

### Release Notes
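As an added defender-side check (not code from Moby, Renovate or this repository), the following Go function flags the Dockerfile conditions the advisory names (`FROM scratch`, and `HEALTHCHECK`/`ONBUILD` instructions) and returns nothing once the build is configured with either documented workaround. The `useBuildKit`/`noCache` parameters are constructed stand-ins for `Version = types.BuilderBuildKit` and `NoCache = true` in `ImageBuildOptions`, not the docker client's own types, and the sample Dockerfile is constructed from the advisory's example.

```go
package main

import (
	"bufio"
	"strings"
)
// Finding is one Dockerfile line matching a condition named in CVE-2024-24557:
// FROM scratch, or a HEALTHCHECK/ONBUILD instruction whose changes the unpatched
// classic builder did not treat as a cache miss.
type Finding struct {
	Line        int
	Instruction string
}
// SampleDockerfile is a constructed input: the advisory's two-line example plus a HEALTHCHECK.
const SampleDockerfile = "FROM scratch\nMAINTAINER Pawel\nHEALTHCHECK CMD /bin/healthy\n"

// ClassicCacheExposure reports the risk conditions found in a Dockerfile, or nil when the
// build uses BuildKit or no-cache (the advisory's workarounds), since neither consults the
// classic builder's cache. The bools stand in for Version = types.BuilderBuildKit / NoCache = true.
func ClassicCacheExposure(dockerfile string, useBuildKit, noCache bool) []Finding {
	if useBuildKit || noCache {
		return nil
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for n := 1; sc.Scan(); n++ {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		instr := strings.ToUpper(fields[0])
		switch instr {
		case "HEALTHCHECK", "ONBUILD":
			findings = append(findings, Finding{n, instr})
		case "FROM":
			// the image reference is the first argument that is not a flag such as --platform=...
			for _, arg := range fields[1:] {
				if strings.HasPrefix(arg, "--") {
					continue
				}
				if strings.EqualFold(arg, "scratch") {
					findings = append(findings, Finding{n, instr})
				}
				break
			}
		}
	}
	return findings
}
```

Each `Finding` carries the line number and instruction so a CI step can refuse a classic-builder cached build of that Dockerfile, or require `--no-cache`, until the daemon is on a patched release.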
docker/docker (github.com/docker/docker)
### [`v24.0.9+incompatible`](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9)

[Compare Source](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9)

### [`v24.0.8+incompatible`](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8)

[Compare Source](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8)

### Configuration
- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.