celo-org / celo-blockchain

Official repository for the golang Celo Blockchain
https://celo.org
GNU Lesser General Public License v3.0

fix(deps): update module github.com/docker/docker to v24.0.9+incompatible [security] #2289

Closed renovate[bot] closed 6 months ago

renovate[bot] commented 6 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/docker/docker | v24.0.7+incompatible -> v24.0.9+incompatible |

GitHub Vulnerability Alerts

CVE-2024-24557

The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a valid cache candidate for:

```
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case, the attacker could for example substitute a different HEALTHCHECK command.

Impact

23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default.

Patches

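Patches are included in Moby releases:

- v25.0.2
- v24.0.9

Workarounds

- Use --no-cache or use Buildkit if possible (DOCKER_BUILDKIT=1, it's default on 23.0+ assuming that the buildx plugin is installed).
- Use Version = types.BuilderBuildKit or NoCache = true in ImageBuildOptions for ImageBuild call.
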
Classic builder cache poisoning

CVE-2024-24557 / GHSA-xw73-rw38-6vjc

More information

#### Details

The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a valid cache candidate for:

```
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case, the attacker could for example substitute a different `HEALTHCHECK` command.

##### Impact

23.0+ users are only affected if they explicitly opted out of Buildkit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

The image build API endpoint (`/build`) and the `ImageBuild` function from `github.com/docker/docker/client` are also affected, as they use the classic builder by default.

##### Patches

Patches are included in Moby releases:

- v25.0.2
- v24.0.9

##### Workarounds

- Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`, it's default on 23.0+ assuming that the buildx plugin is installed).
- Use `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions` for `ImageBuild` call.

#### Severity

- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L`

#### References

- [https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-24557](https://nvd.nist.gov/vuln/detail/CVE-2024-24557)
- [https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae](https://togithub.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae)
- [https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd](https://togithub.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd)
- [https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff](https://togithub.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff)
- [https://github.com/moby/moby](https://togithub.com/moby/moby)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xw73-rw38-6vjc) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

docker/docker (github.com/docker/docker)

### [`v24.0.9+incompatible`](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9)

[Compare Source](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9)

### [`v24.0.8+incompatible`](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8)

[Compare Source](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
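
As an added example (not part of this PR, of Renovate's output, or of the celo-blockchain code base), the following Go program reads go.mod text and reports whether the required github.com/docker/docker version is at or above the patched releases the advisory lists (v24.0.9, v25.0.2). The names `classify` and `CheckGoMod` are hypothetical, the go.mod input is constructed, and treating releases after v25.0.2 as fixed is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// classify: fixed releases per the advisory are v24.0.9 and v25.0.2 (assumption:
// later releases keep the fix); pre-release/pseudo-versions yield "unknown".
func classify(ver string) string {
	var a, b, c int
	base := strings.SplitN(ver, "+", 2)[0] // drop "+incompatible"
	n, _ := fmt.Sscanf(base, "v%d.%d.%d", &a, &b, &c)
	switch {
	case n != 3 || base != fmt.Sprintf("v%d.%d.%d", a, b, c):
		return "unknown"
	case a > 25, a == 25 && (b > 0 || c >= 2), a == 24 && b == 0 && c >= 9:
		return "patched"
	}
	return "vulnerable"
}

// CheckGoMod returns the docker/docker version a go.mod requires and its
// verdict ("absent" if none). replace and exclude directives are not evaluated.
func CheckGoMod(gomod string) (version, verdict string) {
	const mod = "github.com/docker/docker"
	block := "" // directive whose ( ... ) block we are inside
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // drop comments
		if len(f) == 2 && f[1] == "(" {
			block = f[0]
		} else if len(f) == 1 && f[0] == ")" {
			block = ""
		}
		if len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line "require <module> <version>"
		} else if block != "require" {
			continue
		}
		if len(f) == 2 && f[0] == mod {
			return f[1], classify(f[1])
		}
	}
	return "", "absent"
}

func main() { // constructed go.mod line using the version this PR replaces
	fmt.Println(CheckGoMod("require github.com/docker/docker v24.0.7+incompatible // indirect"))
}
```

A "patched" verdict only covers the module version; code that calls `ImageBuild` is still subject to the workaround notes in the advisory above.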

github-actions[bot] commented 6 months ago

Coverage from tests in ./e2e_test/... for ./consensus/istanbul/... at commit 900eb1ae5749af20024bca30f4d07570ad59b41e

coverage: 50.1% of statements across all listed packages
coverage:  63.2% of statements in consensus/istanbul
coverage:  41.4% of statements in consensus/istanbul/announce
coverage:  54.6% of statements in consensus/istanbul/backend
coverage:   0.0% of statements in consensus/istanbul/backend/backendtest
coverage:  24.3% of statements in consensus/istanbul/backend/internal/replica
coverage:  64.9% of statements in consensus/istanbul/core
coverage:  45.0% of statements in consensus/istanbul/db
coverage:   0.0% of statements in consensus/istanbul/proxy
coverage:  64.2% of statements in consensus/istanbul/uptime
coverage:  51.8% of statements in consensus/istanbul/validator
coverage:  79.2% of statements in consensus/istanbul/validator/random

github-actions[bot] commented 6 months ago

5891 passed, 1 failed, 45 skipped

Test failures:
  TestStartStopValidators: e2e_test

Failed
Checking getExchangeSpenders. spenders = [0x000000000000000000000000000000000000d028]
Checking medianRate. numerator = 1000000000000000000000000  denominator = 1000000000000000000000000 
Checking gas price minimum. cusdValue = 100000000
    e2e_test.go:330: 
This test report was produced by the test-summary action.  Made with ❤️ in Cambridge.