mozillazg / ptcpdump

Process-aware, eBPF-based tcpdump
MIT License

chore(deps): update module github.com/docker/docker to v26.1.5+incompatible [security] #107

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 3 months ago


This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/docker/docker | `v24.0.9+incompatible` -> `v26.1.5+incompatible` |
| github.com/docker/docker | `v26.1.4+incompatible` -> `v26.1.5+incompatible` |

GitHub Vulnerability Alerts

CVE-2024-41110

A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Impact

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

Vulnerability details

Patches

Remediation steps

References


Release Notes

docker/docker (github.com/docker/docker)

### [`v26.1.5+incompatible`](https://togithub.com/docker/docker/compare/v26.1.4...v26.1.5)
[Compare Source](https://togithub.com/docker/docker/compare/v26.1.4...v26.1.5)

### [`v26.1.4+incompatible`](https://togithub.com/docker/docker/compare/v26.1.3...v26.1.4)
[Compare Source](https://togithub.com/docker/docker/compare/v26.1.3...v26.1.4)

### [`v26.1.3+incompatible`](https://togithub.com/docker/docker/compare/v26.1.2...v26.1.3)
[Compare Source](https://togithub.com/docker/docker/compare/v26.1.2...v26.1.3)

### [`v26.1.2+incompatible`](https://togithub.com/docker/docker/compare/v26.1.1...v26.1.2)
[Compare Source](https://togithub.com/docker/docker/compare/v26.1.1...v26.1.2)

### [`v26.1.1+incompatible`](https://togithub.com/docker/docker/compare/v26.1.0...v26.1.1)
[Compare Source](https://togithub.com/docker/docker/compare/v26.1.0...v26.1.1)

### [`v26.1.0+incompatible`](https://togithub.com/docker/docker/compare/v26.0.2...v26.1.0)
[Compare Source](https://togithub.com/docker/docker/compare/v26.0.2...v26.1.0)

### [`v26.0.2+incompatible`](https://togithub.com/docker/docker/compare/v26.0.1...v26.0.2)
[Compare Source](https://togithub.com/docker/docker/compare/v26.0.1...v26.0.2)

### [`v26.0.1+incompatible`](https://togithub.com/docker/docker/compare/v26.0.0...v26.0.1)
[Compare Source](https://togithub.com/docker/docker/compare/v26.0.0...v26.0.1)

### [`v26.0.0+incompatible`](https://togithub.com/docker/docker/compare/v25.0.5...v26.0.0)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.6...v26.0.0)

### [`v25.0.6+incompatible`](https://togithub.com/docker/docker/compare/v25.0.5...v25.0.6)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.5...v25.0.6)

### [`v25.0.5+incompatible`](https://togithub.com/docker/docker/compare/v25.0.4...v25.0.5)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.4...v25.0.5)

### [`v25.0.4+incompatible`](https://togithub.com/docker/docker/compare/v25.0.3...v25.0.4)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.3...v25.0.4)

### [`v25.0.3+incompatible`](https://togithub.com/docker/docker/compare/v25.0.2...v25.0.3)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.2...v25.0.3)

### [`v25.0.2+incompatible`](https://togithub.com/docker/docker/compare/v25.0.1...v25.0.2)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.1...v25.0.2)

### [`v25.0.1+incompatible`](https://togithub.com/docker/docker/compare/v25.0.0...v25.0.1)
[Compare Source](https://togithub.com/docker/docker/compare/v25.0.0...v25.0.1)

### [`v25.0.0+incompatible`](https://togithub.com/docker/docker/compare/v24.0.9...v25.0.0)
[Compare Source](https://togithub.com/docker/docker/compare/v24.0.9...v25.0.0)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
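The advisory above says a plugin that decides on the request body may allow a request it would have denied had the body been forwarded. As an added example (not part of this PR, Renovate's output, or Docker's code), the sketch below shows a plugin-side decision function that fails closed on a missing body. The `authzRequest`/`authzResponse` types, the `createRoute` pattern, the "no privileged containers" policy and the sample request are assumptions made for illustration; the JSON field names are assumed from Docker's AuthZ plugin API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// authzRequest: subset of the daemon-to-plugin request (field names assumed).
type authzRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"`
}

type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Hypothetical policy: container creation is the one body-dependent route.
var createRoute = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// decide fails closed: on a body-dependent route a missing or unparsable
// body is a denial, never an implicit allow.
func decide(req authzRequest) authzResponse {
	if req.RequestMethod != "POST" || !createRoute.MatchString(req.RequestURI) {
		return authzResponse{Allow: true} // policy here does not inspect a body
	}
	if len(req.RequestBody) == 0 {
		return authzResponse{Msg: "denied: request body was not forwarded"}
	}
	var body struct {
		HostConfig struct{ Privileged bool }
	}
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return authzResponse{Msg: "denied: request body is not valid JSON"}
	}
	if body.HostConfig.Privileged {
		return authzResponse{Msg: "denied: privileged containers are not allowed"}
	}
	return authzResponse{Allow: true}
}

func main() {
	// Constructed sample: a create request that reached the plugin without its body.
	out, _ := json.Marshal(decide(authzRequest{RequestMethod: "POST", RequestURI: "/v1.45/containers/create"}))
	fmt.Println(string(out))
}
```

A check like this only hardens the plugin's own decision; the regression itself is in the Engine, which is what the version bump in this PR addresses.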

renovate[bot] commented 3 months ago

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: go.sum
Command failed: go mod tidy
go: downloading github.com/go-quicktest/qt v1.101.0
go: downloading github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786
go: downloading github.com/vishvananda/netlink v1.1.0
go: downloading github.com/stretchr/testify v1.9.0
go: downloading github.com/Microsoft/hcsshim/test v0.0.0-20210514012740-eba372547321
go: downloading github.com/containerd/go-runc v1.0.0
go: downloading gotest.tools/v3 v3.5.1
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/coreos/go-systemd/v22 v22.3.2
go: downloading github.com/godbus/dbus/v5 v5.0.6
go: downloading github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
go: downloading github.com/BurntSushi/toml v0.3.1
go: downloading github.com/imdario/mergo v0.3.5
go: downloading github.com/containerd/console v1.0.3
go: downloading github.com/prometheus/procfs v0.15.1
go: downloading go.opentelemetry.io/otel/exporters/otlp v0.20.0
go: downloading go.opentelemetry.io/otel/sdk v0.20.0
go: downloading go.opentelemetry.io/otel/oteltest v0.20.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.11.0
go: downloading github.com/shoenig/test v0.6.4
go: downloading github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
go: downloading github.com/morikuni/aec v1.0.0
go: downloading github.com/golang/mock v1.6.0
go: downloading go.etcd.io/bbolt v1.3.6
go: downloading golang.org/x/time v0.5.0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
go: finding module for package go.opentelemetry.io/otel/semconv/v1.21.0
go: finding module for package go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go: downloading go.opentelemetry.io v0.1.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
go: found go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
go: downloading google.golang.org/grpc v1.64.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094
go: downloading go.opentelemetry.io/proto/otlp v0.7.0
go: downloading github.com/cenkalti/backoff/v4 v4.3.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading github.com/grpc-ecosystem/grpc-gateway v1.16.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094
go: downloading google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368
go: finding module for package go.opentelemetry.io/otel/semconv/v1.21.0
go: github.com/mozillazg/ptcpdump/internal/metadata/container/docker imports
    github.com/docker/docker/client tested by
    github.com/docker/docker/client.test imports
    github.com/docker/docker/testutil imports
    go.opentelemetry.io/otel/semconv/v1.21.0: module go.opentelemetry.io/otel@latest found (v1.28.0, replaced by go.opentelemetry.io/otel@v0.20.0), but does not contain package go.opentelemetry.io/otel/semconv/v1.21.0
go: github.com/mozillazg/ptcpdump/internal/metadata/container/docker imports
    github.com/docker/docker/client tested by
    github.com/docker/docker/client.test imports
    github.com/docker/docker/testutil imports
    go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp imports
    go.opentelemetry.io/proto/otlp/collector/trace/v1 imports
    github.com/grpc-ecosystem/grpc-gateway/runtime imports
    google.golang.org/genproto/googleapis/api/httpbody: ambiguous import: found package google.golang.org/genproto/googleapis/api/httpbody in multiple modules:
    google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 (/tmp/renovate/cache/others/go/pkg/mod/google.golang.org/genproto@v0.0.0-20220107163113-42d7afdf6368/googleapis/api/httpbody)
    google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 (/tmp/renovate/cache/others/go/pkg/mod/google.golang.org/genproto/googleapis/api@v0.0.0-20240701130421-f6361c86f094/httpbody)