Closed renovate[bot] closed 3 weeks ago
Coverage totals (one report per base build):

| Base build | Change from base | Covered lines | Relevant lines |
|---|---|---|---|
| 9424963144 | 0.0% | 1967 | 5813 |
| 9457527930 | 33.8% | 1967 | 5813 |
| 9475293993 | 0.0% | 1967 | 5813 |
| 9491714671 | 0.0% | 1967 | 5813 |
| 9508182972 | 0.0% | 1967 | 5813 |
This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/docker/docker | `v23.0.12+incompatible` -> `v24.0.9+incompatible` |
## GitHub Vulnerability Alerts

### CVE-2024-24557

The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`. Also, changes to some instructions (most importantly `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.

An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered a valid cache candidate for:

when in fact the malicious image used as a cache would be an image built from a different Dockerfile.

In the second case (an instruction change that does not cause a cache miss), the attacker could for example substitute a different `HEALTHCHECK` command.

### Impact

23.0+ users are only affected if they explicitly opted out of BuildKit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.

The image build API endpoint (`/build`) and the `ImageBuild` function from `github.com/docker/docker/client` are also affected, as they use the classic builder by default.

### Patches

Patches are included in Moby releases:

### Workarounds

Use `--no-cache`, or use BuildKit if possible (`DOCKER_BUILDKIT=1`; it is the default on 23.0+ assuming that the buildx plugin is installed).

For the `ImageBuild` call, set `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions`.
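To make the cache-candidate logic described in the advisory concrete, here is an added Go example. It is not Moby's code and not part of this PR: a simplified model of the classic builder's cache lookup, with a vulnerable matcher that ignores `Healthcheck` and `OnBuild` beside a fixed one that compares the whole recorded config. The type and field names, the image IDs and the sample configs are constructed for the illustration, and the rule that a pulled image has an empty `Parent` (so that it lines up with a `FROM scratch` step while never matching a local base image) is an assumption of the model.

```go
package main

import (
	"fmt"
	"reflect"
)

// ImageConfig holds the part of a committed container config that this
// model compares between a build step and a cache candidate.
type ImageConfig struct {
	Cmd         []string // command recorded for the layer
	Env         []string // environment recorded for the layer
	Healthcheck []string // HEALTHCHECK test command, nil when unset
	OnBuild     []string // ONBUILD triggers, nil when unset
}

// Image is an image present in the local store, whether built locally
// or pulled from a registry.
type Image struct {
	ID     string      // constructed sample ID, not a real digest
	Parent string      // ID of the parent image; "" when built FROM scratch
	Config ImageConfig // config recorded when the image was committed
}

// vulnerableMatch models the flaw in the advisory: the parent ID and the
// main config fields are compared, but Healthcheck and OnBuild are not,
// so a candidate with a substituted HEALTHCHECK or an added ONBUILD is
// still accepted as a cache hit.
func vulnerableMatch(c Image, parent string, want ImageConfig) bool {
	return c.Parent == parent &&
		reflect.DeepEqual(c.Config.Cmd, want.Cmd) &&
		reflect.DeepEqual(c.Config.Env, want.Env)
}

// fixedMatch compares the whole recorded config, so any change to
// HEALTHCHECK or ONBUILD causes a cache miss.
func fixedMatch(c Image, parent string, want ImageConfig) bool {
	return c.Parent == parent && reflect.DeepEqual(c.Config, want)
}

// lookup returns the ID of the first candidate accepted by match, or ""
// on a cache miss.
func lookup(match func(Image, string, ImageConfig) bool, store []Image, parent string, want ImageConfig) string {
	for _, img := range store {
		if match(img, parent, want) {
			return img.ID
		}
	}
	return ""
}

// Constructed sample data (assumption of the model: a pulled image has no
// local parent, so its Parent is "", which is what a FROM scratch step
// looks for). victimStep is what the victim's own Dockerfile would commit;
// the two attacker images differ from it only in HEALTHCHECK or ONBUILD.
var (
	victimStep = ImageConfig{
		Cmd:         []string{"/app/server"},
		Env:         []string{"PATH=/usr/local/bin:/usr/bin"},
		Healthcheck: []string{"CMD", "/app/healthy"},
	}
	attackerHealthcheck = Image{
		ID:     "sha256:attacker-healthcheck",
		Parent: "",
		Config: ImageConfig{
			Cmd:         []string{"/app/server"},
			Env:         []string{"PATH=/usr/local/bin:/usr/bin"},
			Healthcheck: []string{"CMD", "/app/other-check"}, // substituted command
		},
	}
	attackerOnBuild = Image{
		ID:     "sha256:attacker-onbuild",
		Parent: "",
		Config: ImageConfig{
			Cmd:         []string{"/app/server"},
			Env:         []string{"PATH=/usr/local/bin:/usr/bin"},
			Healthcheck: []string{"CMD", "/app/healthy"},
			OnBuild:     []string{"RUN /app/trigger"}, // added trigger
		},
	}
	store = []Image{attackerHealthcheck, attackerOnBuild}
)

func main() {
	fmt.Println("vulnerable, FROM scratch:", lookup(vulnerableMatch, store, "", victimStep))
	fmt.Println("fixed, FROM scratch:     ", lookup(fixedMatch, store, "", victimStep))
	// With a real local base image the pulled image's empty Parent never matches.
	fmt.Println("vulnerable, local base:  ", lookup(vulnerableMatch, store, "sha256:local-base", victimStep))
}
```

The vulnerable lookup hands back `sha256:attacker-healthcheck` for the scratch-based step even though its `HEALTHCHECK` is not the victim's, and would accept the `ONBUILD` variant just the same; the fixed matcher misses on both. The third lookup shows why `FROM scratch` is the exposed case in this model: with a local base image ID as the parent, a pulled image never matches in the first place.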
## Release Notes

docker/docker (github.com/docker/docker)

- [`v24.0.9+incompatible`](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.8...v24.0.9))
- [`v24.0.8+incompatible`](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.7...v24.0.8))
- [`v24.0.7+incompatible`](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.6...v24.0.7))
- [`v24.0.6+incompatible`](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.5...v24.0.6))
- [`v24.0.5+incompatible`](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.4...v24.0.5))
- [`v24.0.4+incompatible`](https://togithub.com/docker/docker/compare/v24.0.3...v24.0.4) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.3...v24.0.4))
- [`v24.0.3+incompatible`](https://togithub.com/docker/docker/compare/v24.0.2...v24.0.3) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.2...v24.0.3))
- [`v24.0.2+incompatible`](https://togithub.com/docker/docker/compare/v24.0.1...v24.0.2) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.1...v24.0.2))
- [`v24.0.1+incompatible`](https://togithub.com/docker/docker/compare/v24.0.0...v24.0.1) ([Compare Source](https://togithub.com/docker/docker/compare/v24.0.0...v24.0.1))
- [`v24.0.0+incompatible`](https://togithub.com/docker/docker/compare/v23.0.9...v24.0.0) ([Compare Source](https://togithub.com/docker/docker/compare/v23.0.12...v24.0.0))

## Configuration
- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.