Host system modification in github.com/moby/buildkit
CVE-2024-23652 / GHSA-4v98-7qmw-rqr8 / GO-2024-2494
#### Details
A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes the empty files created for mountpoints into removing a file outside the container, on the host system.
#### Severity
Unknown
#### References
- [https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8](https://togithub.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8)
- [https://github.com/moby/buildkit/pull/4603](https://togithub.com/moby/buildkit/pull/4603)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2494) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts
CVE-2024-23651 / GHSA-m3r6-h7wv-7xxv / GO-2024-2493
#### Details
##### Impact
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
##### Patches
The issue has been fixed in v0.12.5.
##### Workarounds
Avoid using a BuildKit frontend from an untrusted source, and avoid building an untrusted Dockerfile that contains cache mounts with `--mount=type=cache,source=...` options.
##### References
https://www.openwall.com/lists/oss-security/2019/05/28/1
#### Severity
- CVSS Score: 8.7 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N`
#### References
- [https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv](https://togithub.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-23651](https://nvd.nist.gov/vuln/detail/CVE-2024-23651)
- [https://github.com/moby/buildkit/pull/4604](https://togithub.com/moby/buildkit/pull/4604)
- [https://github.com/moby/buildkit](https://togithub.com/moby/buildkit)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m3r6-h7wv-7xxv) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Host system file access in github.com/moby/buildkit
#### Details
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
#### Severity
Unknown
#### References
- [https://github.com/moby/buildkit/pull/4604](https://togithub.com/moby/buildkit/pull/4604)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2493) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
#### Details
BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is both enabled in the buildkitd configuration and allowed by the user initializing the build request.
#### Severity
Unknown
#### References
- [https://github.com/moby/buildkit/pull/4602](https://togithub.com/moby/buildkit/pull/4602)
- [https://github.com/moby/buildkit/commit/92cc595cfb12891d4b3ae476e067c74250e4b71e](https://togithub.com/moby/buildkit/commit/92cc595cfb12891d4b3ae476e067c74250e4b71e)
- [https://github.com/moby/buildkit/commit/5026d95aa3336e97cfe46e3764f52d08bac7a10e](https://togithub.com/moby/buildkit/commit/5026d95aa3336e97cfe46e3764f52d08bac7a10e)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2497) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
BuildKit vulnerable to possible host system access from mount stub cleaner
#### Details
##### Impact
A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
##### Patches
The issue has been fixed in v0.12.5.
##### Workarounds
Avoid using a BuildKit frontend from an untrusted source, and avoid building an untrusted Dockerfile that uses the `RUN --mount` feature.
#### Severity
- CVSS Score: 10.0 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H`
#### References
- [https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8](https://togithub.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652)
- [https://github.com/moby/buildkit/pull/4603](https://togithub.com/moby/buildkit/pull/4603)
- [https://github.com/moby/buildkit](https://togithub.com/moby/buildkit)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4v98-7qmw-rqr8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
#### Details
A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.
#### Severity
Unknown
#### References
- [https://github.com/moby/buildkit/pull/4601](https://togithub.com/moby/buildkit/pull/4601)
- [https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330](https://togithub.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330)
- [https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c](https://togithub.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c)
- [https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae](https://togithub.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae)
- [https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987](https://togithub.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987)
- [https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee](https://togithub.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2492) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
Buildkit's interactive containers API does not validate entitlements check
#### Details
##### Impact
In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is both enabled in the buildkitd configuration and allowed by the user initializing the build request.
##### Patches
The issue has been fixed in v0.12.5.
##### Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified in the `#syntax` line of your Dockerfile, or with the `--frontend` flag of the `buildctl build` command.
#### Severity
- CVSS Score: 9.8 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
#### References
- [https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g](https://togithub.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653)
- [https://github.com/moby/buildkit/pull/4602](https://togithub.com/moby/buildkit/pull/4602)
- [https://github.com/moby/buildkit](https://togithub.com/moby/buildkit)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-wr6v-9f75-vh2g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
BuildKit vulnerable to possible panic when incorrect parameters sent from frontend
#### Details
##### Impact
A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
##### Patches
The issue has been fixed in v0.12.5.
##### Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified in the `#syntax` line of your Dockerfile, or with the `--frontend` flag of the `buildctl build` command.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
#### References
- [https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx](https://togithub.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-23650](https://nvd.nist.gov/vuln/detail/CVE-2024-23650)
- [https://github.com/moby/buildkit/pull/4601](https://togithub.com/moby/buildkit/pull/4601)
- [https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987](https://togithub.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987)
- [https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c](https://togithub.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c)
- [https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee](https://togithub.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee)
- [https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae](https://togithub.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae)
- [https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330](https://togithub.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330)
- [https://github.com/moby/buildkit](https://togithub.com/moby/buildkit)
- [https://github.com/moby/buildkit/releases/tag/v0.12.5](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9p26-698r-w4hx) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
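The workarounds in the four advisories above all come down to reviewing what a Dockerfile asks of the builder before an unpatched buildkitd runs it. As an added example (not code from this PR or from the BuildKit project), the POSIX shell script below does that as a pre-build gate: it reads the `# syntax=` directive and checks the frontend image against an allowlist, then counts `RUN --mount` steps and cache mounts that set a `source=` subpath. The allowlist `TRUSTED_FRONTENDS` and the two sample Dockerfiles are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from this PR or from the BuildKit project.
# Pre-build gate for the advisory workarounds: flag a "# syntax=" frontend
# that is not allowlisted, RUN --mount steps, and cache mounts with a
# source= subpath, so such Dockerfiles are reviewed before a buildkitd
# older than v0.12.5 builds them.
# Assumption: TRUSTED_FRONTENDS is a constructed allowlist for this example.

TRUSTED_FRONTENDS="docker/dockerfile docker.io/docker/dockerfile"

# Print the image named by a leading "# syntax=IMAGE" parser directive.
# Directives are only honoured before the first comment, blank line or
# instruction, so the scan stops at the first line that is not a directive.
dockerfile_syntax_image() {
  while IFS= read -r line || [ -n "$line" ]; do
    value=$(printf '%s\n' "$line" |
      sed -n 's/^#[[:space:]]*[Ss][Yy][Nn][Tt][Aa][Xx][[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$value" ]; then
      printf '%s\n' "$value"
      return 0
    fi
    # another directive (e.g. "# escape=`") keeps the scan going
    printf '%s\n' "$line" | grep -q -E '^#[[:space:]]*[A-Za-z]+[[:space:]]*=' || return 1
  done < "$1"
  return 1
}

# Return 0 when the image repository (tag or digest stripped) is allowlisted.
frontend_is_trusted() {
  repo=${1%%@*}                                  # drop @sha256:... digest
  last=${repo##*/}
  case "$last" in *:*) repo=${repo%:*} ;; esac   # drop :tag, keep registry port
  for trusted in $TRUSTED_FRONTENDS; do
    [ "$repo" = "$trusted" ] && return 0
  done
  return 1
}

# Join backslash-continued lines so a --mount on a continuation line counts.
join_continuations() {
  acc=
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *\\) acc="$acc${line%?} "; continue ;;
    esac
    printf '%s\n' "$acc$line"
    acc=
  done < "$1"
  [ -n "$acc" ] && printf '%s\n' "$acc"
  return 0
}

# Audit one Dockerfile: one line per finding, then a final "findings=N".
audit_dockerfile() {
  f=$1; n=0
  if img=$(dockerfile_syntax_image "$f"); then
    if frontend_is_trusted "$img"; then
      echo "ok: frontend $img is allowlisted"
    else
      echo "WARN: frontend $img is not allowlisted (GHSA-wr6v-9f75-vh2g, GHSA-9p26-698r-w4hx)"
      n=$((n + 1))
    fi
  else
    echo "ok: no #syntax directive, the default frontend applies"
  fi
  run_lines=$(join_continuations "$f" | grep -E '^[[:space:]]*[Rr][Uu][Nn][[:space:]]' || true)
  mounts=$(printf '%s\n' "$run_lines" | grep -c -E -- '--mount=' || true)
  if [ "$mounts" -gt 0 ]; then
    echo "WARN: $mounts RUN step(s) use --mount (GHSA-4v98-7qmw-rqr8)"
    n=$((n + mounts))
  fi
  # a cache mount whose keys include source= (or its alias src=) in any order
  cache=$(printf '%s\n' "$run_lines" | grep -c -E -- \
    '--mount=[^[:space:]]*type=cache[^[:space:]]*(source|src)=|--mount=[^[:space:]]*(source|src)=[^[:space:]]*type=cache' || true)
  if [ "$cache" -gt 0 ]; then
    echo "WARN: $cache RUN step(s) use a cache mount with a source= subpath (GHSA-m3r6-h7wv-7xxv)"
    n=$((n + cache))
  fi
  echo "findings=$n"
}

# Only the count, for use as a CI gate.
finding_count() { audit_dockerfile "$1" | sed -n 's/^findings=//p'; }

# Constructed sample Dockerfiles (not from the page) so the script runs stand-alone.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/trusted.Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1.6
FROM alpine:3.19
RUN --mount=type=cache,target=/root/.cache \
    echo building
EOF
cat > "$SAMPLES/untrusted.Dockerfile" <<'EOF'
# syntax=registry.example.invalid/custom-frontend:latest
FROM alpine:3.19
RUN --mount=type=cache,source=deps,target=/deps \
    --mount=type=bind,source=.,target=/src echo building
EOF

for f in "$SAMPLES"/*.Dockerfile; do
  echo "== $f"
  audit_dockerfile "$f"
done
```

The trusted sample reports one finding (its `RUN --mount` step) and the untrusted one three; a gate can fail the build on any non-zero `finding_count`.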
Release Notes
moby/buildkit (github.com/moby/buildkit)
### [`v0.12.5`](https://togithub.com/moby/buildkit/releases/tag/v0.12.5)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.12.4...v0.12.5)
https://hub.docker.com/r/moby/buildkit
##### Notable changes:
This release contains the following security fixes:
- Runc has been updated to v1.1.12, addressing https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
- Fix possible race condition with accessing subpaths from cache mounts https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
- Fix possible host system access from mount stub cleaner https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
- Fix interactive containers API validation against entitlements https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
- Fix possible panic when incorrect parameters are sent from the frontend https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
### [`v0.12.4`](https://togithub.com/moby/buildkit/releases/tag/v0.12.4)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.12.3...v0.12.4)
Welcome to the 0.12.4 release of buildkit!
Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.
##### Notable changes
- Fix possible concurrent map access on remote cache export [#4346](https://togithub.com/moby/buildkit/issues/4346)
- Fix hang on debug server listener [#4361](https://togithub.com/moby/buildkit/issues/4361)
- Fix possible deadlock in History API under high number of parallel builds [#4362](https://togithub.com/moby/buildkit/issues/4362)
- Fix possible panic on handling deleted records in History API [#4451](https://togithub.com/moby/buildkit/issues/4451)
- Fix possible data corruption in zstd library [#4372](https://togithub.com/moby/buildkit/issues/4372)
### [`v0.12.3`](https://togithub.com/moby/buildkit/releases/tag/v0.12.3)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.12.2...v0.12.3)
##### Notable changes
- Fix possible duplicate source files in provenance attestation for chained builds [#4190](https://togithub.com/moby/buildkit/issues/4190)
- Fix possible negative step time in progressbar for step shared with other build request [#4183](https://togithub.com/moby/buildkit/issues/4183)
- Fix properly closing history and cache DB on shutdown to avoid corruption [#4185](https://togithub.com/moby/buildkit/issues/4185) [#4189](https://togithub.com/moby/buildkit/issues/4189)
- Fix incorrect error handling for invalid HTTP source URLs [#4201](https://togithub.com/moby/buildkit/issues/4201)
- Fix fallback cases for ambiguous insecure configuration provided for registry used as push target. [#4299](https://togithub.com/moby/buildkit/issues/4299)
- Fix possible data race with parallel image config resolves [#4157](https://togithub.com/moby/buildkit/issues/4157)
- Fix regression in v0.12 for clients waiting on buildkitd to become available [#4200](https://togithub.com/moby/buildkit/issues/4200)
- Fix Cgroup NS handling for hosts supporting only CgroupV1 [#4308](https://togithub.com/moby/buildkit/issues/4308)
### [`v0.12.2`](https://togithub.com/moby/buildkit/releases/tag/v0.12.2)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.12.1...v0.12.2)
##### Notable changes
- Fix possible discarded network error when exporting result to client [#4117](https://togithub.com/moby/buildkit/issues/4117)
- Avoid unnecessary memory allocations when writing build progress [#4116](https://togithub.com/moby/buildkit/issues/4116)
### [`v0.12.1`](https://togithub.com/moby/buildkit/releases/tag/v0.12.1)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.12.0...v0.12.1)
##### Notable changes
- Fix possible goroutine leak in resource monitor for failed containers [#4081](https://togithub.com/moby/buildkit/issues/4081)
- Fix possible tracing socket path length error on some configurations [#3483](https://togithub.com/moby/buildkit/issues/3483)
### [`v0.12.0`](https://togithub.com/moby/buildkit/releases/tag/v0.12.0)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.6...v0.12.0)
*This is a pre-release of buildkit*
##### Contributors
- Tõnis Tiigi
- Justin Chadwell
- CrazyMax
- Sebastiaan van Stijn
- Akihiro Suda
- Erik Sipsma
- Gabriel Adrian Samfira
- Kohei Tokunaga
- Alex Couture-Beil
- Cory Bennett
- Brian Goff
- Nick Santos
- Wei Zhang
- Alex Suraci
- Alexis Murzeau
- Changwei Ge
- David Karlsson
- Paweł Gronowski
- Aaron Lehmann
- Jordan Goasdoue
- Seiya Miyata
- Ben Longo
- Jacob Gillespie
- Alan Fregtman
- Andy Alt
- Bertrand Paquet
- Chaerim Yeo
- Chris Goller
- Cory Snider
- Dan Duvall
- Gabriel
- Gahl Saraf
- George
- Hugo Santos
- Ilya Dmitrichenko
- Kang, Matthew
- Matias Insaurralde
- Matt Kang
- Nick Miyake
- Pranav Pandit
- Sertac Ozercan
- Vladislav Ivanov
- Yan Song
- Yurii Rashkovskii
- [@ggjulio](https://togithub.com/ggjulio)
- [@chengjoey](https://togithub.com/chengjoey)
- [@lomot](https://togithub.com/lomot)
##### Notable Changes
- Default Dockerfile frontend has been updated to [1.6.0](https://togithub.com/moby/buildkit/releases/tag/dockerfile%2F1.6.0)
- Remote cache export/import to the registry now supports OCI image manifest compatible format when setting `image-manifest=true` [#3724](https://togithub.com/moby/buildkit/issues/3724)
- Local and Tar exporters now support `platform-split=false` option to merge all artifacts for multiple platforms to the same directory. [#3161](https://togithub.com/moby/buildkit/issues/3161)
- Provenance attestation can now capture resource usage information for the system and individual build steps. This information can be written to exported attestation by setting `capture-usage=true` attestation option and is set automatically for History API records. This feature depends on CgroupV2, and some fields require kernel configured with `CONFIG_PSI` enabled. [#3860](https://togithub.com/moby/buildkit/issues/3860) [#3999](https://togithub.com/moby/buildkit/issues/3999)
- `SOURCE_DATE_EPOCH` value for reproducible builds is now set as the creation timestamp when exporting image to containerd image store [#3263](https://togithub.com/moby/buildkit/issues/3263)
- `buildctl` has new `--wait` flag to block RPCs until the connection becomes available [#3586](https://togithub.com/moby/buildkit/issues/3586)
- WCOW support for certain actions has improved [#3783](https://togithub.com/moby/buildkit/issues/3783) [#3782](https://togithub.com/moby/buildkit/issues/3782) [#3907](https://togithub.com/moby/buildkit/issues/3907) [#3906](https://togithub.com/moby/buildkit/issues/3906) [#3545](https://togithub.com/moby/buildkit/issues/3545) [#3544](https://togithub.com/moby/buildkit/issues/3544) [#3516](https://togithub.com/moby/buildkit/issues/3516) [#3908](https://togithub.com/moby/buildkit/issues/3908)
- Stargz support is out of experimental [#3637](https://togithub.com/moby/buildkit/issues/3637)
- Creating layer blobs now uses deterministic timestamps for whiteout files when Overlay snapshotter is supported for more reproducible builds [#3981](https://togithub.com/moby/buildkit/issues/3981)
- Source policy support now also applies to image config metadata requests. These requests can return a new source reference defined by the policy that the frontend can use in follow-up LLB requests. [#3956](https://togithub.com/moby/buildkit/issues/3956) [#4014](https://togithub.com/moby/buildkit/issues/4014)
- Sourcemaps in provenance attestations and errors now allow setting the source language name [#3620](https://togithub.com/moby/buildkit/issues/3620)
- File operations are now always platform-independent for better direct cache reuse [#3858](https://togithub.com/moby/buildkit/issues/3858)
- When exporting an image to Containerd image store, unpack logic now works for multi-platform images by unpacking only the native platform by default [#3982](https://togithub.com/moby/buildkit/issues/3982) [#3983](https://togithub.com/moby/buildkit/issues/3983)
- Cgroup namespace isolation is enabled for containers on supported systems [#4003](https://togithub.com/moby/buildkit/issues/4003)
- New DockerUI package is provided for frontend authors who want to target `docker buildx` flags without the need to copy code from the Dockerfile frontend [#3606](https://togithub.com/moby/buildkit/issues/3606)
- Downloading image layers in the exporter can now work in parallel for different platforms [#3984](https://togithub.com/moby/buildkit/issues/3984)
- Zstd compressed layers are now supported also with Docker-style mediatypes [#3968](https://togithub.com/moby/buildkit/issues/3968)
- Secret environment variables can now be set using the interactive container API [#3957](https://togithub.com/moby/buildkit/issues/3957)
- TOML buildkitd config now supports multiple units for storage limits [#3773](https://togithub.com/moby/buildkit/issues/3773)
- gRPC API now enables reflection [#3790](https://togithub.com/moby/buildkit/issues/3790)
- HTTP sources now have better caching for servers that handle `Accept-Encoding` differently for different HTTP methods [#3745](https://togithub.com/moby/buildkit/issues/3745) [#3788](https://togithub.com/moby/buildkit/issues/3788)
- New `buildctl` commands `debug histories` and `prune-histories` [#3498](https://togithub.com/moby/buildkit/issues/3498)
- Loading SBOM generator image can now be configured with resolve mode parameter [#3446](https://togithub.com/moby/buildkit/issues/3446)
- Gateway frontend source image can now be set with defining named context [#3633](https://togithub.com/moby/buildkit/issues/3633)
- Performance improvements to scanning local files for context upload [#3977](https://togithub.com/moby/buildkit/issues/3977)
- Interactive container API now supports setting container Hostname [#3680](https://togithub.com/moby/buildkit/issues/3680)
- History API now uses a separate Containerd namespace for its objects, fixing some issues when the same blobs are used by image store [#3833](https://togithub.com/moby/buildkit/issues/3833)
- Make files created by Git source more deterministic [#3598](https://togithub.com/moby/buildkit/issues/3598)
- Git source now handles URLs that define subdir and empty reference [#3596](https://togithub.com/moby/buildkit/issues/3596)
- Remote cache export now supports `registry.insecure` option like the Image exporter [#3501](https://togithub.com/moby/buildkit/issues/3501)
- Azure Blob storage cache export supports setting the account name as parameter [#3476](https://togithub.com/moby/buildkit/issues/3476)
- New client APIs for configuring TLS authentication to use system certificates [#3760](https://togithub.com/moby/buildkit/issues/3760)
- Fixes for copying Unicode filenames with local context [#3946](https://togithub.com/moby/buildkit/issues/3946) [#4009](https://togithub.com/moby/buildkit/issues/4009)
- Fix the issue where some builds could fail with "missing provenance" error [#3945](https://togithub.com/moby/buildkit/issues/3945)
- Fix lazy loaded layers reuse for cache when running parallel builds [#3109](https://togithub.com/moby/buildkit/issues/3109)
- Fix issue with missing GC label for layers when exporting image to containerd image store [#3161](https://togithub.com/moby/buildkit/issues/3161)
- Fix possible progressbar panic on resizing terminal window [#3967](https://togithub.com/moby/buildkit/issues/3967)
- Fix possible "inconsistent graph state" error when running parallel cached, and no-cache builds [#3953](https://togithub.com/moby/buildkit/issues/3953)
- Fix possible zero build step index numbers on progressbar [#3942](https://togithub.com/moby/buildkit/issues/3942) [#3838](https://togithub.com/moby/buildkit/issues/3838)
- Fix possible "container does not exist" error [#3940](https://togithub.com/moby/buildkit/issues/3940)
- Fix possible "concurrent map read and write" error [#3938](https://togithub.com/moby/buildkit/issues/3938)
- Fix possible issue where the status stream could be missing for History record [#3937](https://togithub.com/moby/buildkit/issues/3937)
- Fix possible data races [#4004](https://togithub.com/moby/buildkit/issues/4004) [#3994](https://togithub.com/moby/buildkit/issues/3994) [#4010](https://togithub.com/moby/buildkit/issues/4010)
- Fix OCI layout URIs in provenance attestation [#3918](https://togithub.com/moby/buildkit/issues/3918)
- Fix regression bug in v0.11.x OpenTelemetry trace delegation from the client [#3909](https://togithub.com/moby/buildkit/issues/3909)
- Fix possible deadlock on network error [#3857](https://togithub.com/moby/buildkit/issues/3857)
- Fix filtering out deleted History API records [#3827](https://togithub.com/moby/buildkit/issues/3827) [#3733](https://togithub.com/moby/buildkit/issues/3733)
- Fix possible build cache reference leak [#3851](https://togithub.com/moby/buildkit/issues/3851) [#3815](https://togithub.com/moby/buildkit/issues/3815)
- Fix possible FD leak in SSH forwarding [#3848](https://togithub.com/moby/buildkit/issues/3848)
- Fix possible concurrent map access in Client library [#3813](https://togithub.com/moby/buildkit/issues/3813)
- Fixes for Runc container SIGKILL/exit-code handling [#3754](https://togithub.com/moby/buildkit/issues/3754) [#3765](https://togithub.com/moby/buildkit/issues/3765) [#3658](https://togithub.com/moby/buildkit/issues/3658) [#3722](https://togithub.com/moby/buildkit/issues/3722)
- Fix creating `oci-layout` file when exporting uncompressed OCI layout [#3729](https://togithub.com/moby/buildkit/issues/3729)
##### Dependency Changes
- **github.com/AdaLogics/go-fuzz-headers** [`43070de`](https://togithub.com/moby/buildkit/commit/43070de90fa1) ***new***
- **github.com/AdamKorcz/go-118-fuzz-build** [`5330a85`](https://togithub.com/moby/buildkit/commit/5330a85ea652) ***new***
- **github.com/Masterminds/semver/v3** v3.1.0 ***new***
- **github.com/Microsoft/go-winio** v0.5.2 -> v0.6.1
- **github.com/Microsoft/hcsshim** v0.9.6 -> v0.10.0-rc.8
- **github.com/anchore/go-struct-converter** [`c68fdcf`](https://togithub.com/moby/buildkit/commit/c68fdcfa2092) ***new***
- **github.com/aws/aws-sdk-go-v2** v1.16.3 -> v1.17.6
- **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.14.5 ***new***
- **github.com/aws/smithy-go** v1.11.2 -> v1.13.5
- **github.com/containerd/cgroups** v1.0.4 -> v1.1.0
- **github.com/containerd/containerd** v1.6.14 -> v1.7.2
- **github.com/containerd/continuity** v0.3.0 -> v0.4.1
- **github.com/containerd/fifo** v1.0.0 -> v1.1.0
- **github.com/containerd/go-cni** v1.1.6 -> v1.1.9
- **github.com/containerd/go-runc** v1.0.0 -> v1.1.0
- **github.com/containerd/nydus-snapshotter** v0.3.1 -> v0.8.2
- **github.com/containerd/stargz-snapshotter** v0.13.0 -> v0.14.3
- **github.com/containerd/ttrpc** v1.1.0 -> v1.2.2
- **github.com/containerd/typeurl/v2** v2.1.1 ***new***
- **github.com/containernetworking/cni** v1.1.1 -> v1.1.2
- **github.com/cyphar/filepath-securejoin** v0.2.3 ***new***
- **github.com/docker/cli** v23.0.0-rc.1 -> v24.0.2
- **github.com/docker/distribution** v2.8.1 -> v2.8.2
- **github.com/docker/docker** v23.0.0-rc.1 -> [`98d3da7`](https://togithub.com/moby/buildkit/commit/98d3da79ef9c)
- **github.com/felixge/httpsnoop** v1.0.2 -> v1.0.3
- **github.com/golang/protobuf** v1.5.2 -> v1.5.3
- **github.com/grpc-ecosystem/grpc-gateway/v2** v2.11.3 ***new***
- **github.com/hanwen/go-fuse/v2** [`f57e95b`](https://togithub.com/moby/buildkit/commit/f57e95bda82d) -> v2.2.0
- **github.com/hashicorp/go-cleanhttp** v0.5.1 -> v0.5.2
- **github.com/hashicorp/go-retryablehttp** v0.7.1 -> v0.7.2
- **github.com/klauspost/compress** v1.15.12 -> v1.16.3
- **github.com/opencontainers/image-spec** [`02efb9a`](https://togithub.com/moby/buildkit/commit/02efb9a75ee1) -> v1.1.0-rc3
- **github.com/opencontainers/runc** v1.1.3 -> v1.1.7
- **github.com/opencontainers/runtime-spec** [`1c3f411`](https://togithub.com/moby/buildkit/commit/1c3f411f0417) -> v1.1.0-rc.2
- **github.com/opencontainers/selinux** v1.10.2 -> v1.11.0
- **github.com/pelletier/go-toml** v1.9.4 -> v1.9.5
- **github.com/prometheus/common** v0.37.0 -> v0.42.0
- **github.com/prometheus/procfs** v0.8.0 -> v0.9.0
- **github.com/spdx/tools-golang** [`d6f5855`](https://togithub.com/moby/buildkit/commit/d6f58551be3f) -> v0.5.1
- **github.com/stretchr/testify** v1.8.0 -> v1.8.3
- **github.com/tonistiigi/fsutil** [`fb43384`](https://togithub.com/moby/buildkit/commit/fb433841cbfa) -> [`36ef4d8`](https://togithub.com/moby/buildkit/commit/36ef4d8c0dbb)
- **github.com/tonistiigi/vt100** [`8066bb9`](https://togithub.com/moby/buildkit/commit/8066bb97264f) -> [`f9a4f7e`](https://togithub.com/moby/buildkit/commit/f9a4f7ef6531)
- **github.com/urfave/cli** v1.22.4 -> v1.22.12
- **go.etcd.io/bbolt** v1.3.6 -> v1.3.7
- **go.opencensus.io** v0.23.0 -> v0.24.0
- **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.29.0 -> v0.40.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace** v0.29.0 -> v0.40.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.29.0 -> v0.40.0
- **go.opentelemetry.io/otel** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/exporters/jaeger** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/exporters/otlp/internal/retry** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/metric** v0.27.0 -> v0.37.0
- **go.opentelemetry.io/otel/sdk** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/otel/trace** v1.4.1 -> v1.14.0
- **go.opentelemetry.io/proto/otlp** v0.12.0 -> v0.19.0
- **golang.org/x/mod** v0.9.0 ***new***
- **golang.org/x/tools** v0.7.0 ***new***
- **google.golang.org/genproto** [`7780775`](https://togithub.com/moby/buildkit/commit/7780775163c4) -> [`7f2fa6f`](https://togithub.com/moby/buildkit/commit/7f2fa6fef1f4)
- **google.golang.org/grpc** v1.50.1 -> v1.53.0
- **kernel.org/pub/linux/libs/security/libcap/cap** v1.2.67 ***new***
- **kernel.org/pub/linux/libs/security/libcap/psx** v1.2.67 ***new***
Previous release can be found at [v0.11.6](https://togithub.com/moby/buildkit/releases/tag/v0.11.6)
### [`v0.11.6`](https://togithub.com/moby/buildkit/releases/tag/v0.11.6)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.5...v0.11.6)
https://hub.docker.com/r/moby/buildkit
##### Notable changes:
- Revert previous signal handling fix to make sure no process leaks happen. The signaling issue will be fixed in the next feature release. [https://github.com/moby/buildkit/pull/3757](https://togithub.com/moby/buildkit/pull/3757)
- Update runc to v1.1.5 for security [https://github.com/moby/buildkit/pull/3763](https://togithub.com/moby/buildkit/pull/3763)
- Update containerd to v1.6.20. Brings in a fix for not writing local user/group names in the differ. [#3736](https://togithub.com/moby/buildkit/issues/3736)
- Fix possible "duplicate output 0" error on parallel builds [#3774](https://togithub.com/moby/buildkit/issues/3774)
- Fix token management for servers that don't return proper `IssuedAt` value [#3779](https://togithub.com/moby/buildkit/issues/3779)
- Fix SBOM and provenance processing for certain nil-result cases [#3805](https://togithub.com/moby/buildkit/issues/3805)
### [`v0.11.5`](https://togithub.com/moby/buildkit/releases/tag/v0.11.5)
[Compare Source](https://togithub.com/moby/buildkit/compare/v0.11.4...v0.11.5)
https://hub.docker.com/r/moby/buildkit
##### Notable changes:
- Fix process termination handling to Runc when running interactive processes [#3722](https://togithub.com/moby/buildkit/issues/3722)
- Fix gateway exec tty cleanup on context.Canceled [#3658](https://togithub.com/moby/buildkit/issues/3658)
- Register builds before recording build history to avoid possible timeout error [#3726](https://togithub.com/moby/buildkit/issues/3726)
- Fix performance regression in creating LLB graphs [#3732](https://togithub.com/moby/buildkit/issues/3732)
- Fix sorting of build history records for GC [#3733](https://togithub.com/moby/buildkit/issues/3733)
- Fix an issue where linking builds with providing LLB inputs dropped the original source information for such inputs [#3678](https://togithub.com/moby/buildkit/issues/3678)
- Fix running BuildKit on BottleRocket OS [#3697](https://togithub.com/moby/buildkit/issues/3697)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.