full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8
includes:
- go-yaml/yaml@f90ceb4 Fix check for non-map alias merging in v2
- fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d61 Fix issue in simple_keys improvements
- fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Without this patch, the containerd daemon fails to start using the
default configuration example:
containerd[37139]: containerd: time: missing unit in duration 100000000
Signed-off-by: Mihai Coman <mihai.cmn@gmail.com>
Errors like `"type with url %s: not found"` are typical for non-builtin
event types, and should not resultin exiting `ctr`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 60c769a6c5...69ecbb4d6d
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
to address CVE-2020-7919:
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/go/compare/go1.13.6...go1.13.7
go1.13.7 (released 2020/01/28) includes two security fixes. One mitigates
the CVE-2020-0601 certificate verification bypass on Windows. The other affects
only 32-bit architectures.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.7+label%3ACherryPickApproved
- X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.8
includes:
- go-yaml/yaml@f90ceb4f40 Fix check for non-map alias merging in v2
- fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d6156d Fix issue in simple_keys improvements
- fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
List generated by running:
`git diff c9d45e652619589b4bf9 vendor.conf`
in the containerd/cri repositoru
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
opencontainers/selinux/issues/61 has a request for a new release
Here's the full diff:
3a1f366feb...5215b1806f
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
CGO is explicitly enabled for the test steps, as `-race` is passed to
`go test`, which depends on CGO to function.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
When pull image with unpack option, the fetch action will defer blobs
download until unpack. If create image record in ImageService before
blobs download, the following requests to use image will fail because
there is still missing blobs download.
In order to fix concurrent issue, need to create image record after
blobs download.
Fix: #3937
Signed-off-by: Wei Fu <fuweid89@gmail.com>
