From the mailing list:
We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:
- net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
- net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove `../` path components appended to a
relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
URL `https://go.dev/../go`, despite the JoinPath documentation stating that
`../` path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
Release notes:
go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ran actionlint against all our actions and it found this variable that
is based on a non-existent property (there is no matrix definition in
this action yaml). The variable is also unused so simply removing it.
Signed-off-by: Phil Estes <estesp@amazon.com>
The [Openlab][1] has deprecated zuul jobs. We don't see any active the
zuul jobs in PR. Remove it and we need to seek new solution for ARM64
CI test.
[1]: <https://github.com/theopenlab>
Signed-off-by: Wei Fu <fuweid89@gmail.com>
This comment was added in 09a0c9471b when the
Windows integration tests were enabled. The PR (microsoft/hcsshim#931) was
merged, and part of hcsshim v0.9.0, and support for resource limits on Windows
was added in 2bc77b8a28, so it looks like this
comment is no longer current.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The event parameter wasn't actually used when processing oom events,
likely because it's only ever available for reads.
Additionally clarify flush is for eventfds, and point to where the
buffer size of 8 is coming from.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Our GitHub Actions CI timeout setting was different than the config
file; we are now getting somewhat regular timeouts on the Windows
linting jobs so this should solve that and give us room in case runs
start taking longer
Signed-off-by: Phil Estes <estesp@amazon.com>
This assertion is flaky on Windows.
Because of Go, Windows' time.Now resolution is lower than Linux.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
It has been disabled since some fuzzers were coming from
cncf/cncf-fuzzing repository and keeping them up-to-date was difficult.
However, the external repository is no longer used from oss-fuzz since
https://github.com/google/oss-fuzz/pull/8360.
As like other unit/integration tests, we should maintain the fuzzers in
this repository and fix any failures.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
ForceRemoveAll was only used in tests/fuzzing, but added hcsshim as dependency
for the sys package. Moving this to integration/client makes the "sys" package
slightly more lightweight, and may help simplifying dependency-management.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This code was copied from github.com/moby/moby/pkg/archive;
28842d3f09,
which got later simplified in
a5aed699cf
This patch aligns the containerd implementation with those changes, and uses
filepath.ToSlash() unconditionally on all platforms, as it's a no-op on platforms
that use a forward-slash; https://github.com/golang/go/blob/go1.19/src/path/filepath/path.go#L175-L183
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use the IoctlRetInt, IoctlSetInt and IoctlLoopSetStatus64 helper
functions defined in the golang.org/x/sys/unix package instead of
manually wrapping these using a locally defined ioctl function.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
These functions were originally copied from the docker / moby repository in
4a7a8efc2d. Migrating these functions to use the
github.com/moby/sys/sequential module allows them being shared between moby,
docker/cli, and containerd, and to allow using them without importing all of sys
which also depends on hcsshim and more.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This error was added in c5843b7615, but no longer
used since a5a9f91832, which implemented Windows
support.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For Kata Containers, starting a privileged container will fail
if passing all host devices to container due to the permission
issue, like the `privileged_without_host_devices` for CRI service,
add a `privileged-without-host-devices` to `ctr run` command will
disable passing all host devices to containers.
Signed-off-by: bin liu <liubin0329@gmail.com>
