conmon
conmon copied to clipboard
chore(deps): update module github.com/docker/docker to v24.0.9+incompatible [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
github.com/docker/docker | v24.0.7+incompatible -> v24.0.9+incompatible |
GitHub Vulnerability Alerts
CVE-2024-24557
The classic builder cache system is prone to cache poisoning if the image is built FROM scratch
.
Also, changes to some instructions (most important being HEALTHCHECK
and ONBUILD
) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered as a valid cache candidate for:
FROM scratch
MAINTAINER Pawel
when in fact the malicious image used as a cache would be an image built from a different Dockerfile.
In the second case, the attacker could for example substitute a different HEALTCHECK
command.
Impact
23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
environment variable) or are using the /build
API endpoint (which uses the classic builder by default).
All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.
Image build API endpoint (/build
) and ImageBuild
function from github.com/docker/docker/client
is also affected as it the uses classic builder by default.
Patches
Patches are included in Moby releases:
- v25.0.2
- v24.0.9
- v23.0.10
Workarounds
- Use
--no-cache
or use Buildkit if possible (DOCKER_BUILDKIT=1
, it's default on 23.0+ assuming that the buildx plugin is installed). - Use
Version = types.BuilderBuildKit
orNoCache = true
inImageBuildOptions
forImageBuild
call.
Release Notes
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.