diff --git a/0001-fix-cve-2024-29018.patch b/0001-fix-cve-2024-29018.patch deleted file mode 100644 index 709be1f8a1a326ba0eaad69605157294c5b631c8..0000000000000000000000000000000000000000 --- a/0001-fix-cve-2024-29018.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From a9b119d4858a40936583262cb8d878036a0171dd Mon Sep 17 00:00:00 2001 -From: root -Date: Sun, 14 Apr 2024 19:46:56 +0800 -Subject: [PATCH] fix cve-2024-29018 - ---- - integration/networking/bridge_test.go | 20 +++++++++++++++----- - libnetwork/endpoint.go | 8 +++++++- - libnetwork/resolver.go | 21 +++++++++++++++++---- - libnetwork/sandbox_dns_unix.go | 5 +---- - 4 files changed, 40 insertions(+), 14 deletions(-) - -diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go -index e3d1fe2..4be3e55 100644 ---- a/integration/networking/bridge_test.go -+++ b/integration/networking/bridge_test.go -@@ -36,7 +36,8 @@ func TestBridgeICC(t *testing.T) { - name string - bridgeOpts []func(*types.NetworkCreate) - ctr1MacAddress string -- linkLocal bool -+ isIPv6 bool -+ isLinkLocal bool - pingHost string - }{ - { -@@ -55,6 +56,7 @@ func TestBridgeICC(t *testing.T) { - network.WithIPv6(), - network.WithIPAM("fdf1:a844:380c:b200::/64", "fdf1:a844:380c:b200::1"), - }, -+ isIPv6: true, - }, - { - name: "IPv6 ULA on internal network", -@@ -74,7 +76,8 @@ func TestBridgeICC(t *testing.T) { - // 2. the one dynamically assigned by the IPAM driver. - network.WithIPAM("fe80::/64", "fe80::1"), - }, -- linkLocal: true, -+ isLinkLocal: true, -+ isIPv6: true, - }, - { - name: "IPv6 link-local address on internal network", -@@ -84,7 +87,8 @@ func TestBridgeICC(t *testing.T) { - // See the note above about link-local addresses. - network.WithIPAM("fe80::/64", "fe80::1"), - }, -- linkLocal: true, -+ isLinkLocal: true, -+ isIPv6: true, - }, - { - // As for 'LL non-internal', but ping the container by name instead of by address -@@ -122,6 +126,7 @@ func TestBridgeICC(t *testing.T) { - // specify one here to hardcode the SLAAC LL address below. 
- ctr1MacAddress: "02:42:ac:11:00:02", - pingHost: "fe80::42:acff:fe11:2%eth0", -+ isIPv6: true, - }, - { - name: "IPv6 internal network with SLAAC LL address", -@@ -133,6 +138,7 @@ func TestBridgeICC(t *testing.T) { - // specify one here to hardcode the SLAAC LL address below. - ctr1MacAddress: "02:42:ac:11:00:02", - pingHost: "fe80::42:acff:fe11:2%eth0", -+ isIPv6: true, - }, - } - -@@ -162,7 +168,7 @@ func TestBridgeICC(t *testing.T) { - - pingHost := tc.pingHost - if pingHost == "" { -- if tc.linkLocal { -+ if tc.isLinkLocal { - inspect := container.Inspect(ctx, t, c, id1) - pingHost = inspect.NetworkSettings.Networks[bridgeName].GlobalIPv6Address + "%eth0" - } else { -@@ -170,7 +176,11 @@ func TestBridgeICC(t *testing.T) { - } - } - -- pingCmd := []string{"ping", "-c1", "-W3", pingHost} -+ pingCmd := []string{"ping", "-c1", "-W3"} -+ if tc.isIPv6 { -+ pingCmd = append(pingCmd, "-6") -+ } -+ pingCmd = append(pingCmd, pingHost) - - ctr2Name := fmt.Sprintf("ctr-icc-%d-2", tcID) - attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second) -diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go -index d9c257d..93ddbc9 100644 ---- a/libnetwork/endpoint.go -+++ b/libnetwork/endpoint.go -@@ -538,8 +538,11 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) { - return sb.setupDefaultGW() - } - -- moveExtConn := sb.getGatewayEndpoint() != extEp -+ currentExtEp := sb.getGatewayEndpoint() -+ // Enable upstream forwarding if the sandbox gained external connectivity. 
-+ sb.resolver.SetForwardingPolicy(currentExtEp != nil) - -+ moveExtConn := currentExtEp != extEp - if moveExtConn { - if extEp != nil { - log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) -@@ -735,6 +738,9 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption) - - // New endpoint providing external connectivity for the sandbox - extEp = sb.getGatewayEndpoint() -+ // Disable upstream forwarding if the sandbox lost external connectivity. -+ sb.resolver.SetForwardingPolicy(extEp != nil) -+ - if moveExtConn && extEp != nil { - log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) - extN, err := extEp.getNetworkFromStore() -diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go -index 9df2154..6da595c 100644 ---- a/libnetwork/resolver.go -+++ b/libnetwork/resolver.go -@@ -9,6 +9,7 @@ import ( - "strconv" - "strings" - "sync" -+ "sync/atomic" - "time" - - "github.com/containerd/log" -@@ -75,7 +76,7 @@ type Resolver struct { - tcpListen *net.TCPListener - err error - listenAddress string -- proxyDNS bool -+ proxyDNS atomic.Bool - startCh chan struct{} - logger *log.Entry - -@@ -85,15 +86,17 @@ type Resolver struct { - - // NewResolver creates a new instance of the Resolver - func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver { -- return &Resolver{ -+ r := &Resolver{ - backend: backend, -- proxyDNS: proxyDNS, - listenAddress: address, - err: fmt.Errorf("setup not done yet"), - startCh: make(chan struct{}, 1), - fwdSem: semaphore.NewWeighted(maxConcurrent), - logInverval: rate.Sometimes{Interval: logInterval}, - } -+ r.proxyDNS.Store(proxyDNS) -+ -+ return r - } - - func (r *Resolver) log(ctx context.Context) *log.Entry { -@@ -103,6 +106,8 @@ func (r *Resolver) log(ctx context.Context) *log.Entry { - return r.logger - } - -+ -+ - // SetupFunc returns the setup function that should be run in the 
container's - // network namespace. - func (r *Resolver) SetupFunc(port int) func() { -@@ -194,6 +199,14 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) { - } - } - -+// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to -+// external servers. -+func (r *Resolver) SetForwardingPolicy(policy bool) { -+ if r != nil { -+ r.proxyDNS.Store(policy) -+ } -+} -+ - // NameServer returns the IP of the DNS resolver for the containers. - func (r *Resolver) NameServer() string { - return r.listenAddress -@@ -421,7 +434,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) { - return - } - -- if r.proxyDNS { -+ if r.proxyDNS.Load(){ - // If the user sets ndots > 0 explicitly and the query is - // in the root domain don't forward it out. We will return - // failure and let the client retry with the search domain -diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go -index e30f394..505c5f5 100644 ---- a/libnetwork/sandbox_dns_unix.go -+++ b/libnetwork/sandbox_dns_unix.go -@@ -30,10 +30,7 @@ const ( - func (sb *Sandbox) startResolver(restore bool) { - sb.resolverOnce.Do(func() { - var err error -- // The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to -- // an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when -- // no external connectivity is available (eg. by not setting a default gateway). -- sb.resolver = NewResolver(resolverIPSandbox, true, sb) -+ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb) - defer func() { - if err != nil { - sb.resolver = nil --- -2.27.0 - diff --git a/0002-fix-cve-2024-32473.patch b/0002-fix-cve-2024-32473.patch deleted file mode 100644 index 0499aba144a07fa44f7f240804acc7701e6e1f93..0000000000000000000000000000000000000000 --- a/0002-fix-cve-2024-32473.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From ed2e2bd1cb6491cc76e6681db122844400762a2e Mon Sep 17 00:00:00 2001 -From: lvxiangcong -Date: Mon, 22 Apr 2024 10:59:42 +0800 -Subject: [PATCH] fix cve-2024-32473 - ---- - integration/network/ipvlan/ipvlan_test.go | 25 +++++++++++++++ - integration/network/macvlan/macvlan_test.go | 29 +++++++++++++++++ - integration/networking/bridge_test.go | 35 +++++++++++++++++++++ - libnetwork/osl/interface_linux.go | 21 ++++++++----- - 4 files changed, 103 insertions(+), 7 deletions(-) - -diff --git a/integration/network/ipvlan/ipvlan_test.go b/integration/network/ipvlan/ipvlan_test.go -index 130b60d..adb42cd 100644 ---- a/integration/network/ipvlan/ipvlan_test.go -+++ b/integration/network/ipvlan/ipvlan_test.go -@@ -87,6 +87,9 @@ func TestDockerNetworkIpvlan(t *testing.T) { - }, { - name: "Addressing", - test: testIpvlanAddressing, -+ }, { -+ name: "NoIPv6", -+ test: testIpvlanNoIPv6, - }, - } { - -@@ -438,3 +441,25 @@ func ipvlanKernelSupport(t *testing.T) bool { - - return ipvlanSupported - } -+ -+// Check that an ipvlan interface with '--ipv6=false' doesn't get kernel-assigned -+// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1'). 
-+func testIpvlanNoIPv6(t *testing.T, ctx context.Context, client dclient.APIClient) { -+ const netName = "ipvlannet" -+ net.CreateNoError(ctx, t, client, netName, net.WithIPvlan("", "l3")) -+ assert.Check(t, n.IsNetworkAvailable(ctx, client, netName)) -+ -+ id := container.Run(ctx, t, client, container.WithNetworkMode(netName)) -+ -+ loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"}) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) -+ -+ eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"}) -+ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) -+ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), -+ "result.Combined(): %s", eth0Res.Combined()) -+ -+ sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) -+ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) -+} -diff --git a/integration/network/macvlan/macvlan_test.go b/integration/network/macvlan/macvlan_test.go -index c41373c..c907ffb 100644 ---- a/integration/network/macvlan/macvlan_test.go -+++ b/integration/network/macvlan/macvlan_test.go -@@ -71,6 +71,9 @@ func TestDockerNetworkMacvlan(t *testing.T) { - }, { - name: "Addressing", - test: testMacvlanAddressing, -+ }, { -+ name: "NoIPv6", -+ test: testMacvlanNoIPv6, - }, - } { - tc := tc -@@ -275,3 +278,29 @@ func testMacvlanAddressing(ctx context.Context, client client.APIClient) func(*t - assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0")) - } - } -+ -+// Check that a macvlan interface with '--ipv6=false' doesn't get kernel-assigned -+// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1'). 
-+func testMacvlanNoIPv6(t *testing.T, ctx context.Context, client client.APIClient) { -+ const netName = "macvlannet" -+ -+ net.CreateNoError(ctx, t, client, netName, -+ net.WithMacvlan(""), -+ net.WithOption("macvlan_mode", "bridge"), -+ ) -+ assert.Check(t, n.IsNetworkAvailable(ctx, client, netName)) -+ -+ id := container.Run(ctx, t, client, container.WithNetworkMode(netName)) -+ -+ loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"}) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) -+ -+ eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"}) -+ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) -+ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), -+ "result.Combined(): %s", eth0Res.Combined()) -+ -+ sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) -+ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) -+} -diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go -index e3d1fe2..7dfcd28 100644 ---- a/integration/networking/bridge_test.go -+++ b/integration/networking/bridge_test.go -@@ -3,6 +3,7 @@ package networking - import ( - "context" - "fmt" -+ "strings" - "testing" - "time" - -@@ -477,3 +478,37 @@ func TestDefaultBridgeAddresses(t *testing.T) { - }) - } - } -+ -+// Check that an interface to an '--ipv6=false' network has no IPv6 -+// address - either IPAM assigned, or kernel-assigned LL, but the loopback -+// interface does still have an IPv6 address ('::1'). 
-+func TestNonIPv6Network(t *testing.T) { -+ skip.If(t, testEnv.DaemonInfo.OSType == "windows") -+ -+ ctx := setupTest(t) -+ d := daemon.New(t) -+ d.StartWithBusybox(ctx, t) -+ defer d.Stop(t) -+ -+ c := d.NewClientT(t) -+ defer c.Close() -+ -+ const netName = "testnet" -+ network.CreateNoError(ctx, t, c, netName) -+ defer network.RemoveNoError(ctx, t, c, netName) -+ -+ id := container.Run(ctx, t, c, container.WithNetworkMode(netName)) -+ defer c.ContainerRemove(ctx, id, containertypes.RemoveOptions{Force: true}) -+ -+ loRes := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "lo"}) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) -+ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) -+ -+ eth0Res := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "eth0"}) -+ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) -+ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), -+ "result.Combined(): %s", eth0Res.Combined()) -+ -+ sysctlRes := container.ExecT(ctx, t, c, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) -+ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) -+} -diff --git a/libnetwork/osl/interface_linux.go b/libnetwork/osl/interface_linux.go -index 27e079d..e559ab9 100644 ---- a/libnetwork/osl/interface_linux.go -+++ b/libnetwork/osl/interface_linux.go -@@ -367,17 +367,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *Interface) error - } - - func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *Interface) error { -- if i.AddressIPv6() == nil { -+ addr := i.AddressIPv6() -+ // IPv6 must be enabled on the interface if and only if the network is -+ // IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't -+ // disabled, the interface will be put into IPv6 multicast groups making -+ // it unexpectedly susceptible to NDP cache poisoning, route injection, etc. 
-+ // (At present, there will always be a pre-configured IPv6 address if the -+ // network is IPv6-enabled.) -+ if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil { -+ return fmt.Errorf("failed to configure ipv6: %v", err) -+ } -+ if addr == nil { - return nil - } -- if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil { -+ if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil { - return err - } -- if err := setIPv6(i.ns.path, i.DstName(), true); err != nil { -- return fmt.Errorf("failed to enable ipv6: %v", err) -- } -- ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD} -- return nlh.AddrAdd(iface, ipAddr) -+ nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD} -+ return nlh.AddrAdd(iface, nlAddr) - } - - func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *Interface) error { --- -2.25.1 - diff --git a/backport-CVE-2024-41110.patch b/backport-CVE-2024-41110.patch deleted file mode 100644 index 1af6d1e9d77dd2f39ba00c1ba4c6ecf3e861ffc9..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-41110.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001 -From: Jameson Hyde -Date: Mon, 1 Dec 2018 09:57:10 +0800 -Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation -https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919 -https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76 - -If url includes scheme, urlPath will drop hostname, which would not m… -…atch the auth check - -Signed-off-by: Sebastiaan van Stijn -Signed-off-by: Eli Uriegas - ---- - pkg/authorization/authz.go | 38 +++++++++++-- - pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++- - 2 files changed, 115 insertions(+), 7 deletions(-) - -diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go -index 1eb4431..d568a2b 100644 ---- a/pkg/authorization/authz.go -+++ b/pkg/authorization/authz.go -@@ -8,6 +8,8 @@ import ( - "io" - "mime" - "net/http" -+ "net/url" -+ "regexp" - "strings" - - "github.com/containerd/log" -@@ -53,10 +55,23 @@ type Ctx struct { - authReq *Request - } - -+func isChunked(r *http.Request) bool { -+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked -+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") { -+ return true -+ } -+ for _, v := range r.TransferEncoding { -+ if strings.EqualFold(v, "chunked") { -+ return true -+ } -+ } -+ return false -+} -+ - // AuthZRequest authorized the request to the docker daemon using authZ plugins - func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { - var body []byte -- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { -+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { - var err error - body, r.Body, err = drainBody(r.Body) - if err != nil { -@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r 
*http.Request) error { - if sendBody(ctx.requestURI, rm.Header()) { - ctx.authReq.ResponseBody = rm.RawBody() - } -- - for _, plugin := range ctx.plugins { - log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name()) - -@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { - return nil, newBody, err - } - -+func isAuthEndpoint(urlPath string) (bool, error) { -+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) -+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath) -+ if err != nil { -+ return false, err -+ } -+ return matched, nil -+} -+ - // sendBody returns true when request/response body should be sent to AuthZPlugin --func sendBody(url string, header http.Header) bool { -+func sendBody(inURL string, header http.Header) bool { -+ u, err := url.Parse(inURL) -+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected -+ if err != nil { -+ return false -+ } -+ - // Skip body for auth endpoint -- if strings.HasSuffix(url, "/auth") { -+ isAuth, err := isAuthEndpoint(u.Path) -+ if isAuth || err != nil { - return false - } - -diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go -index c9b18d9..66b4d20 100644 ---- a/pkg/authorization/authz_unix_test.go -+++ b/pkg/authorization/authz_unix_test.go -@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) { - - func TestSendBody(t *testing.T) { - var ( -- url = "nothing.com" - testcases = []struct { -+ url string - contentType string - expected bool - }{ -@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) { - contentType: "", - expected: false, - }, -+ { -+ url: "nothing.com/auth", -+ contentType: "", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/auth?p1=test", -+ contentType: 
"application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "nothing.com/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/v1/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "www.nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "https://www.nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "http://nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "www.nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "http://www.nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "www.nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "https://www.nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, - } - ) - - for _, testcase := range testcases { - header := http.Header{} - header.Set("Content-Type", testcase.contentType) -+ if testcase.url == "" { -+ testcase.url = "nothing.com" -+ } - -- if b := sendBody(url, header); b != testcase.expected { -- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) -+ if b := sendBody(testcase.url, header); b != testcase.expected { -+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, 
Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) - } - } - } --- -2.33.0 - diff --git a/cli-25.0.3.tar.gz b/cli-27.2.1.tar.gz similarity index 46% rename from cli-25.0.3.tar.gz rename to cli-27.2.1.tar.gz index 9c91c25f6e6416225ffba2da9592bcf07fe277e9..4829991ce0f5d4f2d2845c6ebebd05ea9f5ac2e1 100644 Binary files a/cli-25.0.3.tar.gz and b/cli-27.2.1.tar.gz differ diff --git a/moby-25.0.3.tar.gz b/moby-27.2.1.tar.gz similarity index 63% rename from moby-25.0.3.tar.gz rename to moby-27.2.1.tar.gz index 2cb68b06f96515708dd778d6708a7bd9358c7720..72451f772223da89205589c22f82f73b53049917 100644 Binary files a/moby-25.0.3.tar.gz and b/moby-27.2.1.tar.gz differ diff --git a/moby.spec b/moby.spec index 268e0f5a78af869b8bdd67ecad6b807664290f30..bcbc77e2d169b78a88e129a7ee25c8b37e93b57c 100644 --- a/moby.spec +++ b/moby.spec @@ -6,8 +6,9 @@ %define _debugsource_template %{nil} Name: docker -Version: 25.0.3 -Release: 11 +Epoch: 2 +Version: 27.2.1 +Release: 1 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -20,16 +21,13 @@ Source2: tini-0.19.0.tar.gz Source3: docker.service Source4: docker.socket Source5: docker.sysconfig -Patch0000: 0001-fix-cve-2024-29018.patch -Patch0001: 0002-fix-cve-2024-32473.patch Patch0002: 0003-add-loongarch64-seccomp-support.patch Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch -Patch9000: backport-CVE-2024-41110.patch Patch9001: backport-tini.c-a-function-declaration-without-a-prototype-is.patch -Requires: %{name}-engine = %{version}-%{release} -Requires: %{name}-client = %{version}-%{release} +Requires: %{name}-engine = %{epoch}:%{version}-%{release} +Requires: %{name}-client = %{epoch}:%{version}-%{release} # conflicting packages Conflicts: docker-ce 
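Review bot: Dropping `Patch0000`, `Patch0001` and `Patch9000` in this hunk (and their `%patch` lines in the `%prep` hunk further down) removes the packaged fixes for CVE-2024-29018, CVE-2024-32473 and CVE-2024-41110, and the new `%changelog` entry does not say why. Presumably the 27.2.1 sources already contain them, but nothing in the diff shows it, so the rebase should be checked against the new tarball: that `libnetwork/resolver.go` has `SetForwardingPolicy`, that `setInterfaceIPv6` calls `setIPv6` before the nil-address return, and that `pkg/authorization/authz.go` has `isChunked`. Once confirmed, record it in the changelog so CVE tracking for this package stays traceable, e.g. `- drop 0001-fix-cve-2024-29018.patch, 0002-fix-cve-2024-32473.patch and backport-CVE-2024-41110.patch, fixed upstream`. The same changelog entry also has a typo, `verison`.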
@@ -74,7 +72,7 @@ BuildRequires: selinux-policy-devel BuildRequires: systemd-devel BuildRequires: tar BuildRequires: which -BuildRequires: golang >= 1.18.0 +BuildRequires: golang >= 1.21.0 %description engine Docker daemon binary and related utilities @@ -91,13 +89,10 @@ Docker client binary and related utilities %prep %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 -%patch0000 -p1 -%patch0001 -p1 -%patch0002 -p1 -%patch0003 -p1 -%patch9000 -p1 +%patch -P0002 -p1 +%patch -P0003 -p1 %setup -q -T -n %{_source_docker_init} -b 2 -%patch9001 -p1 +%patch -P9001 -p1 %build export GO111MODULE=off @@ -198,6 +193,10 @@ fi %systemd_postun_with_restart docker.service %changelog +* Sun Sep 22 2024 Funda Wang - 2:27.2.1-1 +- update to verison 27.2.1 +- bump epoch for update from docker + * Mon Sep 9 2024 tiberium - 25.0.3-11 - Type:bugfix - ID:NA