chore: Bump `github.com/docker/docker` to `v20.10.27` #52

pjbgf · 2024-02-08T13:58:56Z

Removes the following upstream CVEs:

┌──────────────────────────┬─────────────────────┬──────────┬──────────┬────────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library          │    Vulnerability    │ Severity │  Status  │         Installed Version          │      Fixed Version       │                            Title                             │
├──────────────────────────┼─────────────────────┼──────────┼──────────┼────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2023-28840      │ HIGH     │ fixed    │ v20.10.9+incompatible              │ 20.10.24, 23.0.3         │ moby: Encrypted overlay network may be unauthenticated       │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-28840                   │
│                          ├─────────────────────┼──────────┤          │                                    │                          ├──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-28841      │ MEDIUM   │          │                                    │                          │ moby: Encrypted overlay network traffic may be unencrypted   │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-28841                   │
│                          ├─────────────────────┤          │          │                                    │                          ├──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-28842      │          │          │                                    │                          │ moby: Encrypted overlay network with a single endpoint is    │
│                          │                     │          │          │                                    │                          │ unauthenticated                                              │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-28842                   │
│                          ├─────────────────────┤          │          │                                    ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ GHSA-jq35-85cj-fj4p │          │          │                                    │ 24.0.7, 23.0.8, 20.10.27 │ /sys/devices/virtual/powercap accessible by default to       │
│                          │                     │          │          │                                    │                          │ containers                                                   │
│                          │                     │          │          │                                    │                          │ https://github.com/advisories/GHSA-jq35-85cj-fj4p            │
├──────────────────────────┼─────────────────────┤          │          ├────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto      │ CVE-2023-48795      │          │          │ v0.0.0-20220411220226-7b82a4e95df4 │ 0.17.0                   │ ssh: Prefix truncation attack on Binary Packet Protocol      │
│                          │                     │          │          │                                    │                          │ (BPP)                                                        │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-48795                   │
├──────────────────────────┼─────────────────────┼──────────┤          ├────────────────────────────────────┤                          ├──────────────────────────────────────────────────────────────┤
│ golang.org/x/net         │ CVE-2023-39325      │ HIGH     │          │ v0.7.0                             │                          │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                          │                     │          │          │                                    │                          │ excessive work (CVE-2023-44487)                              │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                          ├─────────────────────┼──────────┤          │                                    ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-3978       │ MEDIUM   │          │                                    │ 0.13.0                   │ golang.org/x/net/html: Cross site scripting                  │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                          ├─────────────────────┤          │          │                                    ├──────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2023-44487      │          │          │                                    │ 0.17.0                   │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                          │                     │          │          │                                    │                          │ to a DDoS attack...                                          │
│                          │                     │          │          │                                    │                          │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└──────────────────────────┴─────────────────────┴──────────┴──────────┴────────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────────────────┘

Signed-off-by: Paulo Gomes <[email protected]>

FrankYang0529

LGTM. Thank you.

chore: Bump github.com/docker/docker to v20.10.27

5ef36f3

Signed-off-by: Paulo Gomes <[email protected]>

pjbgf requested a review from FrankYang0529 February 29, 2024 10:09

FrankYang0529 approved these changes Feb 29, 2024

View reviewed changes

FrankYang0529 requested a review from bk201 February 29, 2024 10:11

bk201 approved these changes Mar 1, 2024

View reviewed changes

bk201 merged commit e1d1d66 into harvester:master Mar 1, 2024
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Bump `github.com/docker/docker` to `v20.10.27` #52

chore: Bump `github.com/docker/docker` to `v20.10.27` #52

pjbgf commented Feb 8, 2024

FrankYang0529 left a comment

chore: Bump github.com/docker/docker to v20.10.27 #52

chore: Bump github.com/docker/docker to v20.10.27 #52

Conversation

pjbgf commented Feb 8, 2024

FrankYang0529 left a comment

Choose a reason for hiding this comment

chore: Bump `github.com/docker/docker` to `v20.10.27` #52

chore: Bump `github.com/docker/docker` to `v20.10.27` #52