
Housekeeping for docker #5178

Merged (1 commit), Jun 6, 2024

Conversation

nicholasdille (Contributor)

No description provided.

github-actions bot commented Jun 6, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/docker:26.1.4

📦 Image Reference: ghcr.io/uniget-org/tools/docker:26.1.4
Digest: sha256:a07b0d88203aabc8b512dc00156b9a6c7694e655b6d1e11c8a884f4896f88bd0
Vulnerabilities: critical: 0, high: 2, medium: 1, low: 0
Platform: linux/amd64
Size: 96 MB
Packages: 226

github.com/opencontainers/runc 1.1.12 (golang): critical: 0, high: 2, medium: 0, low: 0
pkg:golang/github.com/opencontainers/runc@1.1.12

high 7.2: GHSA-c5pj-mqfh-rvc3 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <1.2.0-rc.1
Fixed version: 1.2.0-rc.1
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Withdrawn Advisory

This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.

Original Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

high 7.2: CVE-2024-3154 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <1.2.0-rc.1
Fixed version: 1.2.0-rc.1
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

On CRI-O, an arbitrary systemd property can be injected via a Pod annotation:

---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:

golang.org/x/net 0.17.0 (golang): critical: 0, high: 0, medium: 1, low: 0
pkg:golang/golang.org/x/net@0.17.0

medium 5.3: CVE-2023-45288 (Uncontrolled Resource Consumption)
https://scout.docker.com/v/CVE-2023-45288?s=github&n=net&ns=golang.org%2Fx&t=golang&vr=%3C0.23.0

Affected range: <0.23.0
Fixed version: 0.23.0
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

github-actions bot commented Jun 6, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/docker-preview:26.1.4

📦 Image Reference: ghcr.io/uniget-org/tools/docker-preview:26.1.4
Digest: sha256:0a1b302da235d6e47e2deaec3d5fc8f7df9210294fe2981778aa5571a1e07e2e
Vulnerabilities: critical: 0, high: 2, medium: 1, low: 0
Platform: linux/amd64
Size: 96 MB
Packages: 226

github.com/opencontainers/runc 1.1.12 (golang): critical: 0, high: 2, medium: 0, low: 0
pkg:golang/github.com/opencontainers/runc@1.1.12

high 7.2: GHSA-c5pj-mqfh-rvc3 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <1.2.0-rc.1
Fixed version: 1.2.0-rc.1
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Withdrawn Advisory

This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information.

Original Description

A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists.

high 7.2: CVE-2024-3154 (OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities)

Affected range: <1.2.0-rc.1
Fixed version: 1.2.0-rc.1
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

On CRI-O, an arbitrary systemd property can be injected via a Pod annotation:

---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:

golang.org/x/net 0.17.0 (golang): critical: 0, high: 0, medium: 1, low: 0
pkg:golang/golang.org/x/net@0.17.0

medium 5.3: CVE-2023-45288 (Uncontrolled Resource Consumption)
https://scout.docker.com/v/CVE-2023-45288?s=github&n=net&ns=golang.org%2Fx&t=golang&vr=%3C0.23.0

Affected range: <0.23.0
Fixed version: 0.23.0
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

github-actions bot commented Jun 6, 2024

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9400591740.

github-actions bot commented Jun 6, 2024

PR is blocked and can not be merged. See https://github.com/uniget-org/tools/actions/runs/9400591740.

@nicholasdille merged commit 57b9959 into main Jun 6, 2024
12 checks passed
@nicholasdille deleted the docker-cleanup branch June 6, 2024 12:10