Commit Graph

97 Commits

Author SHA1 Message Date
Sebastiaan van Stijn d54cd0445e
update go to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on an XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 12:40:24 +02:00
Emmanuel Nuiro f06ab29a84 Fix typo in docker_compose_pull
Signed-off-by: Emmanuel Nuiro <emmanuel@nuiro.me>
2022-07-04 22:29:06 +02:00
Emmanuel Nuiro 7f5c166ec9 Fix typo in compose pull documentation
There was an invalid character between the two backticks at the end of the last snippet, causing the styling to break on the online documentation.

Signed-off-by: Emmanuel Nuiro <emmanuel@nuiro.me>
2022-07-04 21:45:53 +02:00
Sebastiaan van Stijn d2639a8638
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:56:16 +02:00
Guillaume Lours 71600a52bf
update golang version to 1.18
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-05-20 22:13:55 +02:00
Guillaume Lours 6d9d75406c update usage of the index flag of the cp command
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-05-10 10:50:40 +02:00
Guillaume Lours a983cf551d cp command: copy to all containers of a service as default behaviour
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-05-10 10:50:40 +02:00
Daniel Lublin d89c143c39 Clarify what default work dir is when multiple compose files
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2022-05-03 13:14:34 +02:00
Eric Freese d871cb98e5 Fix search/replace typo in --no-TTY documentation
Commit abbba74b27 looks to have
accidentally replaced `pseudo-tty` with `pseudo-noTty` in several
places. In other places, it looks like it replaced `pseudo-tty` with
`pseudo-TTY`, so I used the uppercased version in these places as well.

For example, running version 2.3.3, I get this output:

```
% docker-compose run --help

...

Options:
  ...
  -T, --no-TTY                Disable pseudo-noTty allocation. By default docker compose run allocates a TTY
  ...
```

Signed-off-by: Eric Freese <ericdfreese@gmail.com>
2022-04-04 19:06:03 +02:00
Matthias Schoettle 6dbd6ffe11 fix typo in ssh option description
Signed-off-by: Matthias Schoettle <git@mattsch.com>
2022-03-31 10:14:13 -04:00
Guillaume Lours ff73827a6f Add support of ssh authentications defined in compose file or via cli flags
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-03-31 12:47:15 +02:00
Guillaume Lours be187bae64 use a temp directory to generate doc to be sure working tree is clean
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-03-18 10:42:05 +01:00
Guillaume Lours 099715fb6f update run no-TTY flag description as auto-detected by default
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-03-18 10:42:05 +01:00
Guillaume Lours bf26cbd498 containerized documentation generation
add docs validation (using same process as BuildX project)

Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-03-18 10:42:05 +01:00
Guillaume Lours 35ba6f68e5 generate reference api
Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
2022-03-18 10:42:05 +01:00
Nicolas De Loof c843d373de restore TTY auto-detection using dockerCli.Out.IsTerminal
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2022-03-16 16:34:26 +01:00
Sebastiaan van Stijn 2d32d7450c ps: un-deprecate --filter, and enhance docs
Compose currently only supports a single filter option on --filter,
for which reason the --status flag was added, which is more convenient
to use.

However, the `--filter` flag is common among various docker commands, and
it's possible that additional filters get added at some point (which may
be less "commonly" used, and not warrant a dedicated flag).

This PR removes the "deprecated" mention from the flag, to keep consistency
with other commands, but adds documentation to explain how they relate to
each other.

Also added a short example for the `--format` flag.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-10 20:39:19 +01:00
Sebastiaan van Stijn 42710b7c43 docs: also generate "usage" in MarkDown files
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 14:40:35 +01:00
Sebastiaan van Stijn b9b3a3d91f docs: update cli-docs-tool to v0.4.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 14:40:35 +01:00
Sebastiaan van Stijn 1d06741032 docs: fix trailing whitespace from markdown and regenerate
Trailing whitespace in Markdown can force line-breaks, which doesn't seem to
be the intent on these;

    find . -type f -print0 | xargs -0 perl -pi -e 's/ +$//'

The trailing whitespace also can cause the YAML to go wonky (although the
cli-docs-tool now takes that into account), and caused the "examples" section
to be missed in the `docker compose pull` page (something we should fix in
the tool).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 14:40:35 +01:00
Sebastiaan van Stijn 35b790dcdf docs: fix "source" path for YAML generator, and regenerate
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-09 14:40:35 +01:00
Zixuan James Li fcff39631a Add documentation for COMPOSE_IGNORE_ORPHANS
Signed-off-by: Zixuan James Li <359101898@qq.com>
2022-03-05 22:54:16 +01:00
Nicolas De Loof 981aea674d bump buildx to 0.7.1
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2022-02-21 14:28:22 +01:00
Dan Bámíkíyá 336b825fdd Fix the typo in the corresponding Yaml file also
Signed-off-by: Dan Bámíkíyá <dudeawesome732@gmail.com>
2022-02-11 15:10:08 +01:00
Dan Bámíkíyá 213d9166dc Fix typo in reference/compose_up
Signed-off-by: Dan Bámíkíyá <dudeawesome732@gmail.com>
2022-02-11 15:08:33 +01:00
Sebastiaan van Stijn 0b896c69ce [v2] docs: fix stray backtick, and add compose_version yaml
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-14 07:49:29 +02:00
Sebastiaan van Stijn 3678deed14 [v2] use "docker/cli-docs-tool" to generate docs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-13 21:54:26 +02:00
Sebastiaan van Stijn fdc362bf55 [v2] docs: markdown and link fixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-13 21:54:26 +02:00
Sebastiaan van Stijn 1c01e9d00f [v2] docs: regenerate yaml docs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-13 21:54:26 +02:00
Nicolas De Loof 1ae9b3cb5d
move compose-cli code into docker/compose/v2
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-08-31 19:09:19 +02:00
Nicolas De Loof fcb91096b8
remove all references to cli from compose.v2 cmd package
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-08-31 15:41:20 +02:00
Ömer An 1754282871 Fix typo
Signed-off-by: Omer An <csioan@nus.edu.sg>
2021-08-11 12:09:23 +08:00
Imran Ibrahimli c3db7909ad Fix typo
Signed-off-by: iibrahimli <imranibrahimli98@gmail.com>
2021-08-09 14:54:14 +04:00
Manu 90a879fa3f Fix references to docker-compose command
Signed-off-by: Manuel Grabowski <git@manuelgrabowski.de>
2021-06-28 16:45:44 +02:00
Nicolas De Loof e2ea24ceb7 move compose-plugin commands under /cmd
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-06-15 15:52:48 +02:00
Nicolas De Loof abbba74b27
update reference docs
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-06-08 09:39:49 +02:00
Guillaume Tardif d61e62563e Update compose docs
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2021-05-05 17:37:08 +02:00
Nicolas De loof ebbe86f18d
Merge pull request #1632 from rosven/documentation_fixes
fix documentation errors
2021-05-04 12:35:27 +02:00
Robin Svensson f92c1ebb3e fix documentation errors
Signed-off-by: Robin Svensson <euleriancycle@gmail.com>
2021-05-04 11:18:58 +02:00
Guillaume Tardif ad42fc6c4d
Merge pull request #1578 from rjruizes/patch-1
fix typo in ecs-architecture.md
2021-04-23 11:02:00 +02:00
Nicolas De Loof d8aa00a766 wrap compose cobra command to set exitcode according to metrics status
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-04-22 17:51:29 +02:00
Nicolas De Loof 0bdad7e551 pass compose.Service to cobra commands, dependency-injection style
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-04-22 17:50:56 +02:00
Roman Ruiz-Esparza 39b70e56ee fix typo in ecs-architecture.md
Signed-off-by: Roman Ruiz-Esparza <rjruizes@ncsu.edu>
2021-04-22 11:10:35 -04:00
Guillaume Tardif e0344ea7b4
Merge pull request #1415 from ulyssessouza/add-restart
Add restart command
2021-03-19 15:04:57 +01:00
Nicolas De Loof 3271801681
reference documentation
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-03-17 09:11:23 +01:00
Ulysses Souza 2fdc3bad48 Add restart command
Signed-off-by: Ulysses Souza <ulyssessouza@gmail.com>
2021-03-16 02:02:36 -03:00
Nicolas De Loof 59d4382f3c
generate reference documentation
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2021-03-09 13:44:13 +01:00
Sylvain Bellemare 43ecf005cb
Fix typos in docs/ecs-compose-features.md
2021-03-01 03:36:33 +00:00
Guillaume Tardif aca816d5d6 Remove example backend.
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2021-01-19 11:29:48 +01:00
Guillaume Tardif 0ea97920c1 Move Context & context/store => api/context & api/context/store
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2021-01-15 16:31:59 +01:00