
Upgrade docker from 24.0.7 to 24.0.8 #3124

Merged: 1 commit, Feb 1, 2024
Conversation

MPV
Contributor

@MPV MPV commented Feb 1, 2024

Release notes:

Which (among other things) includes a fix for the high CVE-2024-21626 (unsure of how exploitable it is in the runner though).

@MPV MPV requested a review from a team as a code owner February 1, 2024 15:26
@MPV
Contributor Author

MPV commented Feb 1, 2024

Steps to detect/verify the above-mentioned CVE in the image:

$ docker scout cves \
	ghcr.io/actions/actions-runner:2.312.0 \
	--ignore-base --only-fixed \
	--only-package pkg:golang/github.com/opencontainers/runc

    ✓ SBOM of image already cached, 1137 packages indexed
    ✗ Detected 2 vulnerable packages with a total of 1 vulnerability


## Overview

                    │              Analyzed Image
────────────────────┼───────────────────────────────────────────
  Target            │  ghcr.io/actions/actions-runner:2.312.0
    digest          │  35d233155f17
    platform        │ linux/arm64
    vulnerabilities │    0C     2H     0M     0L
    size            │ 316 MB
    packages        │ 3


## Packages and Vulnerabilities

   0C     1H     0M     0L  github.com/opencontainers/runc 1.1.9
pkg:golang/github.com/opencontainers/runc@1.1.9

    ✗ HIGH CVE-2024-21626 [Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')]
      https://scout.docker.com/v/CVE-2024-21626?s=github&n=runc&ns=github.com%2Fopencontainers&t=golang&vr=%3E%3D1.0.0-rc93%2C%3C%3D1.1.11
      Affected range : >=1.0.0-rc93
                     : <=1.1.11
      Fixed version  : 1.1.12
      CVSS Score     : 8.6
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H


   0C     1H     0M     0L  github.com/opencontainers/runc 1.1.7
pkg:golang/github.com/opencontainers/runc@1.1.7

    ✗ HIGH CVE-2024-21626 [Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')]
      https://scout.docker.com/v/CVE-2024-21626?s=github&n=runc&ns=github.com%2Fopencontainers&t=golang&vr=%3E%3D1.0.0-rc93%2C%3C%3D1.1.11
      Affected range : >=1.0.0-rc93
                     : <=1.1.11
      Fixed version  : 1.1.12
      CVSS Score     : 8.6
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H



2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      2
  CRITICAL  0

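The scout run above flags two embedded copies of runc, both inside the reported affected range. As an added example (not code from the PR or the runner project), the script below checks runc package URLs from a scout/SBOM report against that range (>=1.0.0-rc93, <=1.1.11, fixed in 1.1.12), handling the rc pre-release ordering that a plain string compare gets wrong; the sample report is constructed to mirror the output in the PR.

```python
"""Check runc purls from an image SBOM/scout report against the
CVE-2024-21626 affected range reported by docker scout."""
import re

# Range and fix as listed in the scout output on the PR page.
AFFECTED_MIN = "1.0.0-rc93"
AFFECTED_MAX = "1.1.11"
FIXED = "1.1.12"


def parse_version(v: str) -> tuple:
    """Turn '1.0.0-rc93' into a comparable tuple.

    A release without a pre-release tag sorts after any rc of the same
    number, so 1.0.0-rc93 < 1.0.0 holds as runc's tags intend.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised runc version: {v!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def is_affected(version: str) -> bool:
    """True when version falls inside the inclusive affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


PURL_RE = re.compile(r"pkg:golang/github\.com/opencontainers/runc@(\S+)")


def runc_versions_from_report(text: str) -> list:
    """Extract every runc version named by a purl in the report text."""
    return PURL_RE.findall(text)


def vulnerable_runc(text: str) -> list:
    """Distinct runc versions in the report that are still affected."""
    return sorted({v for v in runc_versions_from_report(text) if is_affected(v)})


# Constructed sample modelled on the scout output in the PR (two runc copies),
# plus one fixed version to show the negative case.
SAMPLE_REPORT = """\
pkg:golang/github.com/opencontainers/runc@1.1.9
pkg:golang/github.com/opencontainers/runc@1.1.7
pkg:golang/github.com/opencontainers/runc@1.1.12
"""

if __name__ == "__main__":
    for v in runc_versions_from_report(SAMPLE_REPORT):
        print(f"runc {v}: {'AFFECTED' if is_affected(v) else 'ok'} (fixed: {FIXED})")
```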
@MPV MPV mentioned this pull request Feb 1, 2024
@TingluoHuang TingluoHuang merged commit 3e5433e into actions:main Feb 1, 2024
10 checks passed
@MPV MPV deleted the patch-1 branch February 1, 2024 16:31
@brian-keebo

According to this Docker Security Advisory further updates are necessary. I think DOCKER_VERSION needs to be 24.0.9 and BUILDX_VERSION needs to be 0.12.5.

@MPV
Contributor Author

MPV commented Feb 2, 2024

According to this Docker Security Advisory further updates are necessary. I think DOCKER_VERSION needs to be 24.0.9 and BUILDX_VERSION needs to be 0.12.5.

@brian-keebo I made a follow-up PR here (for docker) then:

But regarding "buildx" 0.12.5, I don't see any such release published yet (when I look, I only see 0.12.1 here so far):

Maybe it's the case that they're waiting on these?
