mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-03-29 20:39:54 +02:00
6ffb3b1bd6
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/moby/moby](https://togithub.com/moby/moby) | `v24.0.8+incompatible` -> `v24.0.9+incompatible` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-24557](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc) The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. For example, an attacker could create an image that is considered as a valid cache candidate for: ``` FROM scratch MAINTAINER Pawel ``` when in fact the malicious image used as a cache would be an image built from a different Dockerfile. In the second case, the attacker could for example substitute a different `HEALTCHECK` command. ### Impact 23.0+ users are only affected if they explicitly opted out of Buildkit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default). All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting. Image build API endpoint (`/build`) and `ImageBuild` function from `github.com/docker/docker/client` is also affected as it the uses classic builder by default. ### Patches Patches are included in Moby releases: - v25.0.2 - v24.0.9 ### Workarounds - Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`, it's default on 23.0+ assuming that the buildx plugin is installed). - Use `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions` for `ImageBuild` call. --- ### Release Notes <details> <summary>moby/moby (github.com/moby/moby)</summary> ### [`v24.0.9+incompatible`](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9) [Compare Source](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - "before 4am" (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/woodpecker-ci/woodpecker). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Woodpecker
Woodpecker is a simple yet powerful CI/CD engine with great extensibility.
🫶 Support
Please consider donating and become a backer. 🙏 [Become a backer]
📖 Documentation
✨ Contribute
📣 Translate
We use an own Weblate instance at translate.woodpecker-ci.org.
👋 Who uses Woodpecker?
Woodpecker is used by itself multiple well-known companies, organizations like Codeberg, hobbyist and many others.
Leave a comment if you're using it as well.
Also consider using the topic WoodpeckerCI in your repository, so others can learn from your config and use the hashtag #WoodpeckerCI when talking about the project on social media!
Here are some places where people mention Woodpecker:
✨ Stars over time
License
Woodpecker is Apache 2.0 licensed with the source files in this repository having a header indicating which license they are under and what copyrights apply.
Files under the docs/ folder are licensed under Creative Commons Attribution-ShareAlike 4.0 International Public License.