Commit Graph

4618 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
53ecd322ff Merge pull request #52828 from thaJeztah/sync_api
api/swagger: sync changes to versioned copies
2026-06-12 16:01:47 +02:00
Sopho Merkviladze
0b2c3780be api: declare ImageAttestations platform and type as repeatable
Both query parameters are now collectionFormat: multi arrays in the
swagger so they can accept multiple values later without an API
version bump. The server still operates on a single platform and
rejects requests passing more than one; type is read directly as a
list of repeated values instead of a comma-separated string.

Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
2026-06-12 16:20:52 +04:00
Sopho Merkviladze
a0b6dbc2fc api: add GET /images/{name}/attestations endpoint
Add a new Engine API endpoint that returns the in-toto attestation
statements attached to an image for a given platform. The endpoint
locates the attestation manifest(s) referencing the requested platform's
image manifest, enumerates the statement layers, and returns each
layer's OCI descriptor (including media type, digest, size, and
annotations) together with its in-toto predicate type.

Query parameters:
  - platform: JSON-encoded OCI platform; defaults to the daemon's host
    platform if omitted.
  - type: comma-separated list of in-toto predicate type URIs; if
    omitted, all statements are returned.
  - statement: boolean, defaults to false. When true, the daemon reads
    each matching statement blob and includes the verbatim in-toto JSON
    in the response. When false (or omitted), statement blobs are not
    read and the Statement field is absent from each entry.

The manifest-chain walk (locating the platform image manifest and its
associated attestation manifest) is delegated to policy-helpers'
image.ResolveSignatureChain so that moby and BuildKit agree on how to
interpret the attestation storage format. The statement-layer iteration
and blob reading is inlined: when statement bodies are requested it
fails fast on the first unreadable blob and reads matching blobs
eagerly into memory; otherwise statement-layer blobs are never read
from the content store.

The endpoint is implemented for the containerd image store. The legacy
graphdriver store returns errdefs.NotImplemented (HTTP 501).

Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
2026-06-12 13:40:58 +04:00
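The two commits above describe what the endpoint accepts and returns, but not how a client should consume it safely. The block below is an added example in Go, not code from moby or from either commit: it builds the request URI (repeating `type` once per predicate URI, the form the later change 0b2c3780be makes the swagger accept) and then checks each returned statement body against its own descriptor, because a caller that trusts the `Statement` field without confirming it hashes to the descriptor digest has gained nothing over reading an unsigned JSON blob. The response field names (`Descriptor`, `PredicateType`, `Statement`), the `Platform` struct, the unescaped image reference in the path, the media type and the sample reply are all assumptions made for this example. The digest check relies on the daemon returning the blob byte for byte, as the commit message says it does; a re-encoded or re-indented body would fail the check even when genuine, in which case fetch the blob by digest and hash that instead.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
)

// Response shapes are assumptions modelled on the commit message (an OCI
// descriptor plus predicate type, with an optional verbatim Statement body).
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type AttestationEntry struct {
	Descriptor    Descriptor      `json:"Descriptor"`
	PredicateType string          `json:"PredicateType"`
	Statement     json.RawMessage `json:"Statement,omitempty"`
}

type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
}

// AttestationsRequestURI builds the request URI: platform is JSON-encoded, type
// is repeated once per predicate URI (collectionFormat: multi), and
// statement=true is only sent when bodies are wanted. The image reference goes
// into the path unescaped (assumed to match the other /images/{name}/ routes).
func AttestationsRequestURI(apiVersion, image string, p *Platform, types []string, withStatement bool) (string, error) {
	q := url.Values{}
	if p != nil {
		b, err := json.Marshal(p)
		if err != nil {
			return "", err
		}
		q.Set("platform", string(b))
	}
	for _, t := range types {
		q.Add("type", t)
	}
	if withStatement {
		q.Set("statement", "true")
	}
	uri := "/" + apiVersion + "/images/" + image + "/attestations"
	if enc := q.Encode(); enc != "" {
		uri += "?" + enc
	}
	return uri, nil
}

// VerifyEntry checks a returned statement body against the descriptor that
// describes it: size, sha256 digest and predicateType must all agree.
func VerifyEntry(e AttestationEntry) error {
	if e.Statement == nil {
		return fmt.Errorf("no statement body; request with statement=true")
	}
	if int64(len(e.Statement)) != e.Descriptor.Size {
		return fmt.Errorf("size mismatch: body is %d bytes, descriptor says %d", len(e.Statement), e.Descriptor.Size)
	}
	sum := sha256.Sum256(e.Statement)
	if got := "sha256:" + hex.EncodeToString(sum[:]); got != e.Descriptor.Digest {
		return fmt.Errorf("digest mismatch: body hashes to %s, descriptor says %s", got, e.Descriptor.Digest)
	}
	var stmt struct{ PredicateType string `json:"predicateType"` }
	if err := json.Unmarshal(e.Statement, &stmt); err != nil {
		return fmt.Errorf("statement is not valid JSON: %w", err)
	}
	if stmt.PredicateType != e.PredicateType {
		return fmt.Errorf("predicateType mismatch: body says %q, entry says %q", stmt.PredicateType, e.PredicateType)
	}
	return nil
}

// SampleResponse is constructed data standing in for a daemon reply with
// statement=true: one entry whose body matches its descriptor, and one whose
// body was altered after the descriptor was recorded (same length, different
// content, so only the digest check catches it).
func SampleResponse() ([]byte, error) {
	const predicate = "https://slsa.dev/provenance/v0.2"
	stmt, err := json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": predicate,
		"subject":       []map[string]any{{"name": "pkg:docker/alpine", "digest": map[string]string{"sha256": "0123456789abcdef"}}},
		"predicate":     map[string]any{"builder": map[string]string{"id": "https://example.invalid/builder"}},
	})
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(stmt)
	desc := Descriptor{MediaType: "application/vnd.in-toto+json", Digest: "sha256:" + hex.EncodeToString(sum[:]), Size: int64(len(stmt))}
	tampered := bytes.Replace(stmt, []byte("example.invalid/builder"), []byte("example.invalid/bu1lder"), 1)
	return json.Marshal([]AttestationEntry{
		{Descriptor: desc, PredicateType: predicate, Statement: stmt},
		{Descriptor: desc, PredicateType: predicate, Statement: tampered},
	})
}
```

When `statement` is omitted the daemon does not read the blobs, so `VerifyEntry` reports the absent body as an error rather than silently passing; a caller that only needs descriptors should not call it at all. Keying results by descriptor digest is deliberate: nothing inside an unverified body should be used to label a failure.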
Paweł Gronowski
2badd7ece3 api: Bump to 1.55
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-11 19:37:35 +02:00
Sebastiaan van Stijn
bff5b9cf84 api/swagger: sync swarm join endpoint to older docs versions
Syncs changes from 2ecaac9631
and d5f6bdb027 to older API
versions, in addition to formatting changes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-11 15:38:04 +02:00
Sebastiaan van Stijn
8368bcd28f api/swagger: move position of ImageInspect.Identity
commit 6d133c5ec6 moved this field in
the swagger; move it back to align with older API versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-11 15:37:38 +02:00
Ashutosh Anand
2ecaac9631 docs: clarify swarm join required fields
Document that /swarm/join requires ListenAddr, RemoteAddrs, and JoinToken in the Engine API spec.

ListenAddr is already required by join validation, while a non-empty listen address without a port uses the default swarm listening port. This keeps the API docs aligned with current behavior without changing swarm runtime behavior.

Fixes #49159

Signed-off-by: Ashutosh Anand <ashutoshanand2560@gmail.com>
2026-06-05 10:11:41 +05:30
Paweł Gronowski
c3967c40c0 update to go1.26.4
This release includes 3 security fixes following the security policy:

- mime: quadratic complexity in WordDecoder.DecodeHeader

    Decoding a maliciously-crafted MIME header containing many invalid
    encoded-words could consume excessive CPU.
    The MIME decoder now better handles this case.

    Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

    This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

- net/textproto: arbitrary input is included in errors without any escaping

    When returning errors, functions in the net/textproto package would
    include its input as part of the error, without any escaping. Note that
    said input is often controlled by external parties when using this
    package naturally. For example, a net/http client uses ReadMIMEHeader
    when parsing the headers it receives from a server.

    As a result, an attacker could inject arbitrary content into the error.
    Practically, this can result in an attacker injecting misleading
    content, terminal control bytes, etc. into a victim's output or logs.

    This is CVE-2026-42507 and Go issue https://go.dev/issue/79346

- crypto/x509: split candidate hostname only once

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
    over all DNS Subject Alternative Name (SAN) entries. This caused
    strings.Split(host, ".") to execute repeatedly on the same input hostname.

    With a large DNS SAN list, verification costs scaled quadratically based on the
    number of SAN entries multiplied by the hostname's label count. Because
    x509.Verify validates hostnames before building the certificate chain, this
    overhead occurred even for untrusted certificates.

    Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

    This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.4

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-03 17:13:02 +02:00
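The net/textproto item above is fixed in the standard library, but the same failure recurs in any code that formats peer-controlled bytes into an error and then logs it: a terminal escape or a CRLF followed by a forged line reaches the log or the operator's terminal unchanged. The following is an added example, not code from Go or from moby, of a sanitizer to apply to such error text before logging; `LogSafe` and its escape format are this example's own choices.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// LogSafe rewrites every non-printable rune in s (ESC, CR, LF, tab, C1
// controls, Unicode line separators) as a visible escape, doubles backslashes
// so a real backslash cannot be mistaken for an escape, and truncates the
// result to at most max runes so an attacker cannot flood the log.
func LogSafe(s string, max int) string {
	var b strings.Builder
	for i, r := range []rune(s) {
		if i >= max {
			b.WriteString("...")
			break
		}
		switch {
		case r == '\\':
			b.WriteString(`\\`)
		case unicode.IsPrint(r):
			b.WriteRune(r)
		case r > 0xff:
			fmt.Fprintf(&b, `\u%04x`, r)
		default:
			fmt.Fprintf(&b, `\x%02x`, r)
		}
	}
	return b.String()
}

func main() {
	// Constructed error text mimicking what a hostile peer could inject into
	// a parser error: a clear-screen sequence, then CRLF and a forged log line.
	err := fmt.Errorf("malformed MIME header line: %s", "x-foo\x1b[2J\r\nINFO login ok")
	fmt.Printf("unsafe: %v\n", err)
	fmt.Printf("safe:   %s\n", LogSafe(err.Error(), 200))
}
```

Structured loggers that JSON-encode the message already neutralise the CRLF and escape cases; the sanitizer matters for plain-text logs and for anything echoed to a terminal, and the length cap is worth keeping in either setting.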
Paweł Gronowski
0fdc152a31 update to go1.26.3
This release includes 11 security fixes:

- cmd/go: malicious module proxy can bypass checksum database

    A malicious module proxy could exploit a flaw in the go command's
    validation of module checksums to bypass checksum database validation.

    This vulnerability affects any user using an untrusted module proxy
    (GOMODPROXY) or checksum database (GOSUMDB).

    A malicious module proxy can serve altered versions of the Go toolchain.
    When selecting a different version of the Go toolchain than the
    currently installed toolchain (due to the GOTOOLCHAIN environment variable,
    or a go.work or go.mod with a toolchain line), the go command will download
    and execute a toolchain provided by the module proxy. A malicious module
    proxy can bypass checksum database validation for this downloaded
    toolchain.

    Since this vulnerability affects the security of toolchain downloads,
    setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade
    your base Go toolchain.

    The go tool always validates the hash of a toolchain before executing it,
    so fixed versions will refuse to execute any cached, altered versions of the
    toolchain.

    The go tool trusts go.sum files to contain accurate hashes of the current
    module's dependencies. A malicious proxy exploiting this vulnerability to
    serve an altered module will have caused an incorrect hash to be recorded
    in the go.sum. Users who have configured a non-trusted GOPROXY can determine
    if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify",
    which will revalidate all dependencies of the current module.

    The specific flaw in more detail:

    The go command consults the checksum database to validate downloaded modules,
    when a module is not listed in the go.sum file. It verifies that the module hash
    reported by the checksum database matches the hash of the downloaded module.
    If, however, the checksum database returns a successful response that contains
    no entry for the module, the go command incorrectly permitted validation to succeed.

    A module proxy may mirror or proxy the checksum database, in which case the go
    command will not connect to the checksum database directly. Checksums reported
    by the checksum database are cryptographically signed, so a malicious proxy
    cannot alter the reported checksum for a module. However, a proxy which returns
    an empty checksum response, or a checksum response for an unrelated module,
    could cause the go command to proceed as if a downloaded module has been validated.

    The go command now properly checks checksum database responses to ensure
    that the expected module signature is present, not just that if a signature is
    present it matches the expectation.

    Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

    This is CVE-2026-42501 and Go issue https://go.dev/issue/79070.

- net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters

    When used with a Rewrite function, or a Director function which parses query parameters,
    ReverseProxy sanitizes the forwarded request to remove query parameters which are not
    parsed by url.ParseQuery. ReverseProxy did not take ParseQuery's limit on the total number
    of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account.
    This could permit ReverseProxy to forward a request containing a query parameter
    that was not visible to the Rewrite function.

    For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" could forward the parameter
    "hidden=y" while hiding it from the proxy's Rewrite function.

    ReverseProxy now avoids forwarding parameters that exceed the ParseQuery limit.

    This is CVE-2026-39825 and Go issue https://go.dev/issue/78948.

- net: panic in Dial and LookupPort when handling NUL byte on Windows

    The Dial and LookupPort functions would panic on Windows when provided
    with an input containing a NUL (0). These functions now return an error
    rather than panicking.

    This is CVE-2026-39836 and Go issue https://go.dev/issue/79006.

- net/mail: quadratic string concatenation in consumePhrase

    Pathological inputs could cause DoS through consumePhrase
    when parsing an email address according to RFC 5322.

    This is CVE-2026-42499 and Go issue https://go.dev/issue/78987.

- net/mail: quadratic string concatenation in consumeComment

    Well-crafted inputs reaching ParseAddress, ParseAddressList,
    and ParseDate were able to trigger excessive CPU exhaustion
    and memory allocations.

    This is CVE-2026-39820 and Go issue https://go.dev/issue/78566.

- cmd/go: "go bug" follows symlinks in predictable temporary filenames

    The "go bug" command wrote to two files with predictable names in
    the system temporary directory (for example, "/tmp").

    An attacker with access to the temporary directory could create a
    symlink in one of these names, causing "go bug" to overwrite the
    target of the symlink.

    The "go bug" command now uses os.MkdirTemp to create a safe
    working directory.

    Thanks to Harshit Gupta (Mr HAX) for reporting this issue.

    This is CVE-2026-39819 and Go issue https://go.dev/issue/78584.

- cmd/go: "go tool pack" does not sanitize output paths

    The "go tool pack" subcommand is a minimal version of the Unix ar utility.
    It is used by the compiler as an internal tool with known-good inputs.

    The "pack" subcommand did not sanitize output filenames.
    When invoked to extract a malicious archive file, it could write
    files to arbitrary locations on the filesystem.

    The "pack" subcommand now refuses to extract files with names
    containing any directory components.

    Thanks to Harshit Gupta (Mr HAX) for reporting this issue.

    This is CVE-2026-39817 and Go issue https://go.dev/issue/78778.

- net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of
    writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a
    value of 0.

    This allows potential DoS against a client by a malicious server. HTTP/2
    transport now properly checks that the received SETTINGS_MAX_FRAME_SIZE is
    valid.

    Thanks to Marwan Atia (marwansamir688@gmail.com) for reporting this issue.

    This is CVE-2026-33814 and Go issue https://go.dev/issue/78476.

- html/template: escaper bypass leads to XSS

    If a trusted template author were to write a
    tag containing an empty type attribute or a type
    attribute with an ASCII whitespace, the execution of
    the template would incorrectly escape any data passed
    into the block.

    Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

    This is CVE-2026-39826 and Go issue https://go.dev/issue/78981.

- net: crash when handling long CNAME response

    When using LookupCNAME with the cgo DNS resolver,
    a very long CNAME response could trigger a double-free of C memory
    and a crash. The double-free has been fixed.

    Thanks to hamayanhamayan for reporting this issue.

    This is CVE-2026-33811 and Go issue https://go.dev/issue/78803.

- html/template: bypass of meta content URL escaping causes XSS

    CVE-2026-27142 fixed a vulnerability in which URLs were not
    correctly escaped inside of a tag's attribute.
    If the URL content were to insert ASCII whitespaces around the
    = rune inside of the attribute, the escaper would
    fail to similarly escape it, leading to XSS.

    Dynamic inputs to a tag's attribute are now
    whitespace sanitized prior to escaping.

    Thanks to Samy Ghannad for reporting this issue.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-05-07 19:13:15 +02:00
Sebastiaan van Stijn
179985cf89 Merge pull request #52358 from geekcoderr/52355-topology-swagger
api: align Topology swagger with Segments JSON shape
2026-04-19 02:28:58 +02:00
Sebastiaan van Stijn
dc48cea266 api/docs: cleanup changelog
Follow-up to ca69153e28 and
0d2d3f348d, which restored old API docs.

This patch aligns the formatting of older versions with the format we use now.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-16 13:46:49 +02:00
Nishant Maheshwari
5c80a6e826 api: align Topology in versioned OpenAPI specs with Segments JSON shape
Apply the same Topology schema fix as api/swagger.yaml to v1.42–v1.54
document snapshots so clients generating from pinned API versions see the
correct Segments map shape.

Signed-off-by: Nishant Maheshwari <mnishant222@gmail.com>
Made-with: Cursor
2026-04-16 01:26:25 +05:30
Nishant Maheshwari
c4f4eb3f5f api: align Topology swagger with Segments JSON shape
Signed-off-by: Nishant Maheshwari <mnishant222@gmail.com>
2026-04-14 02:04:36 +05:30
Sebastiaan van Stijn
3d5c9936a3 Merge pull request #52312 from thaJeztah/api_restore_history
api/docs: restore API docs and change-logs for API v1.0 - v1.23
2026-04-09 14:24:26 +02:00
Sebastiaan van Stijn
3541b0d0fd update to Go 1.26.2
go1.26.2 (released 2026-04-07) includes security fixes to the go command,
the compiler, and the archive/tar, crypto/tls, crypto/x509, html/template,
and os packages, as well as bug fixes to the go command, the go fix command,
the compiler, the linker, the runtime, and the net, net/http, and net/url
packages. See the Go 1.26.2 milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.26.1...go1.26.2

From the security announce:

We have just released Go versions 1.26.2 and 1.25.9, minor point releases.

These releases include 10 security fixes following the security policy:

- os: Root.Chmod can follow symlinks out of the root on Linux

  On Linux, if the target of Root.Chmod is replaced with a symlink while
  the chmod operation is in progress, Chmod could operate on the target
  of the symlink, even when the target lies outside the root.

  The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag,
  which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its
  target before acting and returns an error if the target is a symlink
  lying outside the root, so the impact is limited to cases where the
  target is replaced with a symlink between the check and operation.

  On Linux, Root.Chmod now uses the fchmodat2 syscall when available, and
  a workaround using /proc/self/fd otherwise.

  Thanks to Uuganbayar Lkhamsuren for reporting this issue.

  This is CVE-2026-32282 and Go issue https://go.dev/issue/78293.

- html/template: JS template literal context incorrectly tracked

  Context was not properly tracked across template branches for JS template
  literals, leading to possibly incorrect escaping of content when branches were
  used.

  Additionally, template actions within JS template literals did not properly
  track the brace depth, leading to incorrect escaping being applied.

  These issues could cause actions within JS template literals to be incorrectly
  or improperly escaped, leading to XSS vulnerabilities.

  This only affects templates that use template actions within JS template
  literals.

  This is CVE-2026-32289 and Go issue https://go.dev/issue/78331.

- crypto/x509: excluded DNS constraints not properly applied to wildcard domains

  When verifying a certificate chain containing excluded DNS constraints, these
  constraints are not correctly applied to wildcard DNS SANs which use a
  different case than the constraint.

  For example, if a certificate contains the DNS name "*.example.com" and the
  excluded DNS name "EXAMPLE.COM", the constraint will not be applied.

  This only affects validation of otherwise trusted certificate chains, issued
  by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate
  pool.

  This issue only affects Go 1.26.

  Thank you to Riyas from Saintgits College of Engineering, k1rnt, @1seal for
  reporting this issue.

  This is CVE-2026-33810 and Go issue https://go.dev/issue/78332.

- cmd/compile: no-op interface conversion bypasses overlap checking

  Previously, the compiler failed to unwrap pointers contained within
  a no-op interface conversion leading to an incorrect determination
  of a non-overlapping move.

  To prevent unsafe move operations, the compiler will now unwrap all
  such conversions before considering a move non-overlapping.

  Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.

  This is CVE-2026-27144 and Go issue https://go.dev/issue/78371.

- cmd/compile: possible memory corruption after bound check elimination

  Previously, slices and arrays accessed using induction variables
  were sometimes incorrectly proved in-bound. If the induction variable
  used for indexing were to overflow or underflow, it could allow access
  to memory beyond the scope of the original slice or array.

  To prevent this behavior, the compiler ensures that any mutated induction
  variable that overflows/underflows with respect to its loop condition
  is not used for bound check elimination.

  Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.

  This is CVE-2026-27143 and Go issue https://go.dev/issue/78333.

- archive/tar: unbounded allocation when parsing old format GNU sparse map

  tar.Reader could allocate an unbounded amount of memory when reading
  a maliciously-crafted archive containing a large number of sparse
  regions encoded in the "old GNU sparse map" format.

  We now limit both the number of old GNU sparse map extension blocks,
  and the total number of sparse file entries, regardless of encoding.

  Thanks to Colin Walters (wal...@verbum.org) who initially reported this issue.
  Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub
  Ciolek who additionally reported this issue.

  This is CVE-2026-32288 and Go issue https://go.dev/issue/78301.

- crypto/tls: multiple key update handshake messages can cause connection to
  deadlock

  If one side of the TLS connection sends multiple key update messages
  post-handshake in a single record, the connection can deadlock, causing
  uncontrolled consumption of resources. This can lead to a denial of service.

  This only affects TLS 1.3.

  Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.

  This is CVE-2026-32283 and Go issue https://go.dev/issue/78334.

- cmd/go: trust layer bypass when using cgo and SWIG

  A well-crafted SWIG source file could take advantage
  of a file-naming convention used inside the trust
  boundary of the cgo compiler. Doing so could result
  in arbitrary code execution during build time.

  SWIG files are disallowed from using this convention.

  Thank you to Juho Forsén of Mattermost for reporting this issue.

  This is CVE-2026-27140 and Go issue https://go.dev/issue/78335.

- crypto/x509: unexpected work during chain building

  During chain building, the amount of work that is done is not correctly
  limited when a large number of intermediate certificates are passed in
  VerifyOptions.Intermediates, which can lead to a denial of service. This
  affects both direct users of crypto/x509 and users of crypto/tls.

  Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.

  This is CVE-2026-32280 and Go issue https://go.dev/issue/78282.

- crypto/x509: inefficient policy validation

  Validating certificate chains which use policies is unexpectedly inefficient
  when certificates in the chain contain a very large number of policy mappings,
  possibly causing denial of service.

  This only affects validation of otherwise trusted certificate chains, issued
  by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate
  pool.

  Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue.

  This is CVE-2026-32281 and Go issue https://go.dev/issue/78281.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-08 00:43:19 +02:00
Sebastiaan van Stijn
a2eaebb011 api/docs: lower deprecation heading to a h4
Prevent the heading to show up in the TOC on docs.docker.com

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-06 01:10:03 +02:00
Sebastiaan van Stijn
ca69153e28 api/docs: restore changelog for API v1.0 - v1.13
This reverts commit 1d5f479e01.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-05 15:53:20 +02:00
Sebastiaan van Stijn
1055b7a1a6 api/docs: restore API versions v1.0 - v1.13
This reverts commit d2382f7b96.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-05 15:53:19 +02:00
Sebastiaan van Stijn
0d2d3f348d api/docs: restore API versions v1.14 - v1.17
This reverts commit 68f9a45440.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-05 15:53:16 +02:00
Sebastiaan van Stijn
dc824e3d8d api/docs: restore API versions v1.18 - v1.23
This reverts commit d54be2ee6d.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-05 15:53:15 +02:00
Sebastiaan van Stijn
b8057a3a58 api/types/network: fix handling of unmapped ports (ephemeral ports)
commit 4c24542e95 changed `PortRange.All()`
to omit zero values for ports, but this caused a regression; the zero-value
is used in some places to assign an ephemeral port, e.g.: `--port 80` is an
implicit `--port 0:80`, or `--port <ephemeral port>:80`, where the daemon
picks a random port number from the ephemeral port range as host-port.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-02 11:49:01 +02:00
Sebastiaan van Stijn
e0999bd5ec update to go1.26.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-01 14:48:32 +02:00
Sebastiaan van Stijn
d0a29867e7 api/types/strslice: add //go:fix inline directives for deprecated type
This allows `go fix ./..` to automatically migrate legacy code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-17 18:23:09 +01:00
Sebastiaan van Stijn
df294b20dd api: go.mod: remove patch version
drop the patch version, which is generally recommended, and prevents
enforcing a specific toolchain patch version for users of the module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-14 17:21:10 +01:00
Sebastiaan van Stijn
a722b68f5c api/types/network: use blackbox testing for ports
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-14 00:52:01 +01:00
Sebastiaan van Stijn
91f3ec65e6 api/types/network: Port, PortRange: update godoc for "String()"
Call out that users should check if the port/port-range is valid
before consuming the value returned by String().

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-14 00:52:01 +01:00
Sebastiaan van Stijn
19ef53a52f api/types/network: add Port.Port()
This brings back the Port() method that was defined on the nat.Port type,
which was used in many places to (e.g.) do a network.JoinHostPort.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-14 00:52:00 +01:00
Sebastiaan van Stijn
4c24542e95 api/types/network: Port,PortRange: don't panic on zero values
- Prevent panic when calling .Proto() on zero values
- Don't iterate on zero-value port-ranges

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-14 00:51:53 +01:00
Sebastiaan van Stijn
c266b4fe9b update to go1.25.8
go1.25.8 (released 2026-03-05) includes security fixes to the html/template,
net/url, and os packages, as well as bug fixes to the go command, the compiler,
and the os package. See the Go 1.25.8 milestone on our issue tracker for details.

- 1.25.8 https://github.com/golang/go/issues?q=milestone%3AGo1.25.8+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.25.7...go1.25.8
- 1.26.1 https://github.com/golang/go/issues?q=milestone%3AGo1.26.1+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.26.0...go1.26.1

---

We have just released Go versions 1.26.1 and 1.25.8, minor point releases.

These releases include 5 security fixes following the security policy:

- crypto/x509: incorrect enforcement of email constraints

  When verifying a certificate chain which contains a certificate containing
  multiple email address constraints (composed of the full email address) which
  share common local portions (the portion of the address before the '@'
  character) but different domain portions (the portion of the address after the
  '@' character), these constraints will not be properly applied, and only the
  last constraint will be considered.

  This can allow certificates in the chain containing email addresses which are
  either not permitted or excluded by the relevant constraints to be returned by
  calls to Certificate.Verify. Since the name constraint checks happen after chain
  building is complete, this only applies to certificate chains which chain to
  trusted roots (root certificates either in VerifyOptions.Roots or in the system
  root certificate pool), requiring a trusted CA to issue certificates containing
  either not permitted or excluded email addresses.

  This issue only affects Go 1.26.

  Thanks to Jakub Ciolek for reporting this issue.

  This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.

- crypto/x509: panic in name constraint checking for malformed certificates

  Certificate verification can panic when a certificate in the chain has an empty
  DNS name and another certificate in the chain has excluded name constraints.
  This can crash programs that are either directly verifying X.509 certificate
  chains, or those that use TLS.

  Since the name constraint checks happen after chain building is complete, this
  only applies to certificate chains which chain to trusted roots (root
  certificates either in VerifyOptions.Roots or in the system root certificate
  pool), requiring a trusted CA to issue certificates containing malformed DNS
  names.

  This issue only affects Go 1.26.

  Thanks to Jakub Ciolek for reporting this issue.

  This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.

- html/template: URLs in meta content attribute actions are not escaped

  Actions which insert URLs into the content attribute of HTML meta tags are not
  escaped. This can allow XSS if the meta tag also has an http-equiv attribute
  with the value "refresh".

  A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be
  used to disable escaping URLs in actions in the meta content attribute which
  follow "url=" by setting htmlmetacontenturlescape=0.

  This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.

- net/url: reject IPv6 literal not at start of host

  The Go standard library function net/url.Parse insufficiently
  validated the host/authority component and accepted some invalid URLs
  by effectively treating garbage before an IP-literal as ignorable.
  The function should have rejected this as invalid.

  To prevent this behavior, net/url.Parse now rejects IPv6 literals
  that do not appear at the start of the host subcomponent of a URL.

  Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

  This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.

- os: FileInfo can escape from a Root

  On Unix platforms, when listing the contents of a directory using
  File.ReadDir or File.Readdir the returned FileInfo could reference
  a file outside of the Root in which the File was opened.

  The contents of the FileInfo were populated using the lstat system
  call, which takes the path to the file as a parameter. If a component
  of the full path of the file described by the FileInfo is replaced with
  a symbolic link, the target of the lstat can be directed to another
  location on the filesystem.

  The impact of this escape is limited to reading metadata provided by
  lstat from arbitrary locations on the filesystem. This could be used
  to probe for the presence or absence of files as well as gleaning
  metadata like file sizes, but does not permit reading or writing files
  outside the root.

  The FileInfo is now populated using fstatat.

  Thank you to Miloslav Trmač of Red Hat for reporting this issue.

  This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-03-11 00:08:24 +01:00
Paweł Gronowski
2fa6029be4 network/connect: Support MacAddress
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-03-05 14:11:08 +01:00
chemodax
e04bd2649e Rename disk usage properties in v1.54.yaml
Backport c07043e36f to api/docs/v1.54.yaml.
Signed-off-by: chemodax <53048645+chemodax@users.noreply.github.com>
2026-03-01 21:38:51 +01:00
chemodax
5272ef1422 Backport c07043e36f to api/docs/v1.53.yaml.
Signed-off-by: chemodax <53048645+chemodax@users.noreply.github.com>
2026-03-01 21:37:55 +01:00
chemodax
076100ddcc Backport c07043e36f to api/docs/v1.52.yaml.
Signed-off-by: chemodax <53048645+chemodax@users.noreply.github.com>
2026-03-01 21:36:56 +01:00
chemodax
c07043e36f Fix /system/df in swagger.yaml.
Fix return value definition for /system/df endpoint:
ImagesDiskUsage -> ImageUsage
ContainersDiskUsage -> ContainerUsage
VolumesDiskUsage -> VolumeUsage
BuildCacheDiskUsage -> BuildCacheUsage

These names match actual names returned from dockerd.

Signed-off-by: chemodax <53048645+chemodax@users.noreply.github.com>
2026-03-01 21:28:53 +01:00
Paweł Gronowski
74ad89c189 api: Cut v1.54
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-02-27 19:34:41 +01:00
Paweł Gronowski
11d1267e88 Merge pull request #52030 from crazy-max/image-list-identity
image: add opt-in identity field to image list API for containerd backend
2026-02-27 18:31:01 +00:00
Paweł Gronowski
7adeea2af9 Merge pull request #52047 from thaJeztah/swarm_portspec_sorting
api/types/swarm: PortConfig: add Compare method
2026-02-27 16:27:40 +00:00
CrazyMax
6d133c5ec6 image: add opt-in identity support to image list API
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-02-27 16:35:31 +01:00
Sebastiaan van Stijn
afdae6942a Merge pull request #52082 from thaJeztah/inspect_platform
api: swagger: document "platform" param for `GET /image/{name}/json`
2026-02-24 17:33:48 +01:00
Sebastiaan van Stijn
0e7c8176e8 api/types: add MediaType pseudo-type, and touch-up docs
Add a `MediaType` pseudo-type to help discoverability of mediatypes
we use, and slightly touch up the documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-24 14:23:34 +01:00
Sebastiaan van Stijn
320b010add api/docs: add "platform" param for GET /image/{name}/json (API v1.49-v1.53)
This parameter was added in 59169d0f97
(API v1.49, docker 28.5.1), but the swagger definition was not updated.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-23 10:31:46 +01:00
Sebastiaan van Stijn
927d7d1045 api: swagger: document "platform" param for GET /image/{name}/json
This parameter was added in 59169d0f97
(API v1.49, docker 28.5.1), but the swagger definition was not updated.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-23 10:27:54 +01:00
Sebastiaan van Stijn
bdede35717 api/types/jsonstream: add sanity-check for Message marshaling
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-18 23:44:29 +01:00
Sebastiaan van Stijn
d00882aff2 api/types/jsonstream: prevent panic on nil-Error
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-18 23:41:48 +01:00
Sebastiaan van Stijn
9a9106b71a api/types/swarm: PortConfig: add Compare method
Add a compare function that can be used for slices.SortFunc to have
a canonical definition of sorting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-15 19:02:07 +01:00
Sebastiaan van Stijn
8f66e0c150 update to go1.25.7
go1.25.7 (released 2026-02-04) includes security fixes to the go command
and the crypto/tls package, as well as bug fixes to the compiler and the
crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for
details:
https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7

From the security mailing list:

> Hello gophers,
>
> We have just released Go versions 1.25.7 and 1.24.13, minor point releases.
>
> These releases include 2 security fixes following the security policy:
>
> - cmd/cgo: remove user-content from doc strings in cgo ASTs
>
>   A discrepancy between how Go and C/C++ comments
>   were parsed allowed for code smuggling into the
>   resulting cgo binary.
>
>   To prevent this behavior, the cgo compiler
>   will no longer parse user-provided doc
>   comments.
>
>   Thank you to RyotaK (https://ryotak.net) of
>   GMO Flatt Security Inc. for reporting this issue.
>
>   This is CVE-2025-61732 and https://go.dev/issue/76697.
>
> - crypto/tls: unexpected session resumption when using Config.GetConfigForClient
>
>   Config.GetConfigForClient is documented to use the original Config's session
>   ticket keys unless explicitly overridden. This can cause unexpected behavior if
>   the returned Config modifies authentication parameters, like ClientCAs: a
>   connection initially established with the parent (or a sibling) Config can be
>   resumed, bypassing the modified authentication requirements.
>
>   If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the
>   server) or InsecureSkipVerify is false (on the client), crypto/tls now checks
>   that the root of the previously-verified chain is still in ClientCAs/RootCAs
>   when resuming a connection.
>
>   Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue
>   related to session ticket keys being implicitly shared by Config.Clone. Since
>   this fix is broader, the Config.Clone behavior change has been reverted.
>
>   Note that VerifyPeerCertificate still behaves as documented: it does not apply
>   to resumed connections. Applications that use Config.GetConfigForClient or
>   Config.Clone and do not wish to blindly resume connections established with the
>   original Config must use VerifyConnection instead (or SetSessionTicketKeys or
>   SessionTicketsDisabled).
>
>   Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
>
>   This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-05 10:31:32 +01:00
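The crypto/tls note above says that applications using Config.GetConfigForClient or Config.Clone, and which do not want a session established under the original Config to resume under a modified one, must use VerifyConnection. The following is an added example of what that hook looks like on a server; it is not code from this commit, from the Go release, or from moby. It rebuilds the trust decision from the presented client chain on every handshake, resumed or not, against the ClientCAs of the config actually in use. The CA and client certificates are generated in memory and the tls.ConnectionState is constructed by hand rather than taken from a live handshake; both are assumptions made so the example runs offline. Names such as verifyClientAgainstPool, serverConfigFor and scenario are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyClientAgainstPool returns a tls.Config.VerifyConnection callback. It runs
// for resumed sessions too (cs.DidResume), so the chain the client originally
// authenticated with is re-checked against this config's own ClientCAs.
func verifyClientAgainstPool(pool *x509.CertPool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return errors.New("no client certificate presented")
		}
		inter := x509.NewCertPool()
		for _, c := range cs.PeerCertificates[1:] {
			inter.AddCert(c)
		}
		if _, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
			Roots:         pool,
			Intermediates: inter,
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}); err != nil {
			return fmt.Errorf("client chain not trusted by this config (resumed=%v): %w", cs.DidResume, err)
		}
		return nil
	}
}

// serverConfigFor is the per-client config a GetConfigForClient callback would return.
func serverConfigFor(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth:       tls.RequireAndVerifyClientCert,
		ClientCAs:        pool,
		VerifyConnection: verifyClientAgainstPool(pool),
	}
}

// ResumedHandshakeAccepted feeds cfg's hook a ConnectionState shaped like a resumed handshake.
func ResumedHandshakeAccepted(cfg *tls.Config, clientChain []*x509.Certificate) error {
	return cfg.VerifyConnection(tls.ConnectionState{DidResume: true, PeerCertificates: clientChain})
}

// Throwaway in-memory PKI, constructed for this example only.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue signs tmpl with parent, or self-signs it when parent is nil.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// scenario: two sibling configs trusting different CAs, and a client issued only by the first.
func scenario() (trusting, sibling *tls.Config, chain []*x509.Certificate) {
	caA, keyA := mustIssue(template("CA A", 1, true), nil, nil)
	caB, _ := mustIssue(template("CA B", 2, true), nil, nil)
	leaf, _ := mustIssue(template("client", 3, false), caA, keyA)
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	poolB.AddCert(caB)
	return serverConfigFor(poolA), serverConfigFor(poolB), []*x509.Certificate{leaf}
}

func main() {
	trusting, sibling, chain := scenario()
	fmt.Println("resumed under issuing CA's config:", ResumedHandshakeAccepted(trusting, chain))
	fmt.Println("resumed under sibling config:", ResumedHandshakeAccepted(sibling, chain))
}
```

Running main prints nil for the config whose ClientCAs issued the client certificate and an error for its sibling, even though DidResume is true. A VerifyPeerCertificate callback in the same position would, as the note says, not have been invoked on the resumed path at all.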
Paweł Gronowski
4fa326fa85 api: Cut v1.53
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-01-26 19:00:50 +01:00
Paweł Gronowski
2d8289cbf3 Merge pull request #51919 from htoyoda18/fix/decode
api/pkg/authconfig: reject multiple JSON documents in Decode
2026-01-26 17:47:20 +00:00
hiroto.toyoda
f6c0f41e6d api/pkg/authconfig: reject multiple JSON documents in Decode
Explicitly reject multiple JSON documents in authentication payloads
instead of silently ignoring them. This helps notify users when the
authentication payload is incorrectly formatted.

Signed-off-by: hiroto.toyoda <hiroto.toyoda@dena.com>
2026-01-27 00:30:51 +09:00
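One way to implement the single-document rule this commit describes, as an added example that is not the project's api/pkg/authconfig code: after the first document is decoded, a second Decode on the same json.Decoder must return io.EOF, and anything else is rejected rather than silently dropped. The AuthConfig struct is a reduced stand-in, the base64url handling in DecodeHeader is an assumption about the X-Registry-Auth transport form, and the sample payloads in main are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// AuthConfig is a reduced stand-in for the registry auth payload; the field
// names follow the Engine API, but the real type carries more fields.
type AuthConfig struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	ServerAddress string `json:"serveraddress,omitempty"`
}

// ErrMultipleDocuments reports a second JSON value following the first one.
var ErrMultipleDocuments = errors.New("authconfig: payload contains more than one JSON document")

// Decode reads exactly one JSON document from r. A json.Decoder stops after
// the first value, so a concatenated second document (or stray bytes) would
// otherwise go unnoticed; here it is an error.
func Decode(r io.Reader) (*AuthConfig, error) {
	dec := json.NewDecoder(r)
	var cfg AuthConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("authconfig: invalid JSON: %w", err)
	}
	// The only acceptable result of a second Decode is io.EOF (trailing
	// whitespace is skipped). Success means two documents were concatenated;
	// any other error means trailing junk.
	err := dec.Decode(new(json.RawMessage))
	switch {
	case err == nil:
		return nil, ErrMultipleDocuments
	case errors.Is(err, io.EOF):
		return &cfg, nil
	default:
		return nil, fmt.Errorf("authconfig: trailing data after JSON document: %w", err)
	}
}

// DecodeHeader applies the same rule to the X-Registry-Auth transport form,
// assumed here to be base64url-encoded JSON with optional padding.
func DecodeHeader(h string) (*AuthConfig, error) {
	raw, err := base64.URLEncoding.DecodeString(h)
	if err != nil {
		if raw, err = base64.RawURLEncoding.DecodeString(h); err != nil {
			return nil, fmt.Errorf("authconfig: invalid base64 header: %w", err)
		}
	}
	return Decode(bytes.NewReader(raw))
}

func main() {
	// Constructed sample payloads: well-formed, two concatenated documents, trailing garbage.
	for _, body := range []string{
		`{"username":"alice","serveraddress":"registry.example.test"}` + "\n",
		`{"username":"alice"}{"username":"mallory"}`,
		`{"username":"alice"} trailing`,
	} {
		cfg, err := Decode(bytes.NewReader([]byte(body)))
		fmt.Printf("%q -> cfg=%+v err=%v\n", body, cfg, err)
	}
}
```

The second sample is the case the commit targets: a decoder that only reads one value would return the first credential set and never see the second, so the caller could not tell a malformed payload from a correct one.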
Sebastiaan van Stijn
62c1a719b3 api/types: use "omitzero" instead of "omitempty" for "netip" fields
Pull request 50956 (88adc28731) updated
various types in the API module from a string to a `netip.Prefix` or
`netip.Addr`. A side-effect of this was that zero values would no longer
be omitted, and instead marshaled as an empty string;

    package main

    import (
        "encoding/json"
        "fmt"
        "net/netip"
    )

    type Foo struct {
        OmitEmpty netip.Prefix `json:",omitempty"`
        OmitZero  netip.Prefix `json:",omitzero"`
    }

    func main() {
        out, _ := json.Marshal(Foo{})
        fmt.Println(string(out))
    }

The above produces `{"OmitEmpty":""}`, not omitting the empty address.

This patch;

- updates most types to use `omitzero` instead of `omitempty`.
- adds explicit `json` names to fields.

There's one type remaining that uses `omitzero`, but it's generated by
go-swagger, which currently doesn't support `omitzero`; the `PortSummary.IP`;
335f60509f/api/types/container/port_summary.go (L12-L20)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-01-26 15:57:18 +01:00