Update doguctl and fix CVE-2024-45337 #25
Labels
security
Vulnerabilities and security flaws exist
Comments
ppxl
added a commit
that referenced
this issue
Dec 27, 2024
This change moves the doguctl binary away from ${projectDir}/usr/bin to
`${projectDir}/packages` where git will ignore any tar.gz files. This is
done to avoid commits with doguctl binaries, knowingly that this will
increase the container image by ~15 MB.
This increase is accepted by gaining a similar container creation
process as well as similar directory layout compared to the alpine base
image repository.
ppxl
added a commit
that referenced
this issue
Jan 6, 2025
Co-authored-by: kahoona77 <[email protected]>
ppxl
added a commit
that referenced
this issue
Jan 6, 2025
Re-include doguctl version verification. The docker build stage `doguctlbinaryverifier` was previously ignored by docker with buildkit enabled because the stage is not referenced by the final build. This commit modifies the make target in such a way that the verification will be called nonetheless. As https://docs.docker.com/build/building/multi-stage/#differences-between-legacy-builder-and-buildkit describes: > > For example, given the following Dockerfile: > > ```dockerfile > # syntax=docker/dockerfile:1 > FROM ubuntu AS base > RUN echo "base" > > FROM base AS stage1 > RUN echo "stage1" > > FROM base AS stage2 > RUN echo "stage2" > ``` > > With BuildKit enabled, building the stage2 target in this Dockerfile > means only base and stage2 are processed. There is no dependency on > stage1, so it's skipped.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This CVE was introduced by the Golang core API and corresponds to misusing dual-key infrastructure. This was fixed with golang.org/x/[email protected]
See more in this advisory
The text was updated successfully, but these errors were encountered: