2016-07-05 00:30:32 +02:00

################################################################################
#
# docker-containerd
#
################################################################################

package/docker-containerd: security bump to 1.2.11

Fixes the following security vulnerabilities:

containerd 1.2.9/gRPC:

- CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods,
  potentially leading to a denial of service. The attacker sends continual
  pings to an HTTP/2 peer, causing the peer to build an internal queue of
  responses. Depending on how efficiently this data is queued, this can
  consume excess CPU, memory, or both

- CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset
  flood, potentially leading to a denial of service. The attacker opens a
  number of streams and sends an invalid request over each stream that
  should solicit a stream of RST_STREAM frames from the peer. Depending on
  how the peer queues the RST_STREAM frames, this can consume excess memory,
  CPU, or both

- CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings
  flood, potentially leading to a denial of service. The attacker sends a
  stream of SETTINGS frames to the peer. Since the RFC requires that the
  peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory, or
  both

containerd 1.2.10/runc:

- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
  19.03.2-ce and other products, allows AppArmor restriction bypass because
  libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
  malicious Docker image can mount over a /proc directory

Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-12-03 05:50:01 +01:00

DOCKER_CONTAINERD_VERSION = 1.2.11

package: remove 'v' prefix from github-fetched packages

On Github, a large number of projects name their tag vXYZ (i.e. v3.0,
v0.1, etc.). In some packages we do:

  <pkg>_VERSION = v0.3
  <pkg>_SITE = $(call github,foo,bar,$(<pkg>_VERSION))

And in some other packages we do:

  <pkg>_VERSION = 0.3
  <pkg>_SITE = $(call github,foo,bar,v$(<pkg>_VERSION))

I.e. in one case we consider the version to be v0.3, in the other case
we consider 0.3 to be the version.

The problem with v0.3 is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix" and using
that they drop the "v" prefix for the version.

Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org because Buildroot has 'v0.3'
and release-monitoring.org has '0.3'.

Since the version number really is 0.3, it makes sense to update our
packages to drop this 'v'.

This commit only addresses the (common) case of github packages where
the prefix is simply 'v'. Other cases will be handled by separate
commits. Also, there are a few cases that couldn't be handled
mechanically that aren't covered by this commit.

Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
[Arnout: don't change flatbuffers, json-for-modern-cpp, libpagekite,
python-scapy3k, softether]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-06-12 08:42:06 +02:00

DOCKER_CONTAINERD_SITE = $(call github,containerd,containerd,v$(DOCKER_CONTAINERD_VERSION))
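
The mechanical rewrite that the 'v'-prefix commit message describes, as an added example in Python; this is not Buildroot's own tooling and not part of that commit. The function name `strip_v_prefix`, the file layout it assumes (one `<PKG>_VERSION` line plus one `<PKG>_SITE = $(call github,...)` line per package) and the `SAMPLE_MK` input are constructed for the example. It goes slightly beyond the message by also reporting the two situations the commit says it does not touch: a site that is not a github helper call, and a site line that already supplies its own 'v' (rewriting that one would produce a `vv` tag). Keeping `<PKG>_VERSION` equal to the bare upstream release number is what makes the release-monitoring.org comparison the message describes line up.

```python
"""Move a bare 'v' tag prefix out of <PKG>_VERSION and into the github site call.

Added example (not Buildroot's own tooling). Given the text of a Buildroot
package .mk file, rewrite the one case the commit message handles
mechanically: <PKG>_VERSION = vX.Y together with a
$(call github,<owner>,<repo>,$(<PKG>_VERSION)) site line. Everything else
(non-GitHub sites, a site call that already carries a 'v') is left alone
and reported for manual review.
"""
import re
import sys
from typing import List, Tuple

# <PKG>_VERSION = vX...   only a bare leading 'v' directly followed by a digit.
# [ \t] rather than \s so the match never swallows the line's newline.
VERSION_RE = re.compile(r"^(?P<pkg>[A-Z0-9_]+)_VERSION[ \t]*=[ \t]*v\d\S*[ \t]*$", re.M)

# <PKG>_SITE = $(call github,<owner>,<repo>,[v]$(<PKG>_VERSION))
# 'tag' captures whether the site line already supplies its own 'v'.
SITE_RE_TMPL = (r"^(?P<pre>{pkg}_SITE[ \t]*=[ \t]*\$\(call github,[^,\s]+,[^,\s]+,)"
                r"(?P<tag>v?)\$\({pkg}_VERSION\)\)[ \t]*$")


def strip_v_prefix(mk_text: str) -> Tuple[str, List[str], List[str]]:
    """Return (rewritten text, packages rewritten, packages skipped).

    A package is rewritten only when its _VERSION carries a bare 'v' prefix
    AND its _SITE is a github helper call that expands $(<PKG>_VERSION)
    without a 'v' of its own. A 'v' in both places would yield a 'vv' tag,
    so that case, like a non-GitHub site, is reported instead of rewritten.
    """
    changed: List[str] = []
    skipped: List[str] = []
    out = mk_text
    for m in VERSION_RE.finditer(mk_text):
        pkg = m.group("pkg")
        site_re = re.compile(SITE_RE_TMPL.format(pkg=re.escape(pkg)), re.M)
        site = site_re.search(out)
        if site is None or site.group("tag") == "v":
            skipped.append(pkg)
            continue
        # Put the 'v' into the site call; a lambda avoids backslash/escape
        # processing of the replacement text.
        out = site_re.sub(lambda s: s.group("pre") + "v$(" + pkg + "_VERSION))", out, count=1)
        # Drop the 'v' from the version line, keeping the author's spacing.
        out = re.sub(r"^(" + re.escape(pkg) + r"_VERSION[ \t]*=[ \t]*)v", r"\1",
                     out, count=1, flags=re.M)
        changed.append(pkg)
    return out, changed, skipped


# Constructed sample input; package names and the BAR URL are made up.
SAMPLE_MK = """\
FOO_VERSION = v0.3
FOO_SITE = $(call github,foo-org,foo,$(FOO_VERSION))

BAR_VERSION = v1.2.0
BAR_SITE = https://example.invalid/bar/releases

DOCKER_CONTAINERD_VERSION = 1.2.11
DOCKER_CONTAINERD_SITE = $(call github,containerd,containerd,v$(DOCKER_CONTAINERD_VERSION))
"""


def main(paths: List[str]) -> None:
    """Rewrite each .mk file in place; with no arguments, show the sample."""
    if not paths:
        out, changed, skipped = strip_v_prefix(SAMPLE_MK)
        print(out)
        print("changed:", changed, "skipped (needs manual review):", skipped)
        return
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        out, changed, skipped = strip_v_prefix(text)
        if out != text:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(out)
        print(f"{path}: changed={changed} skipped={skipped}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run with no arguments to see the sample transformed (FOO is rewritten, BAR is skipped because its site is not a github call, and the already-normalised DOCKER_CONTAINERD lines are untouched); pass `.mk` paths to rewrite files in place. The pass is idempotent, so re-running it on its own output changes nothing.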
DOCKER_CONTAINERD_LICENSE = Apache-2.0
DOCKER_CONTAINERD_LICENSE_FILES = LICENSE

DOCKER_CONTAINERD_WORKSPACE = vendor

DOCKER_CONTAINERD_LDFLAGS = \
	-X github.com/docker/containerd.GitCommit=$(DOCKER_CONTAINERD_VERSION)

DOCKER_CONTAINERD_BUILD_TARGETS = cmd/ctr cmd/containerd cmd/containerd-shim

DOCKER_CONTAINERD_INSTALL_BINS = containerd containerd-shim

ifeq ($(BR2_PACKAGE_LIBSECCOMP),y)
DOCKER_CONTAINERD_DEPENDENCIES += libseccomp host-pkgconf
DOCKER_CONTAINERD_TAGS += seccomp
endif

ifeq ($(BR2_PACKAGE_DOCKER_CONTAINERD_DRIVER_BTRFS),y)
DOCKER_CONTAINERD_DEPENDENCIES += btrfs-progs
else
DOCKER_CONTAINERD_TAGS += no_btrfs
endif

define DOCKER_CONTAINERD_INSTALL_SYMLINKS
	ln -fs runc $(TARGET_DIR)/usr/bin/docker-runc
	ln -fs containerd-shim $(TARGET_DIR)/usr/bin/docker-containerd-shim
	ln -fs containerd $(TARGET_DIR)/usr/bin/docker-containerd
endef

DOCKER_CONTAINERD_POST_INSTALL_TARGET_HOOKS += DOCKER_CONTAINERD_INSTALL_SYMLINKS

$(eval $(golang-package))