Accepting request 973797 from home:cyphar:docker

- Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191. bsc#1193930 bsc#1197284 * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch OBS-URL: https://build.opensuse.org/request/show/973797 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=369
2022-04-29 03:40:42 +00:00 · 2022-04-29 03:40:42 +00:00 · 5fb98d193e
commit 5fb98d193e
parent 81366c6cd0
8 changed files with 41107 additions and 17 deletions
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,7 +1,7 @@
-From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
+From 63d19d6ef58457e8aba6346157c9601e38f60929 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets

 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@ -73,5 +73,5 @@ index 6a50b99bd29e..583db20aa459 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.33.1
+2.35.1

--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,7 +1,7 @@
-From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
+From a472a5da8d0aeb21b4cb6fbd2dc348a753c0a883 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets

 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
 +	return nil
 +}
 -- 
-2.33.1
+2.35.1

--- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
@ -1,7 +1,7 @@
-From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
+From 098dd769a226407da7a695ae44cf2e41a5d13a4a Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support

 NOTE: This is a backport/downstream patch of the upstream pull-request
      for Moby, which is still subject to changes.  Please visit
@ -444,10 +444,10 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644
 		return err
 	}
 diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
-index 023ee2e71efd..e14cdd16b410 100644
+index 123abf6b497a..097ead45d0fd 100644
 --- a/distribution/pull_v2.go
 +++ b/distribution/pull_v2.go
-@@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
+@@ -432,7 +432,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
 	// the other side speaks the v2 protocol.
 	p.confirmedV2 = true
 
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
 
 	endpoints = []APIEndpoint{
 -- 
-2.33.1
+2.35.1

--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,7 +1,7 @@
-From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
+From 5e84bae968f7beadd92452795cfe2ce4f8995cef Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
 start

 In the process of making docker-default reloading far less expensive,
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
 	}
 
 -- 
-2.33.1
+2.35.1

--- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
@ -1,7 +1,7 @@
-From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
+From 98822d2010c709e64d5e86d7ec8e054861080a53 Mon Sep 17 00:00:00 2001
 From: Michal Rostecki <mrostecki@opensuse.org>
 Date: Thu, 8 Apr 2021 14:42:02 +0100
-Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
+Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup

 Before this change, cleanup of the btrfs driver (occuring on each daemon
 shutdown) resulted in disabling quotas. It was done with an assumption
@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
 			}
 			if err := subvolLimitQgroup(dir, size); err != nil {
 -- 
-2.33.1
+2.35.1

--- a/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
+++ b/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Apr 29 02:51:43 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191.
+  bsc#1193930 bsc#1197284
+  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+
 -------------------------------------------------------------------
 Thu Apr 14 04:09:58 UTC 2022 - Aleksa Sarai <asarai@suse.com>

--- a/docker.spec
+++ b/docker.spec
@ -94,6 +94,9 @@ Patch200:       0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
 Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
 Patch301:       0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+# SUSE-BACKPORT: Backport of several golang.org/x/crypto updates.
+#                bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
+Patch302:       0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -262,6 +265,8 @@ docker container runtime configuration for kubeadm
 %patch300 -p1
 # bsc#1183855 bsc#1175081
 %patch301 -p1
+# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
+%patch302 -p1

 # README_SUSE.md for documentation.
 cp %{SOURCE103} .