docker-credential-helpers

mirror of https://github.com/docker/docker-credential-helpers.git synced 2026-06-28 15:21:29 +05:30

Author	SHA1	Message	Date
CrazyMax	4e2b0ff14f	Merge pull request #408 from docker/dependabot/github_actions/actions/upload-artifact-7 build(deps): bump actions/upload-artifact from 6 to 7	2026-03-05 11:15:50 +01:00
CrazyMax	8fe8d458f7	Merge pull request #409 from docker/dependabot/github_actions/crazy-max/ghaction-import-gpg-7 build(deps): bump crazy-max/ghaction-import-gpg from 6 to 7	2026-03-05 11:15:27 +01:00
CrazyMax	af758c414c	Merge pull request #411 from docker/dependabot/github_actions/docker/setup-buildx-action-4 build(deps): bump docker/setup-buildx-action from 3 to 4	2026-03-05 11:15:06 +01:00
dependabot[bot]	dc6f4f5cb9	build(deps): bump docker/setup-buildx-action from 3 to 4 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-05 09:43:23 +00:00
CrazyMax	4e68cd824e	Merge pull request #410 from docker/dependabot/github_actions/docker/setup-qemu-action-4 build(deps): bump docker/setup-qemu-action from 3 to 4	2026-03-04 11:02:41 +01:00
dependabot[bot]	d520877610	build(deps): bump docker/setup-qemu-action from 3 to 4 Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-04 09:43:23 +00:00
dependabot[bot]	f0e4adbf36	build(deps): bump crazy-max/ghaction-import-gpg from 6 to 7 Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 6 to 7. - [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases) - [Commits](https://github.com/crazy-max/ghaction-import-gpg/compare/v6...v7) --- updated-dependencies: - dependency-name: crazy-max/ghaction-import-gpg dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-03 09:43:35 +00:00
dependabot[bot]	bf6137df6b	build(deps): bump actions/upload-artifact from 6 to 7 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-27 09:43:12 +00:00
Sebastiaan van Stijn	2b4e08bca3	Merge pull request #407 from thaJeztah/bump_go1.25.7 update to go1.25.7	2026-02-05 13:23:39 +01:00
Sebastiaan van Stijn	62deeb49c1	update to go1.25.7 go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. > > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2026-02-05 13:13:02 +01:00
Paweł Gronowski	6ca9924445	Merge pull request #406 from thaJeztah/bump_go update to go1.25.6	2026-01-19 13:51:23 +00:00
Sebastiaan van Stijn	806dc5f678	update to go1.25.6 This releases includes 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Thanks to Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61728 and Go issue https://go.dev/issue/77102. - net/http: memory exhaustion in Request.ParseForm When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion. Thanks to jub0bs for reporting this issue. This is CVE-2025-61726 and Go issue https://go.dev/issue/77101. - crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain The Config.Clone methods allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, allowing sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so. Config.Clone no longer copies the automatically generated session ticket keys. Config.Clone still copies keys which are explicitly provided, either by setting Config.SessionTicketKey or by calling Config.SetSessionTicketKeys. This issue was discoverd by the Go Security team while investigating another issue reported by Coia Prant (github.com/rbqvq). Additionally, on the server side only the expiration of the leaf certificate, if one was provided during the initial handshake, was checked when considering if a session could be resumed. This allowed sessions to be resumed if an intermediate or root certificate in the chain had expired. Session resumption now takes into account of the full chain when determining if the session can be resumed. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-68121 and Go issue https://go.dev/issue/77113. - cmd/go: bypass of flag sanitization can lead to arbitrary code execution Usage of 'CgoPkgConfig' allowed execution of the pkg-config binary with flags that are not explicitly safe-listed. To prevent this behavior, compiler flags resulting from usage of 'CgoPkgConfig' are sanitized prior to invoking pkg-config. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61731 and go.dev/issue/77100. - cmd/go: unexpected code execution when invoking toolchain The Go toolchain supports multiple VCS which are used retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g. custom domains) can cause unexpected code execution due to how external VCS commands are constructed. On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. This is CVE-2025-68119 and Go issue https://go.dev/issue/77099. - crypto/tls: handshake messages may be processed at the incorrect encryption level During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-61730 and Go issue https://go.dev/issue/76443 View the release notes for more information: https://go.dev/doc/devel/release#go1.25.6 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2026-01-19 14:21:10 +01:00
Sebastiaan van Stijn	a7b23cd2b5	Merge pull request #405 from thaJeztah/gha_perms gha: set default permissions, add guardrail timeouts, and update branch name (master -> main)	2026-01-09 11:41:43 +01:00
Sebastiaan van Stijn	178a3a4e57	gha: update master branch to main Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2026-01-09 09:43:50 +01:00
Sebastiaan van Stijn	f5fd80af0f	gha: add guardrails timeouts to jobs Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2026-01-09 09:35:19 +01:00
Sebastiaan van Stijn	ae163ade7b	gha: set "read" permissions as default Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2026-01-09 09:28:23 +01:00

3 changed files with 27 additions and 10 deletions

									
										.github/workflows/build.yml
									
		+25
		-8
	
												View File
												
					@@ -1,5 +1,14 @@

					name: build

					name: build

					# Default to 'contents: read', which grants actions to read commits.

					#

					# If any permission is set, any permission not included in the list is

					# implicitly set to "none".

					#

					# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

					permissions:

					  contents: read

					concurrency:

					concurrency:

					  group: ${{ github.workflow }}-${{ github.ref }}

					  group: ${{ github.workflow }}-${{ github.ref }}

					  cancel-in-progress: true

					  cancel-in-progress: true

					@@ -8,18 +17,19 @@ on:

					  workflow_dispatch:

					  workflow_dispatch:

					  push:

					  push:

					    branches:

					    branches:

					      - 'master'

					      - 'main'

					    tags:

					    tags:

					      - 'v*'

					      - 'v*'

					  pull_request:

					  pull_request:

					env:

					env:

					  DESTDIR: ./bin

					  DESTDIR: ./bin

					  GO_VERSION: 1.25.5

					  GO_VERSION: 1.25.7

					jobs:

					jobs:

					  validate:

					  validate:

					    runs-on: ubuntu-24.04

					    runs-on: ubuntu-24.04

					    timeout-minutes: 30 # guardrails timeout for the whole job

					    strategy:

					    strategy:

					      fail-fast: false

					      fail-fast: false

					      matrix:

					      matrix:

					@@ -32,7 +42,7 @@ jobs:

					        uses: actions/checkout@v6

					        uses: actions/checkout@v6

					      -

					      -

					        name: Set up Docker Buildx

					        name: Set up Docker Buildx

					        uses: docker/setup-buildx-action@v3

					        uses: docker/setup-buildx-action@v4

					      -

					      -

					        name: Run

					        name: Run

					        run: |

					        run: |

					@@ -40,6 +50,7 @@ jobs:

					  test:

					  test:

					    runs-on: ${{ matrix.os }}

					    runs-on: ${{ matrix.os }}

					    timeout-minutes: 30 # guardrails timeout for the whole job

					    strategy:

					    strategy:

					      fail-fast: false

					      fail-fast: false

					      matrix:

					      matrix:

					@@ -90,7 +101,7 @@ jobs:

					      -

					      -

					        name: Import GPG key

					        name: Import GPG key

					        if: ${{ !startsWith(matrix.os, 'windows-') }}

					        if: ${{ !startsWith(matrix.os, 'windows-') }}

					        uses: crazy-max/ghaction-import-gpg@v6

					        uses: crazy-max/ghaction-import-gpg@v7

					        with:

					        with:

					          gpg_private_key: ${{ steps.gpg.outputs.key }}

					          gpg_private_key: ${{ steps.gpg.outputs.key }}

					          passphrase: ${{ steps.gpg.outputs.passphrase }}

					          passphrase: ${{ steps.gpg.outputs.passphrase }}

					@@ -115,10 +126,11 @@ jobs:

					  test-sandboxed:

					  test-sandboxed:

					    runs-on: ubuntu-24.04

					    runs-on: ubuntu-24.04

					    timeout-minutes: 30 # guardrails timeout for the whole job

					    steps:

					    steps:

					      -

					      -

					        name: Set up Docker Buildx

					        name: Set up Docker Buildx

					        uses: docker/setup-buildx-action@v3

					        uses: docker/setup-buildx-action@v4

					      -

					      -

					        name: Test

					        name: Test

					        uses: docker/bake-action@v6

					        uses: docker/bake-action@v6

					@@ -136,6 +148,10 @@ jobs:

					  build:

					  build:

					    runs-on: ubuntu-24.04

					    runs-on: ubuntu-24.04

					    timeout-minutes: 30 # guardrails timeout for the whole job

					    permissions:

					      # required to create GitHub release

					      contents: write

					    steps:

					    steps:

					      -

					      -

					        name: Checkout

					        name: Checkout

					@@ -144,10 +160,10 @@ jobs:

					          fetch-depth: 0

					          fetch-depth: 0

					      -

					      -

					        name: Set up QEMU

					        name: Set up QEMU

					        uses: docker/setup-qemu-action@v3

					        uses: docker/setup-qemu-action@v4

					      -

					      -

					        name: Set up Docker Buildx

					        name: Set up Docker Buildx

					        uses: docker/setup-buildx-action@v3

					        uses: docker/setup-buildx-action@v4

					      -

					      -

					        name: Build

					        name: Build

					        run: |

					        run: |

					@@ -165,7 +181,7 @@ jobs:

					          find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +

					          find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +

					      -

					      -

					        name: Upload artifacts

					        name: Upload artifacts

					        uses: actions/upload-artifact@v6

					        uses: actions/upload-artifact@v7

					        with:

					        with:

					          name: docker-credential-helpers

					          name: docker-credential-helpers

					          path: ${{ env.DESTDIR }}/*

					          path: ${{ env.DESTDIR }}/*

					@@ -182,6 +198,7 @@ jobs:

					  build-deb:

					  build-deb:

					    runs-on: ubuntu-24.04

					    runs-on: ubuntu-24.04

					    timeout-minutes: 30 # guardrails timeout for the whole job

					    steps:

					    steps:

					      -

					      -

					        name: Checkout

					        name: Checkout

									
										Dockerfile
									
		+1
		-1
	
												View File
												
					@@ -1,6 +1,6 @@

					# syntax=docker/dockerfile:1

					# syntax=docker/dockerfile:1

					ARG GO_VERSION=1.25.5

					ARG GO_VERSION=1.25.7

					ARG DEBIAN_VERSION=bookworm

					ARG DEBIAN_VERSION=bookworm

					ARG XX_VERSION=1.7.0

					ARG XX_VERSION=1.7.0

									
										deb/Dockerfile
									
		+1
		-1
	
												View File
												
					@@ -1,6 +1,6 @@

					# syntax=docker/dockerfile:1

					# syntax=docker/dockerfile:1

					ARG GO_VERSION=1.25.5

					ARG GO_VERSION=1.25.7

					ARG DISTRO=ubuntu

					ARG DISTRO=ubuntu

					ARG SUITE=jammy

					ARG SUITE=jammy

Compare commits

16 Commits

v0.9.5 ... 4e2b0ff14f

Compare commits

16 Commits v0.9.5 ... 4e2b0ff14f

16 Commits

v0.9.5 ... 4e2b0ff14f