From 6ffb3b1bd69351bdb53d3fd96e782cceb04dcf4c Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sun, 4 Feb 2024 07:53:53 +0100
Subject: [PATCH] fix(deps): update module github.com/moby/moby to
 v24.0.9+incompatible [security] (#3323)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/moby/moby](https://togithub.com/moby/moby) |
`v24.0.8+incompatible` -> `v24.0.9+incompatible` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmoby%2fmoby/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fmoby%2fmoby/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fmoby%2fmoby/v24.0.8+incompatible/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmoby%2fmoby/v24.0.8+incompatible/v24.0.9+incompatible?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-24557](https://togithub.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc)

The classic builder cache system is prone to cache poisoning if the
image is built `FROM scratch`.
Also, changes to some instructions (most important being `HEALTHCHECK`
and `ONBUILD`) would not cause a cache miss.

An attacker with the knowledge of the Dockerfile someone is using could
poison their cache by making them pull a specially crafted image that
would be considered as a valid cache candidate for some build steps.

For example, an attacker could create an image that is considered as a
valid cache candidate for:
```
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built
from a different Dockerfile.

In the second case, the attacker could for example substitute a
different `HEALTCHECK` command.

### Impact

23.0+ users are only affected if they explicitly opted out of Buildkit
(`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API
endpoint (which uses the classic builder by default).

All users on versions older than 23.0 could be impacted. An example
could be a CI with a shared cache, or just a regular Docker user pulling
a malicious image due to misspelling/typosquatting.

Image build API endpoint (`/build`) and `ImageBuild` function from
`github.com/docker/docker/client` is also affected as it the uses
classic builder by default.

### Patches

Patches are included in Moby releases:

- v25.0.2
- v24.0.9

### Workarounds

- Use `--no-cache` or use Buildkit if possible (`DOCKER_BUILDKIT=1`,
it's default on 23.0+ assuming that the buildx plugin is installed).
- Use `Version = types.BuilderBuildKit` or `NoCache = true` in
`ImageBuildOptions` for `ImageBuild` call.

---

### Release Notes

<details>
<summary>moby/moby (github.com/moby/moby)</summary>

###
[`v24.0.9+incompatible`](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9)

[Compare
Source](https://togithub.com/moby/moby/compare/v24.0.8...v24.0.9)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "before 4am"
(UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/woodpecker-ci/woodpecker).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index cc3ad985f..aa99569ca 100644
--- a/go.mod
+++ b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/kinbiko/jsonassert v1.1.1
 	github.com/lib/pq v1.10.9
 	github.com/mattn/go-sqlite3 v1.14.20
-	github.com/moby/moby v24.0.8+incompatible
+	github.com/moby/moby v24.0.9+incompatible
 	github.com/moby/term v0.5.0
 	github.com/muesli/termenv v0.15.2
 	github.com/oklog/ulid/v2 v2.1.0
diff --git a/go.sum b/go.sum
index f15800817..233b4031f 100644
--- a/go.sum
+++ b/go.sum
@@ -320,6 +320,8 @@ github.com/moby/moby v24.0.7+incompatible h1:RrVT5IXBn85mRtFKP+gFwVLCcnNPZIgN3NV
 github.com/moby/moby v24.0.7+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/moby v24.0.8+incompatible h1:lTOrmnT/ZwYrhTbcmkWMTd2Pk65vV+4YuEdIG04shac=
 github.com/moby/moby v24.0.8+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
+github.com/moby/moby v24.0.9+incompatible h1:Z/hFbZJqC5Fmuf6jesMLdHU71CMAgdiSJ1ZYey+bFmg=
+github.com/moby/moby v24.0.9+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=