The --all flag description was misleading by only mentioning
intermediate images, when it actually also controls the visibility of
dangling (untagged) images.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This reverts part of the logic introduced in 207bf52c27 which
incorrectly gated untagged images behind the --all flag in non-expanded
view.
The original fix was addressing the wrong layer of the problem.
The actual issue was that dangling images were being incorrectly passed
to the tree code in the first place.
This was properly fixed in 67f5e3413 which corrected the dangling image
detection logic to properly filter them out before reaching the tree
display code.
Now that dangling images are correctly filtered upstream, untagged
images that reach the tree view should be displayed regardless of the
--all flag setting.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
When calculating column widths for the tree view, untagged images
weren't being properly accounted for in the width calculation.
This caused layout issues when there were tagged images were shorter
than the `<untagged>` string.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The isDangling function was incorrectly identifying images as dangling
when they had no RepoTags but had valid RepoDigests.
This can occur when the graphdrivers are used instead of the containerd
image store.
An image should only be considered dangling if it has no RepoTags,
regardless of whether it has RepoDigests.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Some validation steps done by `docker create` (and `docker run`) are platform-
specific, and need to know the daemon's OS.
To get this information, the CLI.ServerInfo() method was used, which
discards connection errors, resulting in an empty OS, which causes
validation to fail with an "unknown server OS" error message.
This patch changes it to use the Client.Ping so that we can error when
failing to connect.
We should look if we can reduce the platform-specific validation and parsing
on the client-side, but at least this change should produce a more useful
error.
Before this patch:
DOCKER_HOST=tcp://example.invalid docker run -it --rm --device=/dev/dri alpine
docker: unknown server OS:
Run 'docker run --help' for more information
With this patch:
DOCKER_HOST=tcp://example.invalid docker run -it --rm --device=/dev/dri alpine
failed to connect to the docker API at tcp://example.invalid:2375: lookup example.invalid on 192.168.65.7:53: no such host
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this patch:
docker stack deploy -c<TAB>
.codecov.yml contrib/ e2e/ pkg/
.git/ build/ debian/ experimental/
...
docker stack deploy -c contrib/otel/<TAB>
compose.yaml otelcol.yaml prom.yaml
Note that filtering for the file-extension only appears to be functional
on bash, but not (currently) working on other shells (at least not on Fish).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the
usage of wildcard SANs in the leaf certificate. For example a constraint that
excludes the subdomain test.example.com does not prevent a leaf certificate from
claiming the SAN *.example.com.
This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Hello gophers,
We have tagged version v0.45.0 of golang.org/x/crypto in order to address two
security issues.
This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a
vulnerability in the golang.org/x/crypto/ssh/agent package which could cause
programs to consume unbounded memory or panic respectively.
SSH servers parsing GSSAPI authentication requests don't validate the number of
mechanisms specified in the request, allowing an attacker to cause unbounded
memory consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58181 and Go issue https://go.dev/issue/76363.
SSH Agent servers do not validate the size of messages when processing new
identity requests, which may cause the program to panic if the message is
malformed due to an out of bounds read.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-47914 and Go issue https://go.dev/issue/76364.
Cheers, Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
