Added
Add experimental dagger up to start module-defined services on the host, including @up annotations, workspace/module services() APIs, and configurable port mappings by Yves Brissaud in #11959
Add @cache directive for module function cache control by Alex Suraci in #12920
Add --failfast to dagger check and WithFailFast in SDKs by @kpenfound in #11956
Add support to set primitive values and secret arrays in user defaults by @marcosnils in #12898
Add Changeset.diffStats() and structured DiffStat entries for renames and line-count summaries by @grouville + @tiborvass in #12002
Add support for Directory.chown() with usernames and group names by @alexcb in #12128
Changed
Make dagger connect faster by reducing driver probing and setup work before command execution by @tiborvass in #11769
Expand workspace support with workspace-scoped checks() and generators() APIs, richer workspace metadata, and clearer path/boundary semantics by @shykes in #11995
dagger check and dagger generate now resolve against the current workspace rather than only the current module by @shykes in #11995
Stop expanding literal dotenv values and arguments so literal strings remain literal by @marcosnils in #11957
Go SDK: pin generated modules to the matching dagger-go-sdk commit by @TomChv in #11826
Deprecated
Set secrets via dotenv segments without a scheme is deprecated and will require an explicit scheme in a future release by @marcosnils in #11957
Fixed
Fix Dockerfile RUN heredoc failing with command not found (exit 127) by preserving /dev/pipes/ mounts in the OCI spec by @majiayu000 in #12020
Fix dagger init crashing when .env exists as a directory by @paikend in #12868
Fix WithExec with Expand=true so environment variables are also expanded in RedirectStdout, RedirectStderr, and RedirectStdin paths by @shykes in #12846
Fix Helm chart support for custom liveness/readiness probes by @shykes in #12859
Fix Helm chart envFrom.secretRef indentation in the engine StatefulSet by @fixeasy in #12906
Fix dagger shell object-argument errors to show a clear message when a string literal is passed instead of an object ID by @shykes in #12842
Fix lazy image blob handling so container results remain local after ContainerDagOp returns by @marcosnils in #12861
Fix .env user defaults being silently ignored when a constructor arg has a schema default value by @shykes in #12854
Dang SDK: fix workspace arguments and filesync support to match /dagger-sdk behavior by Alex Suraci in #12830
Python SDK: fix Config.log_output handling for in-memory streams such as StringIO by @paikend in #12867
Rust SDK: fix timeouts and default Config behavior, and improve GraphQL error parsing by @fdiakh in #12832
Contributors
Special thanks to our external contributors this release!
Authentication Bypass Using an Alternate Path or Channel
Affected range: <29.3.1
Fixed version: Not Fixed
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately:
Avoid using AuthZ plugins that rely on request body inspection for security decisions.
Restrict access to the Docker API to trusted parties, following the principle of least privilege.
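How a body-inspecting plugin can fail closed against the request shape described above, as an added illustration; this is not Docker's code or any shipped plugin. authzRequest and authzResponse stand in for the fields the authorization plugin API exchanges, bodyInspectedEndpoints and the HostConfig.Privileged policy are assumptions for the example, and the /v1.45 prefix is a constructed sample URI. The naive handler only looks at a body when one is present, so the body-less request the advisory describes is allowed; the fail-closed handler denies any body-dependent request that arrives without a body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// authzRequest stands in for the fields an authorization plugin receives in an
// AuthZReq call (assumed shape for this example, not the plugin SDK's type).
type authzRequest struct {
	RequestURI  string
	RequestBody []byte
}

type authzResponse struct {
	Allow bool
	Msg   string
}

// bodyInspectedEndpoints lists API paths whose decision depends on the body.
// Constructed for this example; a real policy would list its own.
var bodyInspectedEndpoints = []string{"/containers/create"}

// apiPath strips the query string and an optional /vX.Y version prefix.
func apiPath(uri string) string {
	if i := strings.IndexByte(uri, '?'); i >= 0 {
		uri = uri[:i]
	}
	if len(uri) > 2 && uri[:2] == "/v" && uri[2] >= '0' && uri[2] <= '9' {
		if j := strings.IndexByte(uri[1:], '/'); j >= 0 {
			uri = uri[1+j:]
		}
	}
	return uri
}

func needsBody(uri string) bool {
	p := apiPath(uri)
	for _, e := range bodyInspectedEndpoints {
		if p == e {
			return true
		}
	}
	return false
}

// privilegedRequested reports whether a /containers/create body asks for
// HostConfig.Privileged. Malformed JSON is reported as an error.
func privilegedRequested(body []byte) (bool, error) {
	var spec struct {
		HostConfig struct{ Privileged bool }
	}
	if err := json.Unmarshal(body, &spec); err != nil {
		return false, err
	}
	return spec.HostConfig.Privileged, nil
}

// authzNaive is the pattern the advisory warns about: it inspects the body only
// when one was forwarded, so a body-less copy of a denied request is allowed.
func authzNaive(req authzRequest) authzResponse {
	if needsBody(req.RequestURI) && len(req.RequestBody) > 0 {
		if priv, err := privilegedRequested(req.RequestBody); err != nil || priv {
			return authzResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
	}
	return authzResponse{Allow: true}
}

// authzFailClosed denies a body-dependent request whose body is missing.
// Only a body that was actually inspected can lead to an allow.
func authzFailClosed(req authzRequest) authzResponse {
	if !needsBody(req.RequestURI) {
		return authzResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return authzResponse{Allow: false, Msg: "body-dependent request arrived without a body"}
	}
	if priv, err := privilegedRequested(req.RequestBody); err != nil || priv {
		return authzResponse{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return authzResponse{Allow: true}
}

func main() {
	body := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	full := authzRequest{RequestURI: "/v1.45/containers/create", RequestBody: body}
	stripped := authzRequest{RequestURI: "/v1.45/containers/create"}
	fmt.Println("naive, full body:     ", authzNaive(full).Allow)          // false
	fmt.Println("naive, body stripped: ", authzNaive(stripped).Allow)      // true: the bypass
	fmt.Println("fail-closed, stripped:", authzFailClosed(stripped).Allow) // false
}
```

Any precondition the daemon cannot be relied on to satisfy (here, forwarding the body) has to be treated as a deny when it is absent, not as a step that is simply skipped.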
Summary
A security vulnerability has been detected that allows plugin privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.
Plugins that request exactly one privilege are also affected, because no comparison is performed at all.
Impact
If plugins are not in use, there is no impact.
When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.
Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.
Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.
For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.
Workarounds
If unable to update immediately:
Do not install plugins from untrusted sources.
Carefully review all privileges requested during docker plugin install.
Restrict access to the Docker daemon to trusted parties, following the principle of least privilege.
Avoid relying on plugin privilege approval as the only control boundary for sensitive environments.
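The comparison an approval flow has to make, written out as an added example (not the daemon's code): the set the user approved and the set the plugin's config requires must match exactly, in any order, and a single requested privilege goes through the same check instead of being skipped. pluginPrivilege is a stand-in for the daemon's privilege type, and the device, mount and network values are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// pluginPrivilege stands in for a Docker plugin privilege: a name such as
// "device" plus its values. It is this example's own type.
type pluginPrivilege struct {
	Name  string
	Value []string
}

// canonical renders a privilege so equality is independent of value order.
func (p pluginPrivilege) canonical() string {
	vals := append([]string(nil), p.Value...)
	sort.Strings(vals)
	return p.Name + "=" + strings.Join(vals, ",")
}

// privilegesMatch reports whether the privileges a plugin's config requires are
// exactly the set the user approved: same count, same names, same values. It
// has no special case for a single privilege; one entry is compared like any.
func privilegesMatch(approved, required []pluginPrivilege) bool {
	if len(approved) != len(required) {
		return false
	}
	a := make([]string, len(approved))
	r := make([]string, len(required))
	for i := range approved {
		a[i] = approved[i].canonical()
		r[i] = required[i].canonical()
	}
	sort.Strings(a)
	sort.Strings(r)
	for i := range a {
		if a[i] != r[i] {
			return false
		}
	}
	return true
}

// diffPrivileges lists what required asks for beyond approved, which is what
// an install should show the user when the comparison fails.
func diffPrivileges(approved, required []pluginPrivilege) []string {
	seen := map[string]bool{}
	for _, p := range approved {
		seen[p.canonical()] = true
	}
	var extra []string
	for _, p := range required {
		if !seen[p.canonical()] {
			extra = append(extra, p.canonical())
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	approved := []pluginPrivilege{{Name: "device", Value: []string{"/dev/fuse"}}}
	required := []pluginPrivilege{{Name: "device", Value: []string{"/dev/fuse", "/dev/mem"}}}
	fmt.Println(privilegesMatch(approved, required), diffPrivileges(approved, required))
}
```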
Credits
Reported by Cody (c@wormhole.guru, PGP 0x9FA5B73E)
stdlib 1.26.1 (golang)
pkg:golang/stdlib@1.26.1
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.007%
EPSS Percentile: 0th percentile
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.005%
EPSS Percentile: 0th percentile
Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.011%
EPSS Percentile: 1st percentile
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally, template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.009%
EPSS Percentile: 1st percentile
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.007%
EPSS Percentile: 0th percentile
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.010%
EPSS Percentile: 1st percentile
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Affected range: >=1.26.0-0 <1.26.2
Fixed version: 1.26.2
EPSS Score: 0.007%
EPSS Percentile: 0th percentile
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.
The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...) which searches $PATH when the command name contains no path separator.
Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.
The kenv path is reached when /etc/hostid does not exist (lines 38-40), which is common on FreeBSD systems.
Attack
Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
Attacker places a malicious kenv binary earlier in $PATH
Application initializes OpenTelemetry resource detection at startup
hostIDReaderBSD.read() calls exec.Command("kenv", ...) which resolves to the malicious binary
Arbitrary code executes in the context of the application
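The resolution step the attack relies on, shown as an added, runnable example rather than the OpenTelemetry SDK's own code: exec.LookPath (which exec.Command uses for a bare name) is compared with a lookup confined to a fixed list of system directories. trustedBinDirs is an assumed list; demoHijack plants a constructed script named like the command in a temporary directory, puts that directory first in $PATH (restored afterwards) and resolves the name both ways, without ever executing the planted file. On a Linux host with no kenv binary the $PATH lookup returns the planted file and the trusted lookup finds nothing.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// trustedBinDirs replaces $PATH as the only places a system command may live.
// The list is an assumption for this example; use what the target OS ships.
var trustedBinDirs = []string{"/sbin", "/bin", "/usr/sbin", "/usr/bin"}

// lookPathHijackable is what exec.Command(name, ...) does with a bare name: it
// walks $PATH, so whoever controls an earlier entry controls what runs.
func lookPathHijackable(name string) (string, error) {
	return exec.LookPath(name)
}

// lookPathTrusted resolves a bare name only inside trustedBinDirs and rejects
// names carrying a path, so $PATH never influences the result.
func lookPathTrusted(name string) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", fmt.Errorf("refusing command name %q: must be a bare name", name)
	}
	for _, dir := range trustedBinDirs {
		p := filepath.Join(dir, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("%s: not found in %v", name, trustedBinDirs)
}

// hijackDemo records what each resolver picked for the same command name.
type hijackDemo struct {
	Fake      string // the planted executable
	Hijacked  string // what the $PATH lookup resolved to
	Trusted   string // what the trusted lookup resolved to ("" if not found)
	TrustedOK bool
}

// demoHijack plants an executable named cmd in a temporary directory, puts that
// directory first in $PATH and resolves cmd both ways. The planted script is
// constructed for the example and is never run.
func demoHijack(cmd string) (hijackDemo, error) {
	dir, err := os.MkdirTemp("", "pathhijack")
	if err != nil {
		return hijackDemo{}, err
	}
	defer os.RemoveAll(dir)
	fake := filepath.Join(dir, cmd)
	if err := os.WriteFile(fake, []byte("#!/bin/sh\necho hijacked\n"), 0o755); err != nil {
		return hijackDemo{}, err
	}
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", dir+string(os.PathListSeparator)+oldPath)

	hijacked, err := lookPathHijackable(cmd)
	if err != nil {
		return hijackDemo{}, err
	}
	trusted, terr := lookPathTrusted(cmd)
	return hijackDemo{Fake: fake, Hijacked: hijacked, Trusted: trusted, TrustedOK: terr == nil}, nil
}

func main() {
	d, err := demoHijack("kenv")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("$PATH lookup picked:   %s\ntrusted lookup picked: %q (found=%v)\n", d.Hijacked, d.Trusted, d.TrustedOK)
}
```

The same reasoning is why the Darwin fix used an absolute path for ioreg: the process, not its environment, should decide where a privileged helper is loaded from.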
Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.
This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.
This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.
Panics can lead to denial of service.
Fixed In
v4.1.4 and v3.0.5
Workarounds
If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.
If your application uses key wrapping, you can prevalidate the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
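The prevalidation suggested in the workaround, as an added example that is not part of go-jose: before a token reaches ParseEncrypted*/Decrypt, decode the protected header, and if alg is an AES Key Wrap algorithm (ending in KW, excluding the A*GCMKW family) require the encrypted_key segment to be at least 16 bytes and a multiple of 8, the RFC 3394 shape KeyUnwrap expects. The JSON variant assumes alg lives in the protected header; protectedHeader and buildCompact only construct sample inputs with empty iv, ciphertext and tag.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// isAESKeyWrapAlg reports whether a JWE "alg" unwraps the content key with AES
// Key Wrap (RFC 3394): the algorithms ending in "KW" except the A*GCMKW family,
// which uses AES-GCM and is not on the panicking path.
func isAESKeyWrapAlg(alg string) bool {
	switch alg {
	case "A128GCMKW", "A192GCMKW", "A256GCMKW":
		return false
	}
	return strings.HasSuffix(alg, "KW")
}

// checkWrappedKey enforces the RFC 3394 shape of a wrapped key: at least two
// 64-bit blocks (16 bytes) and a whole number of blocks. An empty or short
// encrypted_key is rejected here instead of reaching KeyUnwrap.
func checkWrappedKey(encryptedKey []byte) error {
	if len(encryptedKey) < 16 {
		return fmt.Errorf("encrypted_key is %d bytes, need at least 16", len(encryptedKey))
	}
	if len(encryptedKey)%8 != 0 {
		return fmt.Errorf("encrypted_key length %d is not a multiple of 8", len(encryptedKey))
	}
	return nil
}

// prevalidateCompact inspects a JWE Compact Serialization (five base64url
// segments) before it is handed to the library: segment 0 is the protected
// header, segment 1 the encrypted_key.
func prevalidateCompact(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("expected 5 segments, got %d", len(parts))
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	if !isAESKeyWrapAlg(hdr.Alg) {
		return nil // not a key-wrapping alg: the panicking path is not reachable
	}
	ek, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("encrypted_key: %w", err)
	}
	return checkWrappedKey(ek)
}

// prevalidateJSON does the same for the JWE JSON Serialization, flattened
// (top-level encrypted_key) or general (one per recipient). Assumes alg is in
// the protected header.
func prevalidateJSON(doc []byte) error {
	var jwe struct {
		Protected    string `json:"protected"`
		EncryptedKey string `json:"encrypted_key"`
		Recipients   []struct {
			EncryptedKey string `json:"encrypted_key"`
		} `json:"recipients"`
	}
	if err := json.Unmarshal(doc, &jwe); err != nil {
		return err
	}
	keys := []string{jwe.EncryptedKey}
	if len(jwe.Recipients) > 0 {
		keys = keys[:0]
		for _, r := range jwe.Recipients {
			keys = append(keys, r.EncryptedKey)
		}
	}
	for _, ek := range keys {
		// reuse the compact checker: header, key, then empty iv/ciphertext/tag
		if err := prevalidateCompact(jwe.Protected + "." + ek + "..."); err != nil {
			return err
		}
	}
	return nil
}

// protectedHeader and buildCompact construct sample inputs for this example;
// iv, ciphertext and tag are left empty since only the first two segments matter.
func protectedHeader(alg string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"` + alg + `","enc":"A128GCM"}`))
}

func buildCompact(alg string, encryptedKey []byte) string {
	return protectedHeader(alg) + "." + base64.RawURLEncoding.EncodeToString(encryptedKey) + "..."
}
```

Running this before the library call turns the panic into an ordinary error that the caller can log and reject; it does not replace upgrading to a fixed version.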
Thanks
Thanks to Datadog's Security team for finding this issue.
Overview:
This report shows that the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap.
This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection).
Severity
HIGH
Not claiming: this is a remote DoS against every default deployment.
Claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where MITM is realistic), that endpoint can crash the process via a large response body.
Root cause:
Each exporter client reads resp.Body using io.Copy(&respData, resp.Body) into a bytes.Buffer on both success and error paths, with no upper bound.
Impact:
A malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (OOM).
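The bounded alternative to the io.Copy pattern named in the root cause, as an added example and not the OTLP exporter's code: readAllBounded reads at most limit+1 bytes through io.LimitReader and fails once the body exceeds limit, so peak memory is fixed by the client rather than by the collector. doExportBounded shows it wired into a POST; hostileCollector and fillReader are a constructed stand-in for an attacker-controlled endpoint that answers with an arbitrarily large error body, and 64 KiB is an assumed cap, ample for any error message an exporter would want to keep.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var errResponseTooLarge = errors.New("response body exceeds limit")

// readAllUnbounded is the pattern in the report: the whole body is copied into
// a bytes.Buffer, so peak memory is whatever the peer decides to send.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	var buf bytes.Buffer
	_, err := io.Copy(&buf, body)
	return buf.Bytes(), err
}

// readAllBounded reads at most limit bytes and fails if the body is longer,
// instead of growing to match the peer. Reading one byte past limit is how an
// oversized body is detected without trusting Content-Length.
func readAllBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errResponseTooLarge
	}
	return data, nil
}

// exportResult is what an exporter needs from a response: the status and a
// bounded copy of the body for its error message.
type exportResult struct {
	Status int
	Body   string
}

// doExportBounded posts payload to endpoint, caps the response body it is
// willing to hold, and drains a bounded remainder so the client can still
// reuse the connection.
func doExportBounded(client *http.Client, endpoint string, payload []byte, limit int64) (exportResult, error) {
	resp, err := client.Post(endpoint, "application/x-protobuf", bytes.NewReader(payload))
	if err != nil {
		return exportResult{}, err
	}
	defer resp.Body.Close()
	data, err := readAllBounded(resp.Body, limit)
	if err != nil {
		io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20))
		return exportResult{Status: resp.StatusCode}, err
	}
	return exportResult{Status: resp.StatusCode, Body: string(data)}, nil
}

// fillReader is an endless stream of 'A' bytes, standing in for an
// attacker-chosen response size without allocating it up front.
type fillReader struct{}

func (fillReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// hostileCollector is a constructed stand-in for an attacker-controlled OTLP
// endpoint: every export gets a 500 with a body of size bytes.
func hostileCollector(size int64) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.Copy(io.Discard, r.Body)
		w.WriteHeader(http.StatusInternalServerError)
		io.Copy(w, io.LimitReader(fillReader{}, size))
	}))
}

func main() {
	srv := hostileCollector(64 << 20) // a 64 MiB error body
	defer srv.Close()
	res, err := doExportBounded(srv.Client(), srv.URL+"/v1/traces", []byte("spans"), 64<<10)
	fmt.Printf("status=%d body=%dB err=%v\n", res.Status, len(res.Body), err)
}
```

The error path matters as much as the success path here: an exporter usually only reads the body to quote it in an error, which is exactly where a cap costs nothing.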
This PR contains the following updates:
dagger: 0.20.3 → 0.20.4
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
dagger/dagger (dagger)
v0.20.4 (Compare Source)
Added
Added
Add experimental dagger up to start module-defined services on the host, including @up annotations, workspace/module services() APIs, and configurable port mappings by Yves Brissaud in #11959
Add @cache directive for module function cache control by Alex Suraci in #12920
Add --failfast to dagger check and WithFailFast in SDKs by @kpenfound in #11956
Add Changeset.diffStats() and structured DiffStat entries for renames and line-count summaries by @grouville + @tiborvass in #12002
Add support for Directory.chown() with usernames and group names by @alexcb in #12128
ADD --unpack support by @tiborvass + @grouville in #12096
COPY --exclude and COPY --parents by @alexcb in #12896
@check and @generate directives by Alex Suraci in #12830
@up annotation support by Yves Brissaud in #12919
Enum types by @Nero-F in #12862
internal/dagger/<dep>.gen.go files by @TomChv in #11962
Config by @fdiakh in #12832
Changed
Make dagger connect faster by reducing driver probing and setup work before command execution by @tiborvass in #11769
Expand workspace support with workspace-scoped checks() and generators() APIs, richer workspace metadata, and clearer path/boundary semantics by @shykes in #11995
dagger check and dagger generate now resolve against the current workspace rather than only the current module by @shykes in #11995
Deprecated
Set secrets via dotenv segments without a scheme is deprecated and will require an explicit scheme in a future release by @marcosnils in #11957
Fixed
Fix Dockerfile RUN heredoc failing with command not found (exit 127) by preserving /dev/pipes/ mounts in the OCI spec by @majiayu000 in #12020
Fix dagger init crashing when .env exists as a directory by @paikend in #12868
Fix WithExec with Expand=true so environment variables are also expanded in RedirectStdout, RedirectStderr, and RedirectStdin paths by @shykes in #12846
Fix Helm chart envFrom.secretRef indentation in the engine StatefulSet by @fixeasy in #12906
Fix dagger shell object-argument errors to show a clear message when a string literal is passed instead of an object ID by @shykes in #12842
Fix lazy image blob handling so container results remain local after ContainerDagOp returns by @marcosnils in #12861
Dang SDK: fix workspace arguments and filesync support to match /dagger-sdk behavior by Alex Suraci in #12830
Python SDK: fix Config.log_output handling for in-memory streams such as StringIO by @paikend in #12867
Rust SDK: fix timeouts and default Config behavior, and improve GraphQL error parsing by @fdiakh in #12832
Contributors
Special thanks to our external contributors this release!
What to do next?
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.