github batect/batect 0.35.1

4 years ago

What's been fixed

  • The issue where pulling images from custom registries that require authentication would fail if the image was specified in the form registry/image_name has been fixed.

    The logic that determined which registry an image was being pulled from (and therefore which credentials to supply) incorrectly fell back to the default registry (Docker Hub) for this form of image name. The Docker Hub credentials were then passed to the Docker daemon, which used them when connecting to the custom registry.

    ⚠️ This means that if you have credentials stored for Docker Hub and you have been pulling images specified in this format from a non-default registry using batect (even one that does not require authentication), your Docker Hub credentials may have been sent to that registry. It is highly recommended that you reset your Docker Hub password immediately if you suspect that this has happened. There is a more detailed description of the issue below.

    To be clear, credentials for private registries have not been exposed, only those for Docker Hub.

    Due to the way registry credentials are communicated to the Docker daemon when building an image, your Docker Hub credentials would not have been exposed if you only used an image from a non-default registry as the base image for a built image.

    Images specified in the form registry/repo/image_name are not affected by this issue.

  • batect will now use less memory and perform faster when building or pulling an image for the first time.
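As an added illustration (not batect's own code), the following Python models the faulty fallback described above beside the rule Docker itself uses to decide which registry an image name refers to; the flawed rule is a simplified reconstruction of the reported behaviour, and the registry names and credential store are constructed for the example.

```python
# Added example, not batect's code: model of the registry-detection fallback
# described in the release notes, beside Docker's own reference rule.
from typing import Optional, Tuple

DOCKER_HUB = "docker.io"
# Docker stores Docker Hub credentials in config.json under this legacy key.
DOCKER_HUB_CREDENTIAL_KEY = "https://index.docker.io/v1/"

# Constructed sample credential store: registry -> (user, secret).
SAMPLE_CREDENTIALS = {
    DOCKER_HUB_CREDENTIAL_KEY: ("hubuser", "hub-secret"),
    "registry.example.com": ("corpuser", "corp-secret"),
}


def registry_for_image_buggy(image: str) -> str:
    """Hypothetical reconstruction of the flawed rule: only a three-component
    name (registry/repo/image) is treated as naming a registry, so the
    two-component form registry/image falls back to Docker Hub."""
    parts = image.split("/")
    return parts[0] if len(parts) >= 3 else DOCKER_HUB


def registry_for_image_fixed(image: str) -> str:
    """Docker's rule: the first path component is a registry only if it
    contains '.' or ':' or is exactly 'localhost'; anything else (ubuntu,
    library/ubuntu) lives on Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB


def credentials_for_registry(registry: str, store=SAMPLE_CREDENTIALS) -> Optional[Tuple[str, str]]:
    """Look up stored credentials the way Docker does: Docker Hub uses the legacy key."""
    key = DOCKER_HUB_CREDENTIAL_KEY if registry == DOCKER_HUB else registry
    return store.get(key)


def credentials_sent(image: str, rule) -> Optional[Tuple[str, str]]:
    """Which credentials would be handed to the daemon for this image under a given rule."""
    return credentials_for_registry(rule(image))
```

With the flawed rule, an image such as registry.example.com/image is resolved to Docker Hub and the Docker Hub credentials are selected for a registry that never asked for them, even one with no credentials stored at all.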

Security issue details

Description
Your Docker Hub credentials may have been sent to a third-party registry if:

  • you have your Docker Hub credentials stored locally
  • the Docker image you are using is not stored on Docker Hub (e.g. it is on a private or third-party registry)
  • you are using the image directly and not as the base image for an image being built
  • the image you are using had not already been pulled and batect pulled it for you, and
  • the image is specified in the format registry/image_name in your batect configuration file (other formats such as registry/repo/image_name are not affected)

Impact
If all of the criteria above are fulfilled, your Docker Hub credentials have been sent to the third-party registry.

To be clear, credentials for private registries have not been exposed, only those for Docker Hub.

How to check for exposure
You can check whether your Docker Hub credentials are stored locally by running docker logout. Note that this command also removes any Docker Hub credentials that were stored, so run docker login again afterwards if you need them.

If Docker responds with Removing login credentials for https://index.docker.io/v1/, then your credentials were stored locally and may have been exposed.

If Docker responds with Not logged in to https://index.docker.io/v1/, then your credentials were not stored locally and were not exposed.

Remedy
The issue is fixed in batect version 0.35.1. Teams can update to the latest version by running ./batect --upgrade. It is highly recommended that anyone affected by this reset their Docker Hub password.

Getting started

First time using batect? Take a look at the getting started guide, or the many sample projects.

How to upgrade from previous versions

If you're already using batect, run ./batect --upgrade to upgrade automatically.

Special note about Windows wrapper script

If you are currently running v0.33.2 or newer, the Windows wrapper script (batect.cmd) will automatically be downloaded and copied into place alongside the Linux and OS X wrapper script (batect).

If you're running an older version of batect, you'll need to manually download the Windows wrapper script below, or it will be automatically installed next time you upgrade to a newer version of batect. This only needs to be done once - after that, it will be automatically updated.
