Welcome to the v0.31.2 release of buildkit!
This is a security patch release with four moderate and one low severity security fixes.
Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.
Contributors
- Tõnis Tiigi
- CrazyMax
- Dawei Wei
Notable Changes
- Git source checkout from a bundle file could lead to command injection. GHSA-hw3h-2gp9-cxpv
- Possible panic when incorrect parameters sent from frontend. GHSA-qx3x-mv6r-52p6
- LLB file operation can be tricked to remove
/tmpdirectory contents. GHSA-32pv-7hq5-qhwq - Malicious client can bypass destination directory validation on local sources upload. GHSA-g2h8-426c-7976
- WCOW cache mount source selector resolves NTFS junctions outside of cache root. GHSA-388v-wmr2-g2v2
- Fix possible buildctl failures after successful builds over slow connhelper transports. #6940
- Fix possible daemon crash during concurrent builds. #6916
Dependency Changes
- github.com/tonistiigi/fsutil 0257b3308df4 -> 30cd4fc5d911
Previous release can be found at v0.31.1