gentoo auto-resync : 21:07:2023 - 10:04:00

3 files changed, 622 insertions, 0 deletions

diff --git a/app-containers/docker/Manifest b/app-containers/docker/Manifest
index 2423c697f426..6c4166366fe4 100644
--- a/app-containers/docker/Manifest
+++ b/app-containers/docker/Manifest
@@ -1,8 +1,10 @@
 AUX 0001-Openrc-Depend-on-containerd-init-script.patch 774 BLAKE2B a7ac6f6a1e9ee88751e8e0471cd33429b8141cbea07a3a56c61eccd63c796c9135edafaf5977571a4413e5d71931aac44b5313110af94c3206e286b15394f637 SHA512 bc709b6f0dd8685fbf2404be589743f32a5f4deb24dec8ed6aeec18f0fcd1db4c5d59587209c28f62d964d78ec9ab3a3fdbb795dc4b7e3fabd00a06a002af34e
+AUX docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch 11883 BLAKE2B e5c57a6d01fe97d2e5e9015a01b92c8fcba7d537e1c451503ddbed0489bac90cf2e2424a95e093aba83aec008a88c717a5b9c85937208a41658255fffd40e5fd SHA512 0ea1d9578a9ee37fe2e4891557c16f00211a4ea1873f9cbc97090c9310fca4d3f741bef4d443b0b1d4d1b692420f745a5ecfe3606ab018b7e15b7d5629759ebe
 DIST docker-23.0.3.tar.gz 13621933 BLAKE2B fd548b6083df495c35cc4d27374afdbc37e3678454b33477e9e88ba7c1564901d91a87eb0b87da2cfeab6a7c120bec95cad3a94db15a49719713a3660fae9958 SHA512 1f47a0c669c07ad1e628c99d153623076cd5c8e65e82fa54f7dd0d32579fae803ec9bee748e4ba1a6dc8fe37654602aaf005e58e09f00d8ff4f32e6047240caa
 DIST docker-23.0.4.tar.gz 13625597 BLAKE2B ab4d50e9b334f18e620979bc13a7b146f8e0381d52aca0e45785108f1d53743e0157eb1e5bda76bc1300df1aa7825ca1ca141a21aeea39e81bc626ad1ea77775 SHA512 94d2c748541cf402197e98f93f574daf72bd84fc7603bf30e23674be36862ddbff5f37ad667455a710d730b9c5bc11962c287d6fd60a20320e0e0a41e3329c44
 DIST docker-24.0.4.tar.gz 14453359 BLAKE2B d089721469857eee87fd63b04c43cfde97ab9a38b5017c52c859b9b291574be4055b25585304434e070a7b74f90fa2582bb4fd8cddeae795637aaa23242fe8cb SHA512 5d749764a3541104d13ebe42e7b4225f66a98f9cc81f6406790be8a534f6c0d5ec13b145212bf75899e489feddf7679add6f43c6f9dd76b704291ed0e638eb6e
 EBUILD docker-23.0.3.ebuild 8284 BLAKE2B 21e8c4a8cd80f4a6a79d0bd5514da2d653fd163a58589b67e32b4c71176be7f8656df1bcef872f8a5b22e9780d514ce5cca76c1c4db79ce6ce1a58c7e5e460fe SHA512 9a3f51cfa4059d0271baff5413bbe3ae29795f9d912ac912d045359ff1846408c7ad011a08102d3c6a7a560159180acf809d6fa2e7b3751cea6e78d00f209385
 EBUILD docker-23.0.4.ebuild 8287 BLAKE2B ff38c5c75e8bfdde6b0a3f2927090aa41c3cb28509333c254368d9b42a2c4583fd8784d47cb092f1bf91b170a2aea7de3c18b3aff915d5d21a7769cec496b328 SHA512 d471fae81b86e66d34e5d4373f739bc5d15d99abe1e7eca0199d12453e44e7f147813c14b64ab1a595083a731d74b69a9379e39b864cf19996d1bd33e6f90a58
+EBUILD docker-24.0.4-r1.ebuild 7722 BLAKE2B dd243c127c3952bd305172ce7106afbe82eca0607f2f4eaa487b1ff0ee6beb7793fe9d34398ccb299cb70e703215dd2c058ae8953007ee009842fba3d0865a78 SHA512 4ef43f88026881a3a84ca7d466d60783f66104f30aa414d2ff81186fb69ff098dad7e0acfcdfe5c13cfd249d5c6dd69ece6e8cfd3da99a239d26cb37923dc34d
 EBUILD docker-24.0.4.ebuild 7643 BLAKE2B dc1a56c643a76f020a61d96fdc4f65820f0cac9170d7e53d3eafc5f04a658ca388a84d2421e799e24766fc58a1d7a066328c701020ef9dfb57a41aec698315ec SHA512 5c6d1d28d2887d5dbbda72fe3d1b4dc86d0708f3180f3b4f7568806b526a7232b8c1a82f3c2524f216df845a7962ce2f46edaf97942b88dc70bb43729e2f2622
 MISC metadata.xml 1414 BLAKE2B fa9d3dd12a13f980523afebd1eee07a8746c55b7f89e6b1f0d42dc9f64649acc835904ee1dfe09bb4319cd7589dd6e19feb6d646a7ae1b41fb90e54d1f0d0cf0 SHA512 1175abde53b8d4690ffb2586734dd6fab94b3725c83a59f61d4abf53b04bfa8e5128b5cb914a9fd1eb142f77881ad503a40b14b6f5a994d19ca00aabc1b4db3e
diff --git a/app-containers/docker/docker-24.0.4-r1.ebuild b/app-containers/docker/docker-24.0.4-r1.ebuild
new file mode 100644
index 000000000000..72c039ef97b9
--- /dev/null
+++ b/app-containers/docker/docker-24.0.4-r1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+	acct-group/docker
+	>=dev-db/sqlite-3.7.9:3
+	apparmor? ( sys-libs/libapparmor )
+	btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+	device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+	seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+	${DEPEND}
+	>=net-firewall/iptables-1.4
+	sys-process/procps
+	>=dev-vcs/git-1.7
+	>=app-arch/xz-utils-4.9
+	dev-libs/libltdl
+	>=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
+	!app-containers/docker-proxy
+	container-init? ( >=sys-process/tini-0.19.0[static] )
+	selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+	>=dev-lang/go-1.16.12
+	dev-go/go-md2man
+	virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+	"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+	"${FILESDIR}/${P}-client-define-a-dummy-hostname-for-local-connections.patch"
+)
+
+pkg_setup() {
+	# this is based on "contrib/check-config.sh" from upstream's sources
+	# required features.
+	CONFIG_CHECK="
+		~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+		~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+		~KEYS
+		~VETH ~BRIDGE ~BRIDGE_NETFILTER
+		~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+		~NETFILTER_XT_MATCH_ADDRTYPE
+		~NETFILTER_XT_MATCH_CONNTRACK
+		~NETFILTER_XT_MATCH_IPVS
+		~NETFILTER_XT_MARK
+		~IP_NF_NAT ~NF_NAT
+		~POSIX_MQUEUE
+	"
+	WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+	if kernel_is lt 4 8; then
+		CONFIG_CHECK+="
+			~DEVPTS_MULTIPLE_INSTANCES
+		"
+	fi
+
+	if kernel_is le 5 1; then
+		CONFIG_CHECK+="
+			~NF_NAT_IPV4
+		"
+	fi
+
+	if kernel_is le 5 2; then
+		CONFIG_CHECK+="
+			~NF_NAT_NEEDED
+		"
+	fi
+
+	if kernel_is ge 4 15; then
+		CONFIG_CHECK+="
+			~CGROUP_BPF
+		"
+	fi
+
+	# optional features
+	CONFIG_CHECK+="
+		~USER_NS
+	"
+
+	if use seccomp; then
+		CONFIG_CHECK+="
+			~SECCOMP ~SECCOMP_FILTER
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~CGROUP_PIDS
+	"
+
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+			"
+	fi
+
+	if kernel_is le 5 8; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP_ENABLED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NATIVE
+		"
+	if kernel_is lt 5 19; then
+		CONFIG_CHECK+="
+			~LEGACY_VSYSCALL_EMULATE
+			"
+	fi
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NONE
+		"
+	WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+		Containers with <=glibc-2.13 will not work"
+
+	if kernel_is le 4 5; then
+		CONFIG_CHECK+="
+			~MEMCG_KMEM
+		"
+	fi
+
+	if kernel_is lt 5; then
+		CONFIG_CHECK+="
+			~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~BLK_CGROUP ~BLK_DEV_THROTTLING
+		~CGROUP_PERF
+		~CGROUP_HUGETLB
+		~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+		~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+		~IP_NF_TARGET_REDIRECT
+		~IP_VS
+		~IP_VS_NFCT
+		~IP_VS_PROTO_TCP
+		~IP_VS_PROTO_UDP
+		~IP_VS_RR
+		"
+
+	if use selinux; then
+		CONFIG_CHECK+="
+			~SECURITY_SELINUX
+			"
+	fi
+
+	if use apparmor; then
+		CONFIG_CHECK+="
+			~SECURITY_APPARMOR
+			"
+	fi
+
+	# if ! is_set EXT4_USE_FOR_EXT2; then
+	#	check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+	#	if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+	#		echo "    $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+	#	fi
+	# fi
+
+	CONFIG_CHECK+="
+		~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+	"
+
+	# if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+	#	if is_set EXT4_USE_FOR_EXT2; then
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+	#	else
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+	#	fi
+	# fi
+
+	# network drivers
+	CONFIG_CHECK+="
+		~VXLAN ~BRIDGE_VLAN_FILTERING
+		~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+		~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+	"
+	if kernel_is le 5 3; then
+		CONFIG_CHECK+="
+			~INET_XFRM_MODE_TRANSPORT
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~IPVLAN
+		"
+	CONFIG_CHECK+="
+		~MACVLAN ~DUMMY
+		"
+	CONFIG_CHECK+="
+		~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+	"
+
+	# storage drivers
+	if use btrfs; then
+		CONFIG_CHECK+="
+			~BTRFS_FS
+			~BTRFS_FS_POSIX_ACL
+		"
+	fi
+
+	if use device-mapper; then
+		CONFIG_CHECK+="
+			~BLK_DEV_DM ~DM_THIN_PROVISIONING
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~OVERLAY_FS
+	"
+
+	linux-info_pkg_setup
+}
+
+src_compile() {
+	export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+	export GOPATH="${WORKDIR}/${P}"
+	export VERSION=${PV}
+
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+	export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+	# let's set up some optional features :)
+	export DOCKER_BUILDTAGS=''
+	for gd in btrfs device-mapper overlay; do
+		if ! use $gd; then
+			DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+		fi
+	done
+
+	for tag in apparmor seccomp; do
+		if use $tag; then
+			DOCKER_BUILDTAGS+=" $tag"
+		fi
+	done
+
+	# build daemon
+	./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc
+	use container-init && dosym tini /usr/bin/docker-init
+	newbin bundles/dynbinary-daemon/dockerd dockerd
+
+	newinitd contrib/init/openrc/docker.initd docker
+	newconfd contrib/init/openrc/docker.confd docker
+
+	systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+	udev_dorules contrib/udev/*.rules
+
+	dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+	dodoc -r docs/*
+
+	# note: intentionally not using "doins" so that we preserve +x bits
+	dodir /usr/share/${PN}/contrib
+	cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+	udev_reload
+
+	elog
+	elog "To use Docker, the Docker daemon must be running as root. To automatically"
+	elog "start the Docker daemon at boot:"
+	if systemd_is_booted || has_version sys-apps/systemd; then
+		elog "  systemctl enable docker.service"
+	else
+		elog "  rc-update add docker default"
+	fi
+	elog
+	elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+	elog '  usermod -aG docker <youruser>'
+	elog
+
+	if use device-mapper; then
+		elog " Devicemapper storage driver has been deprecated"
+		elog " It will be removed in a future release"
+		elog
+	fi
+
+	if use overlay; then
+		elog " Overlay storage driver/USEflag has been deprecated"
+		elog " in favor of overlay2 (enabled unconditionally)"
+		elog
+	fi
+
+	if has_version sys-fs/zfs; then
+		elog " ZFS storage driver is available"
+		elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+		elog
+	fi
+}
+
+pkg_postrm() {
+	udev_reload
+}
diff --git a/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch b/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch
new file mode 100644
index 000000000000..91c0f12daae0
--- /dev/null
+++ b/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch
@@ -0,0 +1,290 @@
+From 18b6066f21dd24671c96c3d9f1b3a7e39da1dabf Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 14:15:38 +0200
+Subject: [PATCH 1/3] client: define a "dummy" hostname to use for local
+ connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the client's `addr` as hostname in some cases, which
+could contain the path for the unix-socket (`/var/run/docker.sock`), which
+gets rejected by go1.20.6 and go1.19.11 because of a security fix for
+[CVE-2023-29406 ][1], which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+This patch introduces a `DummyHost` const, and uses this dummy host for
+cases where we don't need an actual hostname.
+
+Before this patch (using go1.20.6):
+
+    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+    === RUN   TestAttachWithTTY
+        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+    --- FAIL: TestAttachWithTTY (0.11s)
+    === RUN   TestAttachWithoutTTy
+        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+    --- FAIL: TestAttachWithoutTTy (0.02s)
+    FAIL
+
+With this patch applied:
+
+    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+    INFO: Testing against a local daemon
+    === RUN   TestAttachWithTTY
+    --- PASS: TestAttachWithTTY (0.12s)
+    === RUN   TestAttachWithoutTTy
+    --- PASS: TestAttachWithoutTTy (0.02s)
+    PASS
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 5119e8c98f31f36a9e73884d4132c326cd931c34)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ client/client.go       | 30 ++++++++++++++++++++++++++++++
+ client/hijack.go       |  5 ++++-
+ client/request.go      |  8 ++++----
+ client/request_test.go | 20 ++++++++------------
+ 4 files changed, 46 insertions(+), 17 deletions(-)
+
+diff --git a/client/client.go b/client/client.go
+index 1c081a51ae69..54fa36cca88e 100644
+--- a/client/client.go
++++ b/moby-24.0.4/client/client.go
+@@ -56,6 +56,36 @@ import (
+ 	"github.com/pkg/errors"
+ )
+ 
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++//	If the authority component is missing or undefined for the target URI,
++//	then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++//   - https://github.com/docker/engine-api/issues/189
++//   - https://github.com/golang/go/issues/13624
++//   - https://github.com/golang/go/issues/61076
++//   - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+ 
+diff --git a/client/hijack.go b/client/hijack.go
+index 6bdacab10adb..db9b02e1601f 100644
+--- a/client/hijack.go
++++ b/moby-24.0.4/client/hijack.go
+@@ -64,7 +64,10 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+ 
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+-	req.Host = cli.addr
++	if cli.proto == "unix" || cli.proto == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = DummyHost
++	}
+ 	req.Header.Set("Connection", "Upgrade")
+ 	req.Header.Set("Upgrade", proto)
+ 
+diff --git a/client/request.go b/client/request.go
+index c799095c1227..8f43553fb7c5 100644
+--- a/client/request.go
++++ b/moby-24.0.4/client/request.go
+@@ -98,12 +98,12 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ 	req = cli.addHeaders(req, headers)
+ 
+ 	if cli.proto == "unix" || cli.proto == "npipe" {
+-		// For local communications, it doesn't matter what the host is. We just
+-		// need a valid and meaningful host name. (See #189)
+-		req.Host = "docker"
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = DummyHost
++	} else {
++		req.URL.Host = cli.addr
+ 	}
+ 
+-	req.URL.Host = cli.addr
+ 	req.URL.Scheme = cli.scheme
+ 
+ 	if expectedPayload && req.Header.Get("Content-Type") == "" {
+diff --git a/client/request_test.go b/client/request_test.go
+index 6e5a6e81f21c..1a99197ca231 100644
+--- a/client/request_test.go
++++ b/moby-24.0.4/client/request_test.go
+@@ -28,24 +28,20 @@ func TestSetHostHeader(t *testing.T) {
+ 		expectedURLHost string
+ 	}{
+ 		{
+-			"unix:///var/run/docker.sock",
+-			"docker",
+-			"/var/run/docker.sock",
++			host:            "unix:///var/run/docker.sock",
++			expectedURLHost: DummyHost,
+ 		},
+ 		{
+-			"npipe:////./pipe/docker_engine",
+-			"docker",
+-			"//./pipe/docker_engine",
++			host:            "npipe:////./pipe/docker_engine",
++			expectedURLHost: DummyHost,
+ 		},
+ 		{
+-			"tcp://0.0.0.0:4243",
+-			"",
+-			"0.0.0.0:4243",
++			host:            "tcp://0.0.0.0:4243",
++			expectedURLHost: "0.0.0.0:4243",
+ 		},
+ 		{
+-			"tcp://localhost:4243",
+-			"",
+-			"localhost:4243",
++			host:            "tcp://localhost:4243",
++			expectedURLHost: "localhost:4243",
+ 		},
+ 	}
+ 
+
+From d22fa2bb92fd1ea37071487465f58c8bcb58badd Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 15:07:59 +0200
+Subject: [PATCH 2/3] pkg/plugins: use a dummy hostname for local connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+Before this patch, tests would fail on go1.20.6:
+
+    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
+    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
+    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
+    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
+    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
+        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit a4a861f9fbdd6293f95ef8d6d35241c6f6c29853)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ pkg/plugins/client.go | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
+index 752fecd0ae47..a740a8c3dac1 100644
+--- a/pkg/plugins/client.go
++++ b/moby-24.0.4/pkg/plugins/client.go
+@@ -18,6 +18,12 @@ import (
+ 
+ const (
+ 	defaultTimeOut = 30
++
++	// dummyHost is a hostname used for local communication.
++	//
++	// For local communications (npipe://, unix://), the hostname is not used,
++	// but we need valid and meaningful hostname.
++	dummyHost = "plugin.moby.localhost"
+ )
+ 
+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
+ 		return nil, err
+ 	}
+ 	scheme := httpScheme(u)
+-
+-	return transport.NewHTTPTransport(tr, scheme, socket), nil
++	hostName := u.Host
++	if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		hostName = dummyHost
++	}
++	return transport.NewHTTPTransport(tr, scheme, hostName), nil
+ }
+ 
+ // NewClient creates a new plugin client (http).
+
+From af1c09666a5c7ea12685fb8b482e64433a58f820 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 17:37:01 +0200
+Subject: [PATCH 3/3] testutil: use dummyhost for non-tcp connections
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 524506a452dab8f67cb2c287c8acacdbe2599906)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ integration-cli/docker_api_attach_test.go | 9 ++++++++-
+ testutil/request/request.go               | 9 +++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/integration-cli/docker_api_attach_test.go b/integration-cli/docker_api_attach_test.go
+index 6d31c51ec344..0064b48bdf7b 100644
+--- a/integration-cli/docker_api_attach_test.go
++++ b/moby-24.0.4/integration-cli/docker_api_attach_test.go
+@@ -234,7 +234,14 @@ func requestHijack(method, endpoint string, data io.Reader, ct, daemon string, m
+ 		return nil, nil, errors.Wrap(err, "could not create new request")
+ 	}
+ 	req.URL.Scheme = "http"
+-	req.URL.Host = hostURL.Host
++
++	// FIXME(thaJeztah): this should really be done by client.ParseHostURL
++	if hostURL.Scheme == "unix" || hostURL.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = client.DummyHost
++	} else {
++		req.URL.Host = hostURL.Host
++	}
+ 
+ 	for _, opt := range modifiers {
+ 		opt(req)
+diff --git a/testutil/request/request.go b/testutil/request/request.go
+index d5f559c66637..239e27a8fc1d 100644
+--- a/testutil/request/request.go
++++ b/moby-24.0.4/testutil/request/request.go
+@@ -123,8 +123,13 @@ func newRequest(endpoint string, opts *Options) (*http.Request, error) {
+ 	} else {
+ 		req.URL.Scheme = "http"
+ 	}
+-	req.URL.Host = hostURL.Host
+-
++	// FIXME(thaJeztah): this should really be done by client.ParseHostURL
++	if hostURL.Scheme == "unix" || hostURL.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = client.DummyHost
++	} else {
++		req.URL.Host = hostURL.Host
++	}
+ 	for _, config := range opts.requestModifiers {
+ 		if err := config(req); err != nil {
+ 			return nil, err