build(deps): bump github.com/moby/sys/user from 0.4.0 to 0.4.1 #5346

Merged: rata merged 1 commit into main from dependabot/go_modules/github.com/moby/sys/user-0.4.1, Jun 29, 2026

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Contributor

Bumps github.com/moby/sys/user from 0.4.0 to 0.4.1.

Release notes

Sourced from github.com/moby/sys/user's releases.

mountinfo v0.4.1

Fixes and improvements:

  • Fix PrefixFilter() being too greedy (#61)
  • TestMountedBy*: add missing pre-checks (ce8f425e79a74602c4055fb1776f38043d56827b)
  • Documentation improvements (#52)

user/v0.4.1

What's Changed

  • user: prevent possible DoS via unbounded parsing of user and group database files in GHSA-mjcv-p78q-w5fw. This fixes a similar issue as CVE-2026-47262 in containerd.
  • user: prevent falling back to looking up numeric usernames and improve handling of numeric user/group to prevent looking up numeric values as usernames. This fixes a similar issue as CVE-2026-46680 in containerd. moby/sys#221
  • user: prevent falling back to looking up numeric usernames
  • user: bump Go to 1.18, modernize moby/sys#198
  • user: make code a bit more DRY moby/sys#225
  • user: test cleanups moby/sys#226

Full Changelog: moby/sys@user/v0.4.0...user/v0.4.1

Commits
  • 85a71bb Merge commit from fork
  • 2c56c3d user: limit line length in ParseGroupFilter
  • bba2f13 user: limit reads from user database files
  • ee79b0e Merge pull request #221 from thaJeztah/limit_uidgid
  • 6eb9f15 user: GetAdditionalGroups: treat numeric group arguments as GIDs only
  • c66bd2d user: prevent falling back to looking up numeric usernames
  • c873359 Merge pull request #226 from thaJeztah/user_test_cleanups
  • f41a5ef Merge pull request #225 from thaJeztah/user_dry
  • 5c2e8a0 user: add test-cases for maxID (math.MaxInt32)
  • e001aea user: use sub-tests
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 26, 2026

cyphar commented Jun 28, 2026

Member

@dependabot rebase

Bumps [github.com/moby/sys/user](https://github.com/moby/sys) from 0.4.0 to 0.4.1.
- [Release notes](https://github.com/moby/sys/releases)
- [Commits](moby/sys@user/v0.4.0...user/v0.4.1)

---
updated-dependencies:
- dependency-name: github.com/moby/sys/user
  dependency-version: 0.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/moby/sys/user-0.4.1 branch from 50416dd to 74b3c7c Compare June 28, 2026 18:22
@rata rata merged commit 30d7618 into main Jun 29, 2026
55 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/moby/sys/user-0.4.1 branch June 29, 2026 14:15