docker-29.2.1_ce-37.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10261-1 Final 1 1 2026-02-26T00:00:00Z current 2026-02-26T00:00:00Z 2026-02-26T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z docker-29.2.1_ce-37.1 on GA media These are all security issues fixed in the docker-29.2.1_ce-37.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10261 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-67499/ SUSE CVE CVE-2025-67499 page openSUSE Tumbleweed docker-29.2.1_ce-37.1 docker-bash-completion-29.2.1_ce-37.1 docker-buildx-0.31.1-37.1 docker-fish-completion-29.2.1_ce-37.1 docker-rootless-extras-29.2.1_ce-37.1 docker-zsh-completion-29.2.1_ce-37.1 docker-29.2.1_ce-37.1 as a component of openSUSE Tumbleweed docker-bash-completion-29.2.1_ce-37.1 as a component of openSUSE Tumbleweed docker-buildx-0.31.1-37.1 as a component of openSUSE Tumbleweed docker-fish-completion-29.2.1_ce-37.1 as a component of openSUSE Tumbleweed docker-rootless-extras-29.2.1_ce-37.1 as a component of openSUSE Tumbleweed docker-zsh-completion-29.2.1_ce-37.1 as a component of openSUSE Tumbleweed The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability. CVE-2025-67499 openSUSE Tumbleweed:docker-29.2.1_ce-37.1 openSUSE Tumbleweed:docker-bash-completion-29.2.1_ce-37.1 openSUSE Tumbleweed:docker-buildx-0.31.1-37.1 openSUSE Tumbleweed:docker-fish-completion-29.2.1_ce-37.1 openSUSE Tumbleweed:docker-rootless-extras-29.2.1_ce-37.1 openSUSE Tumbleweed:docker-zsh-completion-29.2.1_ce-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-67499.html CVE-2025-67499 https://bugzilla.suse.com/1255499 SUSE Bug 1255499