Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1469-1 Final 1 1 2024-04-29T15:59:43Z current 2024-04-29T15:59:43Z 2024-04-29T15:59:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: - CVE-2024-23651: Fixed arbitrary files write due to race condition on mounts (bsc#1219267) - CVE-2024-23652: Fixed insufficient validation of parent directory on mount (bsc#1219268) - CVE-2024-23653: Fixed insufficient validation on entitlement on container creation via buildkit (bsc#1219438) Other fixes: - Update to Docker 25.0.5-ce (bsc#1223409) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-Basic-On-Demand-2024-1469,Image SLES12-SP5-Azure-Standard-On-Demand-2024-1469,Image SLES12-SP5-EC2-ECS-On-Demand-2024-1469,Image SLES12-SP5-EC2-On-Demand-2024-1469,Image SLES12-SP5-GCE-On-Demand-2024-1469,SUSE-2024-1469,SUSE-SLE-Module-Containers-12-2024-1469 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241469-1/ Link for SUSE-SU-2024:1469-1 https://lists.suse.com/pipermail/sle-updates/2024-April/035123.html E-Mail link for SUSE-SU-2024:1469-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219267 SUSE Bug 1219267 https://bugzilla.suse.com/1219268 SUSE Bug 1219268 https://bugzilla.suse.com/1219438 SUSE Bug 1219438 https://bugzilla.suse.com/1223409 SUSE Bug 1223409 https://www.suse.com/security/cve/CVE-2024-23651/ SUSE CVE CVE-2024-23651 page https://www.suse.com/security/cve/CVE-2024-23652/ SUSE CVE CVE-2024-23652 page https://www.suse.com/security/cve/CVE-2024-23653/ SUSE CVE CVE-2024-23653 page Image SLES12-SP5-Azure-Basic-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-On-Demand SUSE Linux Enterprise Module for Containers 12 docker-25.0.5_ce-98.112.1 docker-bash-completion-25.0.5_ce-98.112.1 docker-fish-completion-25.0.5_ce-98.112.1 docker-rootless-extras-25.0.5_ce-98.112.1 docker-zsh-completion-25.0.5_ce-98.112.1 docker-25.0.5_ce-98.112.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand docker-25.0.5_ce-98.112.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand docker-25.0.5_ce-98.112.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand docker-25.0.5_ce-98.112.1 as a component of Image SLES12-SP5-EC2-On-Demand docker-25.0.5_ce-98.112.1 as a component of Image SLES12-SP5-GCE-On-Demand docker-25.0.5_ce-98.112.1 as a component of SUSE Linux Enterprise Module for Containers 12 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options. CVE-2024-23651 Image SLES12-SP5-Azure-Basic-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-GCE-On-Demand:docker-25.0.5_ce-98.112.1 SUSE Linux Enterprise Module for Containers 12:docker-25.0.5_ce-98.112.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241469-1/ https://www.suse.com/security/cve/CVE-2024-23651.html CVE-2024-23651 https://bugzilla.suse.com/1219267 SUSE Bug 1219267 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature. CVE-2024-23652 Image SLES12-SP5-Azure-Basic-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-GCE-On-Demand:docker-25.0.5_ce-98.112.1 SUSE Linux Enterprise Module for Containers 12:docker-25.0.5_ce-98.112.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241469-1/ https://www.suse.com/security/cve/CVE-2024-23652.html CVE-2024-23652 https://bugzilla.suse.com/1219268 SUSE Bug 1219268 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources. CVE-2024-23653 Image SLES12-SP5-Azure-Basic-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-EC2-On-Demand:docker-25.0.5_ce-98.112.1 Image SLES12-SP5-GCE-On-Demand:docker-25.0.5_ce-98.112.1 SUSE Linux Enterprise Module for Containers 12:docker-25.0.5_ce-98.112.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241469-1/ https://www.suse.com/security/cve/CVE-2024-23653.html CVE-2024-23653 https://bugzilla.suse.com/1219438 SUSE Bug 1219438