Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02289-1 Final 1 1 2025-07-11T11:12:49Z current 2025-07-11T11:12:49Z 2025-07-11T11:12:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: Update to Docker 28.2.2-ce (bsc#1243833, bsc#1242114): - CVE-2025-0495: Fixed credential leakage to telemetry endpoints when credentials allowed to be set as attribute values in cache-to/cache-from configuration.(bsc#1239765) - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction (bsc#1241830). Other fixes: - Update to docker-buildx v0.22.0. - Always clear SUSEConnect suse_* secrets when starting containers (bsc#1244035). - Disable transparent SUSEConnect support for SLE-16. (jsc#PED-12534) - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. (jsc#PED-8905) - SUSEConnect secrets fails in SLES rootless docker containers (bsc#1240150). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP4-HPC-BYOS-2025-2289,Image SLES15-SP4-HPC-BYOS-EC2-2025-2289,Image SLES15-SP4-HPC-EC2-2025-2289,Image SLES15-SP4-Hardened-BYOS-2025-2289,Image SLES15-SP4-Hardened-BYOS-EC2-2025-2289,Image SLES15-SP5-EC2-2025-2289,Image SLES15-SP5-Hardened-BYOS-EC2-2025-2289,Image SLES15-SP6-2025-2289,Image SLES15-SP6-Azure-Basic-2025-2289,Image SLES15-SP6-CHOST-BYOS-2025-2289,Image SLES15-SP6-CHOST-BYOS-Aliyun-2025-2289,Image SLES15-SP6-CHOST-BYOS-Azure-2025-2289,Image SLES15-SP6-CHOST-BYOS-EC2-2025-2289,Image SLES15-SP6-CHOST-BYOS-GCE-2025-2289,Image SLES15-SP6-CHOST-BYOS-GDC-2025-2289,Image SLES15-SP6-CHOST-BYOS-SAP-CCloud-2025-2289,SUSE-2025-2289,SUSE-SLE-Micro-5.3-2025-2289,SUSE-SLE-Micro-5.4-2025-2289,SUSE-SLE-Micro-5.5-2025-2289,SUSE-SLE-Module-Basesystem-15-SP7-2025-2289,SUSE-SLE-Module-Containers-15-SP6-2025-2289,SUSE-SLE-Module-Containers-15-SP7-2025-2289,SUSE-SUSE-MicroOS-5.1-2025-2289,SUSE-SUSE-MicroOS-5.2-2025-2289,openSUSE-SLE-15.6-2025-2289 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502289-1/ Link for SUSE-SU-2025:02289-1 https://lists.suse.com/pipermail/sle-updates/2025-July/040684.html E-Mail link for SUSE-SU-2025:02289-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1239765 SUSE Bug 1239765 https://bugzilla.suse.com/1240150 SUSE Bug 1240150 https://bugzilla.suse.com/1241830 SUSE Bug 1241830 https://bugzilla.suse.com/1242114 SUSE Bug 1242114 https://bugzilla.suse.com/1243833 SUSE Bug 1243833 https://bugzilla.suse.com/1244035 SUSE Bug 1244035 https://www.suse.com/security/cve/CVE-2025-0495/ SUSE CVE CVE-2025-0495 page https://www.suse.com/security/cve/CVE-2025-22872/ SUSE CVE CVE-2025-22872 page Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP5-EC2 Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP6 Image SLES15-SP6-Azure-Basic Image SLES15-SP6-CHOST-BYOS Image SLES15-SP6-CHOST-BYOS-Aliyun Image SLES15-SP6-CHOST-BYOS-Azure Image SLES15-SP6-CHOST-BYOS-EC2 Image SLES15-SP6-CHOST-BYOS-GCE Image SLES15-SP6-CHOST-BYOS-GDC Image SLES15-SP6-CHOST-BYOS-SAP-CCloud SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Module for Containers 15 SP6 SUSE Linux Enterprise Module for Containers 15 SP7 openSUSE Leap 15.6 docker-28.2.2_ce-150000.227.1 docker-bash-completion-28.2.2_ce-150000.227.1 docker-fish-completion-28.2.2_ce-150000.227.1 docker-rootless-extras-28.2.2_ce-150000.227.1 docker-stable-24.0.9_ce-150000.1.22.1 docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 docker-stable-fish-completion-24.0.9_ce-150000.1.22.1 docker-stable-rootless-extras-24.0.9_ce-150000.1.22.1 docker-stable-zsh-completion-24.0.9_ce-150000.1.22.1 docker-zsh-completion-28.2.2_ce-150000.227.1 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP4-HPC-BYOS docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP4-HPC-BYOS-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP4-HPC-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP4-Hardened-BYOS docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP4-Hardened-BYOS-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP5-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP5-Hardened-BYOS-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-Azure-Basic docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-Aliyun docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-Azure docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-EC2 docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-GCE docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-GDC docker-28.2.2_ce-150000.227.1 as a component of Image SLES15-SP6-CHOST-BYOS-SAP-CCloud docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Micro 5.1 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Micro 5.2 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Micro 5.3 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Micro 5.4 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Micro 5.5 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 docker-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 docker-bash-completion-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 docker-rootless-extras-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 docker-stable-24.0.9_ce-150000.1.22.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 docker-bash-completion-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP7 docker-rootless-extras-28.2.2_ce-150000.227.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP7 docker-stable-24.0.9_ce-150000.1.22.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP7 docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP7 docker-28.2.2_ce-150000.227.1 as a component of openSUSE Leap 15.6 docker-bash-completion-28.2.2_ce-150000.227.1 as a component of openSUSE Leap 15.6 docker-fish-completion-28.2.2_ce-150000.227.1 as a component of openSUSE Leap 15.6 docker-rootless-extras-28.2.2_ce-150000.227.1 as a component of openSUSE Leap 15.6 docker-stable-24.0.9_ce-150000.1.22.1 as a component of openSUSE Leap 15.6 docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 as a component of openSUSE Leap 15.6 docker-stable-fish-completion-24.0.9_ce-150000.1.22.1 as a component of openSUSE Leap 15.6 docker-stable-rootless-extras-24.0.9_ce-150000.1.22.1 as a component of openSUSE Leap 15.6 docker-stable-zsh-completion-24.0.9_ce-150000.1.22.1 as a component of openSUSE Leap 15.6 docker-zsh-completion-28.2.2_ce-150000.227.1 as a component of openSUSE Leap 15.6 Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication. CVE-2025-0495 Image SLES15-SP4-HPC-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-HPC-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-HPC-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-Hardened-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-Hardened-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP5-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP5-Hardened-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-Azure-Basic:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-Aliyun:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-Azure:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-GCE:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-GDC:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-SAP-CCloud:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.1:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.2:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.3:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.4:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.5:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-bash-completion-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-rootless-extras-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-stable-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-bash-completion-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-rootless-extras-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-stable-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-bash-completion-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-fish-completion-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-rootless-extras-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-stable-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-fish-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-rootless-extras-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-zsh-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-zsh-completion-28.2.2_ce-150000.227.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502289-1/ https://www.suse.com/security/cve/CVE-2025-0495.html CVE-2025-0495 https://bugzilla.suse.com/1239765 SUSE Bug 1239765 The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). CVE-2025-22872 Image SLES15-SP4-HPC-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-HPC-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-HPC-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-Hardened-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP4-Hardened-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP5-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP5-Hardened-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-Azure-Basic:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-Aliyun:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-Azure:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-EC2:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-GCE:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-GDC:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS-SAP-CCloud:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6-CHOST-BYOS:docker-28.2.2_ce-150000.227.1 Image SLES15-SP6:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.1:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.2:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.3:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.4:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Micro 5.5:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-bash-completion-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-rootless-extras-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-stable-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP6:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-bash-completion-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-rootless-extras-28.2.2_ce-150000.227.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-stable-24.0.9_ce-150000.1.22.1 SUSE Linux Enterprise Module for Containers 15 SP7:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-bash-completion-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-fish-completion-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-rootless-extras-28.2.2_ce-150000.227.1 openSUSE Leap 15.6:docker-stable-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-bash-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-fish-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-rootless-extras-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-stable-zsh-completion-24.0.9_ce-150000.1.22.1 openSUSE Leap 15.6:docker-zsh-completion-28.2.2_ce-150000.227.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502289-1/ https://www.suse.com/security/cve/CVE-2025-22872.html CVE-2025-22872 https://bugzilla.suse.com/1241710 SUSE Bug 1241710