Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20110-1 Final 1 1 2025-02-03T09:19:38Z current 2025-02-03T09:19:38Z 2025-02-03T09:19:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: - Update docker-buildx to v0.19.2. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.19.2>. Some notable changelogs from the last update: * <https://github.com/docker/buildx/releases/tag/v0.19.0> * <https://github.com/docker/buildx/releases/tag/v0.18.0> - Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999 In order to disable these mounts, just do echo 0 > /etc/docker/suse-secrets-enable and restart Docker. In order to re-enable them, just do echo 1 > /etc/docker/suse-secrets-enable and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not. - Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases. - Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.17.1> - Add %{_sysconfdir}/audit/rules.d to filelist. - Update to Docker 26.1.5-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/26.1/#2615> bsc#1230294 - This update includes fixes for: * CVE-2024-41110. bsc#1228324 * CVE-2023-47108. bsc#1217070 * CVE-2023-45142. bsc#1228553 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-169 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520110-1/ Link for SUSE-SU-2025:20110-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021212.html E-Mail link for SUSE-SU-2025:20110-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217070 SUSE Bug 1217070 https://bugzilla.suse.com/1228324 SUSE Bug 1228324 https://bugzilla.suse.com/1228553 SUSE Bug 1228553 https://bugzilla.suse.com/1229806 SUSE Bug 1229806 https://bugzilla.suse.com/1230294 SUSE Bug 1230294 https://bugzilla.suse.com/1230331 SUSE Bug 1230331 https://bugzilla.suse.com/1230333 SUSE Bug 1230333 https://bugzilla.suse.com/1231348 SUSE Bug 1231348 https://bugzilla.suse.com/1232999 SUSE Bug 1232999 https://bugzilla.suse.com/1233819 SUSE Bug 1233819 https://www.suse.com/security/cve/CVE-2023-45142/ SUSE CVE CVE-2023-45142 page https://www.suse.com/security/cve/CVE-2023-47108/ SUSE CVE CVE-2023-47108 page https://www.suse.com/security/cve/CVE-2024-41110/ SUSE CVE CVE-2024-41110 page SUSE Linux Micro 6.0 docker-26.1.5_ce-1.1 docker-26.1.5_ce-1.1 as a component of SUSE Linux Micro 6.0 OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 SUSE Linux Micro 6.0:docker-26.1.5_ce-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520110-1/ https://www.suse.com/security/cve/CVE-2023-45142.html CVE-2023-45142 https://bugzilla.suse.com/1228553 SUSE Bug 1228553 OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 SUSE Linux Micro 6.0:docker-26.1.5_ce-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520110-1/ https://www.suse.com/security/cve/CVE-2023-47108.html CVE-2023-47108 https://bugzilla.suse.com/1217070 SUSE Bug 1217070 Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 SUSE Linux Micro 6.0:docker-26.1.5_ce-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520110-1/ https://www.suse.com/security/cve/CVE-2024-41110.html CVE-2024-41110 https://bugzilla.suse.com/1228324 SUSE Bug 1228324