Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20360-1 Final 1 1 2025-05-27T08:58:34Z current 2025-05-27T08:58:34Z 2025-05-27T08:58:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: Update to docker-buildx v0.22.0: - CVE-2025-0495: buildx: credential leakage to telemetry endpoints when credentials allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239185). - CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239322). Bug fixes: - Fix unconditional container-selinux pull (bsc#1237367). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-121 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520360-1/ Link for SUSE-SU-2025:20360-1 https://lists.suse.com/pipermail/sle-updates/2025-June/039499.html E-Mail link for SUSE-SU-2025:20360-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237367 SUSE Bug 1237367 https://bugzilla.suse.com/1239185 SUSE Bug 1239185 https://bugzilla.suse.com/1239322 SUSE Bug 1239322 https://bugzilla.suse.com/1239765 SUSE Bug 1239765 https://www.suse.com/security/cve/CVE-2025-0495/ SUSE CVE CVE-2025-0495 page https://www.suse.com/security/cve/CVE-2025-22868/ SUSE CVE CVE-2025-22868 page https://www.suse.com/security/cve/CVE-2025-22869/ SUSE CVE CVE-2025-22869 page SUSE Linux Micro 6.1 docker-27.5.1_ce-slfo.1.1_2.1 docker-buildx-0.22.0-slfo.1.1_2.1 docker-27.5.1_ce-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 docker-buildx-0.22.0-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication. CVE-2025-0495 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_2.1 SUSE Linux Micro 6.1:docker-buildx-0.22.0-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520360-1/ https://www.suse.com/security/cve/CVE-2025-0495.html CVE-2025-0495 https://bugzilla.suse.com/1239765 SUSE Bug 1239765 An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_2.1 SUSE Linux Micro 6.1:docker-buildx-0.22.0-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520360-1/ https://www.suse.com/security/cve/CVE-2025-22868.html CVE-2025-22868 https://bugzilla.suse.com/1239186 SUSE Bug 1239186 SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_2.1 SUSE Linux Micro 6.1:docker-buildx-0.22.0-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520360-1/ https://www.suse.com/security/cve/CVE-2025-22869.html CVE-2025-22869 https://bugzilla.suse.com/1239322 SUSE Bug 1239322