Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20510-1 Final 1 1 2025-07-28T14:33:11Z current 2025-07-28T14:33:11Z 2025-07-28T14:33:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: - Update to Go 1.24 for builds, to match upstream. - Update to Docker 28.3.2-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/28/#2832> - Update to Docker 28.3.1-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/28/#2831> - Update to Docker 28.3.0-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/28/#2830> bsc#1246556 - Update to docker-buildx v0.25.0. Upstream changelog: <https://github.com/docker/buildx/releases/tag/v0.25.0> - CVE-2025-22872: golang.org/x/net/html: Fixed incorrectly interpreted tags causing content to be placed wrong scope during DOM construction (bsc#1241830) - Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as Docker does not have permission to access the host zypper credentials in this mode (and unprivileged users cannot disable the feature using /etc/docker/suse-secrets-enable.) bsc#1240150 - Always clear SUSEConnect suse_* secrets when starting containers regardless of whether the daemon was built with SUSEConnect support. Not doing this causes containers from SUSEConnect-enabled daemons to fail to start when running with SUSEConnect-disabled (i.e. upstream) daemons. This was a long-standing issue with our secrets support but until recently this would've required migrating from SLE packages to openSUSE packages (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built SUSEConnect support, this is now a practical issue users will run into. bsc#1244035 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-398 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520510-1/ Link for SUSE-SU-2025:20510-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041041.html E-Mail link for SUSE-SU-2025:20510-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240150 SUSE Bug 1240150 https://bugzilla.suse.com/1241830 SUSE Bug 1241830 https://bugzilla.suse.com/1242114 SUSE Bug 1242114 https://bugzilla.suse.com/1243833 SUSE Bug 1243833 https://bugzilla.suse.com/1244035 SUSE Bug 1244035 https://bugzilla.suse.com/1246556 SUSE Bug 1246556 https://www.suse.com/security/cve/CVE-2025-22872/ SUSE CVE CVE-2025-22872 page SUSE Linux Micro 6.0 docker-28.3.2_ce-5.1 docker-buildx-0.25.0-5.1 docker-28.3.2_ce-5.1 as a component of SUSE Linux Micro 6.0 docker-buildx-0.25.0-5.1 as a component of SUSE Linux Micro 6.0 The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts). CVE-2025-22872 SUSE Linux Micro 6.0:docker-28.3.2_ce-5.1 SUSE Linux Micro 6.0:docker-buildx-0.25.0-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520510-1/ https://www.suse.com/security/cve/CVE-2025-22872.html CVE-2025-22872 https://bugzilla.suse.com/1241710 SUSE Bug 1241710