Security update for docker

Announcement ID:	SUSE-SU-2025:20259-1
Release Date:	2025-03-31T16:54:11Z
Rating:	critical
References:	bsc#1217070 bsc#1223409 bsc#1228324 bsc#1228553 bsc#1229806 bsc#1230294 bsc#1230331 bsc#1230333 bsc#1231348 bsc#1232999 bsc#1233819 bsc#1234089 bsc#1237335
Cross-References:	CVE-2023-45142 CVE-2023-47108 CVE-2024-29018 CVE-2024-41110
CVSS scores:	CVE-2023-45142 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-45142 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-47108 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-47108 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-29018 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-29018 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-29018 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-29018 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:	SUSE Linux Micro 6.1

An update that solves four vulnerabilities and has nine fixes can now be installed.

Description:

This update for docker fixes the following issues:

• This update includes fixes for:

• CVE-2024-41110: Fixed Authz zero length regression (bsc#1228324)

• CVE-2023-47108: Fixed otelgrpc: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality (bsc#1217070 bsc#1229806)

• CVE-2023-45142: Fixed otelhttp,otelhttptrace,otelrestful: DoS vulnerability (bsc#1228553 bsc#1229806)

• Update to Docker 27.5.1-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#2741> bsc#1237335

• Update to docker-buildx 0.20.1. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.20.1>

• Update to Docker 27.4.1-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#2741>

• Update to docker-buildx 0.19.3. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.19.3>

• Update to Docker 27.4.0-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#274>

<https://github.com/docker/buildx/releases/tag/v0.19.2>.

Some notable changelogs from the last update: * <https://github.com/docker/buildx/releases/tag/v0.19.0> * <https://github.com/docker/buildx/releases/tag/v0.18.0>

• Update to Go 1.22.

• Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999

In order to disable these mounts, just do

echo 0 > /etc/docker/suse-secrets-enable

and restart Docker. In order to re-enable them, just do

echo 1 > /etc/docker/suse-secrets-enable

and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not.

• Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819

• Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases.

• Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.17.1>

• Mark docker-buildx as required since classic "docker build" has been deprecated since Docker 23.0. bsc#1230331

• Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate package, but with docker-stable it will be necessary to maintain the packages together and it makes more sense to have them live in the same OBS package. bsc#1230333

• Update to Docker 26.1.5-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/26.1/#2615> bsc#1230294

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.1
  zypper in -t patch SUSE-SLE-Micro-6.1-37=1

Package List:

• SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
  • docker-debuginfo-27.5.1_ce-slfo.1.1_1.1
  • docker-27.5.1_ce-slfo.1.1_1.1

References:

• https://www.suse.com/security/cve/CVE-2023-45142.html
• https://www.suse.com/security/cve/CVE-2023-47108.html
• https://www.suse.com/security/cve/CVE-2024-29018.html
• https://www.suse.com/security/cve/CVE-2024-41110.html
• https://bugzilla.suse.com/show_bug.cgi?id=1217070
• https://bugzilla.suse.com/show_bug.cgi?id=1223409
• https://bugzilla.suse.com/show_bug.cgi?id=1228324
• https://bugzilla.suse.com/show_bug.cgi?id=1228553
• https://bugzilla.suse.com/show_bug.cgi?id=1229806
• https://bugzilla.suse.com/show_bug.cgi?id=1230294
• https://bugzilla.suse.com/show_bug.cgi?id=1230331
• https://bugzilla.suse.com/show_bug.cgi?id=1230333
• https://bugzilla.suse.com/show_bug.cgi?id=1231348
• https://bugzilla.suse.com/show_bug.cgi?id=1232999
• https://bugzilla.suse.com/show_bug.cgi?id=1233819
• https://bugzilla.suse.com/show_bug.cgi?id=1234089
• https://bugzilla.suse.com/show_bug.cgi?id=1237335