Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package docker-stable for openSUSE:Factory checked in at 2026-02-25 21:07:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker-stable (Old) and /work/SRC/openSUSE:Factory/.docker-stable.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-stable" Wed Feb 25 21:07:41 2026 rev:17 rq:1334906 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/docker-stable/docker-stable.changes 2025-10-29 21:08:25.275075640 +0100 +++ /work/SRC/openSUSE:Factory/.docker-stable.new.1977/docker-stable.changes 2026-02-25 21:10:41.982488460 +0100 
@@ -1,0 +2,55 @@ +Thu Feb 19 14:16:13 UTC 2026 - Valentin Lefebvre <[email protected]> + +- Places a hard cap on the amount of mechanisms that can be specified and + encoded in the payload. (bsc#1253904, CVE-2025-58181) + * 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch +- Rebase patches: + * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch + * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + * 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch + * 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch + * 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch + * 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch + * 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch + * 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch + * 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch + * 0014-TESTS-backport-fixes-for-integration-tests.patch + * 0015-bsc1247362-release-container-layer-on-export.patch + * 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch + * 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch + +------------------------------------------------------------------- +Wed Feb 11 08:04:37 UTC 2026 - Madhankumar Chellamuthu <[email protected]> + +- Backport <https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3> + to remove strings.Split and add parseToken function, bsc#1240513 + fixes CVE-2025-30204 + + 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch + +------------------------------------------------------------------- +Mon Feb 2 10:44:22 UTC 2026 - Thomas Blume <[email protected]> + +- Fix package from immutable mode (jsc#PED-14749) + 
* Migrate /var/lib/docker creation to docker.tmpfiles +- Replace obsolete packageand syntax with newer syntax + +------------------------------------------------------------------- +Fri Nov 28 08:17:00 UTC 2025 - Aleksa Sarai <[email protected]> + +- Add Requires containers-selinux on systems with selinux-policy installed. + bsc#1252672 + +------------------------------------------------------------------- +Wed Nov 26 13:25:34 UTC 2025 - Aleksa Sarai <[email protected]> + +- Backport <https://github.com/moby/moby/pull/47498> to fix incorrect + permissions for overlayfs lowerdir. In practice the permissions of this + directory are immaterial but some security scanners falsely flag this as an + issue. bsc#1254206 + + 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch + +------------------------------------------------------------------- New: ---- 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch docker.tmpfiles ----------(New B)---------- New: * 0015-bsc1247362-release-container-layer-on-export.patch * 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch * 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch New: * 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch * 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch New: encoded in the payload. (bsc#1253904, CVE-2025-58181) * 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch - Rebase patches: ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-stable.spec ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.774603620 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.778603785 +0100 
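Review bot: the Fri Nov 28 changelog entry names the package `containers-selinux`, but the spec hunk it describes adds `Requires: (container-selinux if selinux-policy)`; align the changelog with the real package name so the entry matches what `rpm -q --requires` will show. In the Thu Feb 19 entry, "a hard cap on the amount of mechanisms" reads better as "on the number of mechanisms", and it is worth saying which code the cap protects (the vendored crypto/ssh, as the patch filename `0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch` indicates) so readers of the changelog do not have to open the patch.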
@@ -1,7 +1,7 @@ # # spec file for package docker-stable # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -97,6 +97,9 @@ Source140: docker-audit.rules Source150: docker-daemon.json Source160: docker.sysusers +%if 0%{?suse_version} >= 1500 +Source170: docker.tmpfiles +%endif # docker-integration-tests-devel Source900: docker-integration.sh # NOTE: All of these patches are maintained in <https://github.com/suse/docker> @@ -135,6 +138,12 @@ Patch209: 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch # UPSTREAM: Backport of <https://github.com/moby/moby/pull/48517>. bsc#1247362 Patch210: 0015-bsc1247362-release-container-layer-on-export.patch +# UPSTREAM: Backport of <https://github.com/moby/moby/pull/47498>. bsc#1254206 +Patch211: 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch +# UPSTREAM: Backport of <https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3>. bsc#1240513 +Patch212: 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch +# UPSTREAM: Backport of <https://go-review.googlesource.com/c/crypto/+/721961> bsc#1253904 +Patch213: 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch # UPSTREAM: Backport of <https://github.com/moby/moby/pull/46307> and # <https://github.com/moby/moby/pull/49061>. Patch299: 0014-TESTS-backport-fixes-for-integration-tests.patch @@ -164,6 +173,7 @@ %if 0%{?suse_version} >= 1500 # This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we # don't need to support Docker+selinux for SLE 12 anyway. +Requires: (container-selinux if selinux-policy) Requires: (apparmor-parser or container-selinux) # This recommends is added to make sure that even if you have container-selinux # installed you will still be prompted to install apparmor-parser which Docker 
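Review bot: `Source170: docker.tmpfiles` in the `@@ -97,6 +97,9 @@` hunk is declared only under `%if 0%{?suse_version} >= 1500`, while the %install and %files hunks later in this spec diff choose the tmpfiles path with `%if 0%{?suse_version} && 0%{?suse_version} < 1500 ... %else`, whose `%else` branch is also taken when `suse_version` is undefined (evaluates to 0); on such a build `%{SOURCE170}` is referenced without a matching `Source170:` line. Use the same condition in all three places, e.g. guard the declaration with `%if !(0%{?suse_version} && 0%{?suse_version} < 1500)`, or declare `Source170` unconditionally since an unused Source is harmless.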
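Review bot: in the `@@ -135,6 +138,12 @@` hunk the new comment `# UPSTREAM: Backport of <https://go-review.googlesource.com/c/crypto/+/721961> bsc#1253904` drops the trailing period after the URL that the neighbouring Patch210, Patch211 and Patch212 comments carry; keep the format consistent (`<...>. bsc#1253904`) so the UPSTREAM lines stay greppable by one pattern.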
@@ -317,7 +327,12 @@ Group: System/Shells Requires: %{name} = %{docker_version} Requires: bash-completion +#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies) +%if 0%{?suse_version} && 0%{?suse_version} < 1500 Supplements: packageand(%{name}:bash-completion) +%else +Supplements: (%{name} and bash-completion) +%endif BuildArch: noarch # docker-stable cannot be used alongside docker. %if "%{name}" == "docker-stable" @@ -336,7 +351,12 @@ Group: System/Shells Requires: %{name} = %{docker_version} Requires: zsh +#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies) +%if 0%{?suse_version} && 0%{?suse_version} < 1500 Supplements: packageand(%{name}:zsh) +%else +Supplements: (%{name} and zsh) +%endif BuildArch: noarch # docker-stable cannot be used alongside docker. %if "%{name}" == "docker-stable" @@ -355,7 +375,12 @@ Group: System/Shells Requires: %{name} = %{docker_version} Requires: fish +#obsolete packageand (see https://en.opensuse.org/RPM_Boolean_Dependencies) +%if 0%{?suse_version} && 0%{?suse_version} < 1500 Supplements: packageand(%{name}:fish) +%else +Supplements: (%{name} and fish) +%endif BuildArch: noarch # docker-stable cannot be used alongside docker. %if "%{name}" == "docker-stable" @@ -422,6 +447,12 @@ %patch -P209 -p1 # bsc#1247362 %patch -P210 -p1 +# bsc#1254206 +%patch -P211 -p1 +# bsc#1240513 +%patch -P212 -p1 +# bsc#1253904 +%patch -P213 -p1 %if %{with integration_tests} # integration-tests patches %patch -P299 -p1 
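Review bot: the `@@ -317`, `@@ -336` and `@@ -355` hunks paste the same five-line `%if 0%{?suse_version} && 0%{?suse_version} < 1500 / Supplements: packageand(...) / %else / Supplements: (%{name} and ...) / %endif` block into the bash-completion, zsh and fish subpackages; a small spec-local macro taking the completion package name would keep the three in step the next time the condition changes. Also, `#obsolete packageand (see ...)` lacks the space after `#` that every other comment in this spec uses, and it would help to say which rpm version introduced boolean dependencies (the comment two hunks earlier already records "rpm>=4.13" for the same limitation).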
@@ -521,8 +552,14 @@ install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/lib/docker/cli-plugins/docker-buildx %endif +%if 0%{?suse_version} && 0%{?suse_version} < 1500 # /var/lib/docker install -d %{buildroot}/%{_localstatedir}/lib/docker +%else +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 0644 %{SOURCE170} %{buildroot}%{_tmpfilesdir}/docker.conf +%endif + # daemon.json config file install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json %if %{with suseconnect} @@ -614,7 +651,12 @@ %{_bindir}/dockerd %{_bindir}/docker-proxy %{_sbindir}/rcdocker +%if 0%{?suse_version} && 0%{?suse_version} < 1500 %dir %{_localstatedir}/lib/docker/ +%else +%ghost %attr(0750,root,root) %{_localstatedir}/lib/docker +%{_tmpfilesdir}/docker.conf +%endif %dir /usr/lib/docker %dir /usr/lib/docker/cli-plugins ++++++ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.814605270 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.818605435 +0100 @@ -1,7 +1,7 @@ From b72bd92cc6e44b8ee6cfe21ae85d8deecececdd3 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 4 Jun 2025 15:01:37 +1000 -Subject: [PATCH 01/14] SECRETS: SUSE: always clear our internal secrets +Subject: [PATCH 01/18] SECRETS: SUSE: always clear our internal secrets In the future SUSEConnect support patch, we will add swarm secrets with the ID suse_* containing credentials pertinent to SUSEConnect. @@ -31,7 +31,7 @@ create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index 2e0b9e6be847..9fb77b5cfe17 100644 +index 2e0b9e6be8..9fb77b5cfe 100644 --- a/daemon/start.go +++ b/daemon/start.go @@ -151,6 +151,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C @@ -53,7 +53,7 @@ return errdefs.System(err) 
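Review bot: the `@@ -614,7 +651,12 @@` hunk packages `/var/lib/docker` as `%ghost %attr(0750,root,root)`, tighter than the 0755 directory the previous `install -d` produced, but the mode and owner actually applied at runtime come from `docker.tmpfiles`, whose contents are not part of this diff; please confirm the tmpfiles line declares the same `0750 root root`, otherwise `rpm -V` and the directory on disk will disagree. Two smaller points: `%ghost %dir` makes the directory intent explicit for a ghosted path, and the hunks shown contain no `%post` change calling `%tmpfiles_create %{_tmpfilesdir}/docker.conf`, so on a fresh install the directory will only be created by systemd-tmpfiles at the next boot unless that hook exists outside the shown hunks; an immediate `systemctl start docker` after installation would then run without the packaged directory in place.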
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 000000000000..b8f3d9f9c094 +index 0000000000..b8f3d9f9c0 --- /dev/null +++ b/daemon/suse_secrets.go @@ -0,0 +1,44 @@ @@ -102,6 +102,6 @@ + c.SecretReferences = without +} -- -2.49.0 +2.52.0 ++++++ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.834606095 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.838606260 +0100 @@ -1,7 +1,7 @@ From 18acd6381a22adba9dfeb41053c21ce08d5994d4 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 02/14] SECRETS: daemon: allow directory creation in +Subject: [PATCH 02/18] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore @@ -15,7 +15,7 @@ 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 290ec59a34a7..b7013fb89c83 100644 +index 290ec59a34..b7013fb89c 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -4,6 +4,7 @@ @@ -70,6 +70,6 @@ return errors.Wrap(err, "error setting ownership for secret") } -- -2.49.0 +2.52.0 ++++++ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.858607085 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.862607250 +0100 @@ -1,7 +1,7 @@ From a102adce24c2b15ad3db0fa39cff2a336781923e Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 03/14] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 03/18] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. 
@@ -22,7 +22,7 @@ 2 files changed, 443 insertions(+) diff --git a/daemon/start.go b/daemon/start.go -index 9fb77b5cfe17..90557aeee15a 100644 +index 9fb77b5cfe..90557aeee1 100644 --- a/daemon/start.go +++ b/daemon/start.go @@ -161,6 +161,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C @@ -38,7 +38,7 @@ if err != nil { return errdefs.System(err) diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go -index b8f3d9f9c094..9ff3fa6d31e4 100644 +index b8f3d9f9c0..9ff3fa6d31 100644 --- a/daemon/suse_secrets.go +++ b/daemon/suse_secrets.go @@ -18,15 +18,379 @@ @@ -500,6 +500,6 @@ + return nil +} -- -2.49.0 +2.52.0 ++++++ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.878607910 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.882608075 +0100 @@ -1,7 +1,7 @@ From ba2fbfac1b3001d2e4e874b30456546f07039f2b Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Mon, 22 May 2023 15:44:54 +1000 -Subject: [PATCH 04/14] BUILD: SLE12: revert "graphdriver/btrfs: use kernel +Subject: [PATCH 04/18] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI headers" This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. @@ -16,7 +16,7 @@ 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go -index d88efc4be2bb..4e976aa689cd 100644 +index d88efc4be2..4e976aa689 100644 --- a/daemon/graphdriver/btrfs/btrfs.go +++ b/daemon/graphdriver/btrfs/btrfs.go @@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs" 
@@ -42,6 +42,6 @@ static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); -- -2.49.0 +2.52.0 ++++++ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.898608735 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.906609065 +0100 @@ -1,7 +1,7 @@ From d89fec1bef20bcc76c07ef886e033bb69fdd6f32 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 05/14] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 05/18] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -22,7 +22,7 @@ 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go -index 6376001613f7..5fde21a4af8a 100644 +index 6376001613..5fde21a4af 100644 --- a/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go @@ -24,6 +24,15 @@ func DefaultApparmorProfile() string { @@ -54,7 +54,7 @@ return nil } diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go -index e3dc18b32b5e..9c7723056268 100644 +index e3dc18b32b..9c77230562 100644 --- a/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go @@ -3,6 +3,10 @@ @@ -69,7 +69,7 @@ return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index 585d85086f8d..6e4c6ad1ac01 100644 +index 585d85086f..6e4c6ad1ac 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -845,8 +845,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S 
@@ -85,6 +85,6 @@ } -- -2.49.0 +2.52.0 ++++++ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.922609725 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.926609890 +0100 @@ -1,7 +1,7 @@ From 35f1693d5585b742a6749964c9bd05859c33f64b Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 11 Oct 2023 21:19:12 +1100 -Subject: [PATCH 06/14] SLE12: revert "apparmor: remove version-conditionals +Subject: [PATCH 06/18] SLE12: revert "apparmor: remove version-conditionals from template" This reverts the following commits: @@ -25,7 +25,7 @@ 5 files changed, 46 insertions(+), 6 deletions(-) diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go -index d67890d265de..f4a2978b86cb 100644 +index d67890d265..f4a2978b86 100644 --- a/contrib/apparmor/main.go +++ b/contrib/apparmor/main.go @@ -6,9 +6,13 @@ import ( @@ -68,7 +68,7 @@ log.Fatalf("executing template failed: %v", err) } diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go -index 58afcbe845ee..e6d0b6d37c58 100644 +index 58afcbe845..e6d0b6d37c 100644 --- a/contrib/apparmor/template.go +++ b/contrib/apparmor/template.go @@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) { @@ -156,7 +156,7 @@ /lib/** rm, /usr/bin/xz rm, diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go -index 3d7c2c5a97b3..2b5a2605f9c1 100644 +index 3d7c2c5a97..2b5a2605f9 100644 --- a/pkg/aaparser/aaparser.go +++ b/pkg/aaparser/aaparser.go @@ -13,8 +13,6 @@ const ( @@ -169,7 +169,7 @@ output, err := cmd("", "--version") if err != nil { diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go -index d0f236160506..b3566b2f7354 100644 +index d0f2361605..b3566b2f73 100644 --- a/profiles/apparmor/apparmor.go +++ b/profiles/apparmor/apparmor.go @@ -14,8 +14,10 @@ import ( @@ -208,7 +208,7 @@ } 
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go -index 9f207e2014a8..626e5f6789a3 100644 +index 9f207e2014..626e5f6789 100644 --- a/profiles/apparmor/template.go +++ b/profiles/apparmor/template.go @@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -237,6 +237,6 @@ } ` -- -2.49.0 +2.52.0 ++++++ 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.942610550 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.946610715 +0100 @@ -1,7 +1,7 @@ From e7445110df38791ba94bb4e47c80a22607b3dd9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Tue, 13 Feb 2024 16:57:32 +0100 -Subject: [PATCH 07/14] CVE-2024-2365x: update buildkit to include CVE patches +Subject: [PATCH 07/18] CVE-2024-2365x: update buildkit to include CVE patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -57,7 +57,7 @@ create mode 100644 vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go diff --git a/builder/builder-next/controller.go b/builder/builder-next/controller.go -index 46fc83eb7402..2693b8fab180 100644 +index 46fc83eb74..2693b8fab1 100644 --- a/builder/builder-next/controller.go +++ b/builder/builder-next/controller.go @@ -116,8 +116,8 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt @@ -83,7 +83,7 @@ return control.NewController(control.Opt{ diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go -index 3773b95c949a..64d7b9131b16 100644 +index 3773b95c94..64d7b9131b 100644 --- a/builder/builder-next/worker/worker.go +++ b/builder/builder-next/worker/worker.go @@ -50,7 +50,7 @@ import ( @@ -96,7 +96,7 @@ const labelCreatedAt = "buildkit/createdat" diff --git a/vendor.mod b/vendor.mod -index a1f8664e7d75..2eb13746cacd 100644 +index a1f8664e7d..2eb13746ca 100644 --- a/vendor.mod 
+++ b/vendor.mod @@ -98,6 +98,9 @@ require ( @@ -110,7 +110,7 @@ cloud.google.com/go v0.102.1 // indirect github.com/agext/levenshtein v1.2.3 // indirect diff --git a/vendor.sum b/vendor.sum -index 11d3aa6860f2..716245c80413 100644 +index 11d3aa6860..716245c804 100644 --- a/vendor.sum +++ b/vendor.sum @@ -1,19 +1,13 @@ @@ -2258,7 +2258,7 @@ -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= -sourcegraph.com/sqs/pbtypes v1.0.0/go.mod h1:3AciMUv4qUuRHRHhOG4TZOB+72GdPVz5k+c648qsFS4= diff --git a/vendor/github.com/moby/buildkit/control/control.go b/vendor/github.com/moby/buildkit/control/control.go -index 2bd06db2576b..f81b176d11be 100644 +index 2bd06db257..f81b176d11 100644 --- a/vendor/github.com/moby/buildkit/control/control.go +++ b/vendor/github.com/moby/buildkit/control/control.go @@ -394,6 +394,9 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (* @@ -2272,7 +2272,7 @@ Type: im.Type, Attrs: im.Attrs, diff --git a/vendor/github.com/moby/buildkit/executor/executor.go b/vendor/github.com/moby/buildkit/executor/executor.go -index a323bcc9cc94..61da4c9dd7c3 100644 +index a323bcc9cc..61da4c9dd7 100644 --- a/vendor/github.com/moby/buildkit/executor/executor.go +++ b/vendor/github.com/moby/buildkit/executor/executor.go @@ -6,7 +6,8 @@ import ( @@ -2301,7 +2301,7 @@ type Mount struct { diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec.go b/vendor/github.com/moby/buildkit/executor/oci/spec.go -index f825b1dce7ef..d8bdf898953b 100644 +index f825b1dce7..d8bdf89895 100644 --- a/vendor/github.com/moby/buildkit/executor/oci/spec.go +++ b/vendor/github.com/moby/buildkit/executor/oci/spec.go @@ -12,7 +12,6 @@ import ( @@ -2390,7 +2390,7 @@ for _, item := range s { 
diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_linux.go b/vendor/github.com/moby/buildkit/executor/oci/spec_linux.go new file mode 100644 -index 000000000000..abbf0879d87a +index 0000000000..abbf0879d8 --- /dev/null +++ b/vendor/github.com/moby/buildkit/executor/oci/spec_linux.go @@ -0,0 +1,57 @@ @@ -2453,7 +2453,7 @@ +} diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go b/vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go new file mode 100644 -index 000000000000..3442f594dbe6 +index 0000000000..3442f594db --- /dev/null +++ b/vendor/github.com/moby/buildkit/executor/oci/spec_non_linux.go @@ -0,0 +1,18 @@ @@ -2476,7 +2476,7 @@ + return m, func() error { return nil }, nil +} diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go -index 48b0969e3922..757bd397dec4 100644 +index 48b0969e39..757bd397de 100644 --- a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go +++ b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go @@ -4,7 +4,9 @@ @@ -2503,7 +2503,7 @@ + return m, func() error { return nil }, nil +} diff --git a/vendor/github.com/moby/buildkit/executor/stubs.go b/vendor/github.com/moby/buildkit/executor/stubs.go -index 22a8ac1310c4..09e26581a68c 100644 +index 22a8ac1310..09e26581a6 100644 --- a/vendor/github.com/moby/buildkit/executor/stubs.go +++ b/vendor/github.com/moby/buildkit/executor/stubs.go @@ -4,6 +4,7 @@ import ( @@ -2560,7 +2560,7 @@ } } diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go -index f77cd3f52565..6d01dc0f6e33 100644 +index f77cd3f525..6d01dc0f6e 100644 --- a/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go +++ b/vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/parse.go 
@@ -17,6 +17,18 @@ func ParsePlatforms(meta map[string][]byte) (Platforms, error) { @@ -2592,7 +2592,7 @@ } p = platforms.Normalize(p) diff --git a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go -index 4cccd9db5128..cf61e0c8e6f4 100644 +index 4cccd9db51..cf61e0c8e6 100644 --- a/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go +++ b/vendor/github.com/moby/buildkit/exporter/containerimage/writer.go @@ -611,11 +611,27 @@ func parseHistoryFromConfig(dt []byte) ([]ocispecs.History, error) { @@ -2624,7 +2624,7 @@ rootFS.Type = "layers" for _, desc := range descs { diff --git a/vendor/github.com/moby/buildkit/frontend/frontend.go b/vendor/github.com/moby/buildkit/frontend/frontend.go -index 024ac802045c..4a068d17d41f 100644 +index 024ac80204..4a068d17d4 100644 --- a/vendor/github.com/moby/buildkit/frontend/frontend.go +++ b/vendor/github.com/moby/buildkit/frontend/frontend.go @@ -4,6 +4,7 @@ import ( @@ -2645,7 +2645,7 @@ type FrontendLLBBridge interface { diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go -index 5ffe67233c50..c5112db9db64 100644 +index 5ffe67233c..c5112db9db 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go @@ -30,8 +30,14 @@ func AttestationToPB[T any](a *result.Attestation[T]) (*pb.Attestation, error) { @@ -2664,7 +2664,7 @@ Kind: subject.Kind, Name: subject.Name, diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/container.go b/vendor/github.com/moby/buildkit/frontend/gateway/container.go -index d6161d1def93..9fb4d928d66d 100644 +index d6161d1def..9fb4d928d6 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/container.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/container.go 
@@ -43,7 +43,7 @@ type Mount struct { @@ -2698,7 +2698,7 @@ cm = refs[m.Input].Worker.CacheManager() } diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go b/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go -index e13894ba37ed..4c374e781de9 100644 +index e13894ba37..4c374e781d 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go @@ -6,6 +6,7 @@ import ( @@ -2751,7 +2751,7 @@ return nil, err } diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go b/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go -index 7cd25a0e8ea0..331559a39057 100644 +index 7cd25a0e8e..331559a390 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go @@ -3,6 +3,7 @@ package forwarder @@ -2774,7 +2774,7 @@ return nil, err } diff --git a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go -index 79825d0b651a..32971aabab57 100644 +index 79825d0b65..32971aabab 100644 --- a/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go +++ b/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go @@ -82,7 +82,7 @@ func filterPrefix(opts map[string]string, pfx string) map[string]string { @@ -2910,7 +2910,7 @@ Level: int(in.Level), SourceInfo: in.Info, diff --git a/vendor/github.com/moby/buildkit/snapshot/localmounter.go b/vendor/github.com/moby/buildkit/snapshot/localmounter.go -index 9ddb7c1af642..304eebc9e02d 100644 +index 9ddb7c1af6..304eebc9e0 100644 --- a/vendor/github.com/moby/buildkit/snapshot/localmounter.go +++ b/vendor/github.com/moby/buildkit/snapshot/localmounter.go @@ -11,22 +11,39 @@ type Mounter interface { @@ -2963,7 +2963,7 @@ + } } 
diff --git a/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go b/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go -index a4b7b1a9e409..0e1f40f298c4 100644 +index a4b7b1a9e4..0e1f40f298 100644 --- a/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go +++ b/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go @@ -5,6 +5,7 @@ package snapshot @@ -3037,7 +3037,7 @@ func (lm *localMounter) Unmount() error { diff --git a/vendor/github.com/moby/buildkit/snapshot/snapshotter.go b/vendor/github.com/moby/buildkit/snapshot/snapshotter.go -index edf95cee70cd..3150815bb3bc 100644 +index edf95cee70..3150815bb3 100644 --- a/vendor/github.com/moby/buildkit/snapshot/snapshotter.go +++ b/vendor/github.com/moby/buildkit/snapshot/snapshotter.go @@ -10,14 +10,11 @@ import ( @@ -3058,7 +3058,7 @@ // Snapshotter defines interface that any snapshot implementation should satisfy type Snapshotter interface { diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go -index 185fe81f0649..64cdf4cc916c 100644 +index 185fe81f06..64cdf4cc91 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go @@ -11,6 +11,7 @@ import ( @@ -3157,7 +3157,7 @@ id string b *provenanceBridge diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.go -index b30581c852d9..8b60f5e885fb 100644 +index b30581c852..8b60f5e885 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance.go @@ -161,7 +161,7 @@ func (b *provenanceBridge) Solve(ctx context.Context, req frontend.SolveRequest, @@ -3170,7 +3170,7 @@ return nil, err } 
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go -index 94d25ce5b7b2..16015244aa4b 100644 +index 94d25ce5b7..16015244aa 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go @@ -432,6 +432,9 @@ func (s *Solver) Solve(ctx context.Context, id string, sessionID string, req fro @@ -3227,7 +3227,7 @@ srcPol.Rules = append(srcPol.Rules, &r) } diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go -index 41a31bb9bbba..d57f2a053db1 100644 +index 41a31bb9bb..d57f2a053d 100644 --- a/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go +++ b/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go @@ -101,16 +101,12 @@ func ValidateEntitlements(ent entitlements.Set) LoadOpt { @@ -3253,7 +3253,7 @@ } return nil diff --git a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go -index 79ab4032a5ae..2abe1039071f 100644 +index 79ab4032a5..2abe103907 100644 --- a/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go +++ b/vendor/github.com/moby/buildkit/sourcepolicy/matcher.go @@ -10,6 +10,9 @@ import ( @@ -3267,7 +3267,7 @@ case spb.AttrMatch_EQUAL: if attrs[c.Key] != c.Value { diff --git a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go -index f65b426bb201..328580c326df 100644 +index f65b426bb2..328580c326 100644 --- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go +++ b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go @@ -58,3 +58,23 @@ func (s Set) Allowed(e Entitlement) bool { @@ -3295,7 +3295,7 @@ + SecurityInsecure bool +} 
diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go -index 2debe8835924..bc0df048d0a2 100644 +index 2debe88359..bc0df048d0 100644 --- a/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go +++ b/vendor/github.com/moby/buildkit/util/tracing/transform/attribute.go @@ -13,6 +13,9 @@ func Attributes(attrs []*commonpb.KeyValue) []attribute.KeyValue { @@ -3360,7 +3360,7 @@ } diff --git a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go -index f07d0c98e974..21137e704139 100644 +index f07d0c98e9..21137e7041 100644 --- a/vendor/github.com/moby/buildkit/util/tracing/transform/span.go +++ b/vendor/github.com/moby/buildkit/util/tracing/transform/span.go @@ -32,14 +32,20 @@ func Spans(sdl []*tracepb.ResourceSpans) []tracesdk.ReadOnlySpan { @@ -3419,7 +3419,7 @@ events = append(events, tracesdk.Event{ diff --git a/vendor/github.com/moby/buildkit/worker/worker.go b/vendor/github.com/moby/buildkit/worker/worker.go -index 2f426e9ead40..0a708227204b 100644 +index 2f426e9ead..0a70822720 100644 --- a/vendor/github.com/moby/buildkit/worker/worker.go +++ b/vendor/github.com/moby/buildkit/worker/worker.go @@ -43,6 +43,6 @@ type Worker interface { @@ -3431,7 +3431,7 @@ WorkerInfos() []client.WorkerInfo } diff --git a/vendor/github.com/moby/buildkit/worker/workercontroller.go b/vendor/github.com/moby/buildkit/worker/workercontroller.go -index e175b4002b4a..150eed352a3a 100644 +index e175b4002b..150eed352a 100644 --- a/vendor/github.com/moby/buildkit/worker/workercontroller.go +++ b/vendor/github.com/moby/buildkit/worker/workercontroller.go @@ -3,6 +3,7 @@ package worker @@ -3469,7 +3469,7 @@ + return c.c.WorkerInfos() +} diff --git a/vendor/modules.txt b/vendor/modules.txt -index dd3fb54fefd2..9adbc22b99fc 100644 +index dd3fb54fef..9adbc22b99 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3 @@ -3487,6 +3487,6 @@ resenje.org/singleflight +# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 -- -2.49.0 +2.52.0 ++++++ 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.962611375 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.970611705 +0100 @@ -1,7 +1,7 @@ From d5e7d0a4de49083955ecfcb26ddc62e2ba15abb8 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Thu, 2 May 2024 22:50:23 +1000 -Subject: [PATCH 08/14] bsc1221916: update to patched buildkit version to fix +Subject: [PATCH 08/18] bsc1221916: update to patched buildkit version to fix symlink resolution SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916 @@ -16,7 +16,7 @@ 6 files changed, 314 insertions(+), 252 deletions(-) diff --git a/builder/builder-next/worker/worker.go b/builder/builder-next/worker/worker.go -index 64d7b9131b16..7b40ac63ce7f 100644 +index 64d7b9131b..7b40ac63ce 100644 --- a/builder/builder-next/worker/worker.go +++ b/builder/builder-next/worker/worker.go @@ -50,7 +50,7 @@ import ( @@ -29,7 +29,7 @@ const labelCreatedAt = "buildkit/createdat" diff --git a/vendor.mod b/vendor.mod -index 2eb13746cacd..021d62b21d19 100644 +index 2eb13746ca..021d62b21d 100644 --- a/vendor.mod +++ b/vendor.mod @@ -99,7 +99,7 @@ require ( @@ -42,7 +42,7 @@ require ( cloud.google.com/go v0.102.1 // indirect diff --git a/vendor.sum b/vendor.sum -index 716245c80413..4bdbbeb3f073 100644 +index 716245c804..4bdbbeb3f0 100644 --- a/vendor.sum +++ b/vendor.sum @@ -141,8 +141,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko @@ -57,7 +57,7 @@ github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go -index dcf424a6b4fc..13a74be24c4e 100644 +index dcf424a6b4..13a74be24c 100644 --- a/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go +++ b/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go @@ -10,6 +10,7 @@ import ( @@ -680,7 +680,7 @@ + return string(bytes.Replace(p, []byte{0}, []byte("/"), -1)) } diff --git a/vendor/github.com/moby/buildkit/cache/contenthash/path.go b/vendor/github.com/moby/buildkit/cache/contenthash/path.go -index 42b7fd8349c7..ae950f713241 100644 +index 42b7fd8349..ae950f7132 100644 --- a/vendor/github.com/moby/buildkit/cache/contenthash/path.go +++ b/vendor/github.com/moby/buildkit/cache/contenthash/path.go @@ -1,108 +1,111 @@ @@ -875,7 +875,7 @@ + return filepath.Join(root, finalPath), nil } diff --git a/vendor/modules.txt b/vendor/modules.txt -index 9adbc22b99fc..27bc31dfd397 100644 +index 9adbc22b99..27bc31dfd3 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -577,7 +577,7 @@ github.com/mistifyio/go-zfs/v3 @@ -894,6 +894,6 @@ -# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053907-cd804dd86389 +# github.com/moby/buildkit => github.com/SUSE/buildkit v0.0.0-20241218053911-6b814972ef19 -- -2.49.0 +2.52.0 ++++++ 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:44.982612200 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:44.986612365 +0100 @@ -1,7 +1,7 @@ From 5ada2078fb4c4a0433578fdff1ccff028293117a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 19 Jun 2024 16:30:49 +1000 -Subject: [PATCH 09/14] bsc1214855: volume: use AtomicWriteFile to save volume +Subject: [PATCH 09/18] bsc1214855: volume: use AtomicWriteFile to save volume options If the system (or Docker) crashes while saivng the volume options, on 
@@ -29,7 +29,7 @@ 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/volume/local/local.go b/volume/local/local.go -index b4f3a3669a84..077b26f1b813 100644 +index b4f3a3669a..077b26f1b8 100644 --- a/volume/local/local.go +++ b/volume/local/local.go @@ -16,6 +16,7 @@ import ( @@ -50,6 +50,6 @@ return errdefs.System(errors.Wrap(err, "error while persisting volume options")) } -- -2.49.0 +2.52.0 ++++++ 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.010613355 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.014613520 +0100 @@ -1,7 +1,7 @@ From 1957d4002bf0cc4854d12e4fd1e0a324b973ae18 Mon Sep 17 00:00:00 2001 From: Jameson Hyde <[email protected]> Date: Mon, 26 Nov 2018 14:15:22 -0500 -Subject: [PATCH 10/14] CVE-2024-41110: AuthZ plugin securty fixes +Subject: [PATCH 10/18] CVE-2024-41110: AuthZ plugin securty fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -20,7 +20,7 @@ 2 files changed, 115 insertions(+), 7 deletions(-) diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go -index 590ac8dddd88..68ed8bbdaf97 100644 +index 590ac8dddd..68ed8bbdaf 100644 --- a/pkg/authorization/authz.go +++ b/pkg/authorization/authz.go @@ -7,6 +7,8 @@ import ( @@ -95,7 +95,7 @@ } diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go -index 835cb703839b..8bfe44e1a840 100644 +index 835cb70383..8bfe44e1a8 100644 --- a/pkg/authorization/authz_unix_test.go +++ b/pkg/authorization/authz_unix_test.go @@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) { @@ -205,6 +205,6 @@ } } -- -2.49.0 +2.52.0 ++++++ 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.030614180 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.034614345 +0100 @@ -1,7 +1,7 @@ 
From 46690092b2a9ae46cc25ef04d3f5417fb8f715dc Mon Sep 17 00:00:00 2001 From: Albin Kerouanton <[email protected]> Date: Tue, 10 Oct 2023 01:13:25 +0200 -Subject: [PATCH 11/14] CVE-2024-29018: libnet: Don't forward to upstream +Subject: [PATCH 11/18] CVE-2024-29018: libnet: Don't forward to upstream resolvers on internal nw Commit cbc2a71c2 makes `connect` syscall fail fast when a container is @@ -24,7 +24,7 @@ 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go -index b9903bb90188..b90500ce97a1 100644 +index b9903bb901..b90500ce97 100644 --- a/libnetwork/endpoint.go +++ b/libnetwork/endpoint.go @@ -520,8 +520,13 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) { @@ -55,7 +55,7 @@ logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) extN, err := extEp.getNetworkFromStore() diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go -index ab19b7b08fc0..70ca33b53590 100644 +index ab19b7b08f..70ca33b535 100644 --- a/libnetwork/resolver.go +++ b/libnetwork/resolver.go @@ -7,6 +7,7 @@ import ( @@ -118,7 +118,7 @@ // in the root domain don't forward it out. We will return // failure and let the client retry with the search domain diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go -index 2218c6960e45..e3bb9abce93b 100644 +index 2218c6960e..e3bb9abce9 100644 --- a/libnetwork/sandbox_dns_unix.go +++ b/libnetwork/sandbox_dns_unix.go @@ -28,7 +28,11 @@ const ( @@ -135,6 +135,6 @@ if err != nil { sb.resolver = nil -- -2.49.0 +2.52.0 ++++++ 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.046614840 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.054615170 +0100 @@ -1,7 +1,7 @@ From 4b86dca1e44964483c4587dbca1aa1fac42571d9 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai <[email protected]> Date: Tue, 25 Mar 2025 12:02:42 +1100 -Subject: [PATCH 12/14] CVE-2025-22868: vendor: jws: split token into fixed +Subject: [PATCH 12/18] CVE-2025-22868: vendor: jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. @@ -18,7 +18,7 @@ 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go -index 95015648b43f..6f03a49d3120 100644 +index 95015648b4..6f03a49d31 100644 --- a/vendor/golang.org/x/oauth2/jws/jws.go +++ b/vendor/golang.org/x/oauth2/jws/jws.go @@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { @@ -36,6 +36,6 @@ signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) if err != nil { -- -2.49.0 +2.52.0 ++++++ 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.066615665 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.070615830 +0100 @@ -1,7 +1,7 @@ From 0f1bec6ecc1b769c80d02a59f683c4cd634cc5f0 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Tue, 25 Mar 2025 12:05:38 +1100 -Subject: [PATCH 13/14] CVE-2025-22869: vendor: ssh: limit the size of the +Subject: [PATCH 13/18] CVE-2025-22869: vendor: ssh: limit the size of the internal packet queue while waiting for KEX In the SSH protocol, clients and servers execute the key exchange to @@ -33,7 +33,7 @@ 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go -index 70a7369ff913..e14eb6cba077 100644 +index 70a7369ff9..e14eb6cba0 100644 --- a/vendor/golang.org/x/crypto/ssh/handshake.go +++ b/vendor/golang.org/x/crypto/ssh/handshake.go @@ -24,6 +24,11 @@ const debugHandshake = false 
@@ -133,6 +133,6 @@ return nil -- -2.49.0 +2.52.0 ++++++ 0014-TESTS-backport-fixes-for-integration-tests.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.098616985 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.102617150 +0100 @@ -1,7 +1,7 @@ -From 7ba7a35a844985c3599e18bfc4e2ede8f1087bc2 Mon Sep 17 00:00:00 2001 +From a60d1a4c8e27baabba8da82cf8a9045242e3930f Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Thu, 21 Nov 2024 20:00:07 +1100 -Subject: [PATCH 14/14] TESTS: backport fixes for integration tests +Subject: [PATCH 14/18] TESTS: backport fixes for integration tests We need a couple of patches to make the tests work on SLES: @@ -16,7 +16,7 @@ 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile -index 463d5cfc1a86..7a23962af09b 100644 +index 463d5cfc1a..7a23962af0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -59,7 +59,7 @@ WORKDIR /go/src/github.com/docker/distribution @@ -29,7 +29,7 @@ # install from the https://github.com/docker/distribution repository. This is # an older (pre v2.3.0) version of the registry that only supports schema1 diff --git a/integration-cli/requirements_test.go b/integration-cli/requirements_test.go -index 2313272d7704..e5f72397e1bc 100644 +index 2313272d77..e5f72397e1 100644 --- a/integration-cli/requirements_test.go +++ b/integration-cli/requirements_test.go @@ -85,9 +85,6 @@ func Network() bool { @@ -43,7 +43,7 @@ return err == nil && len(buf) > 1 && buf[0] == 'Y' } diff --git a/testutil/registry/registry.go b/testutil/registry/registry.go -index 9213db2ba21a..d8bfe17678a4 100644 +index 9213db2ba2..d8bfe17678 100644 --- a/testutil/registry/registry.go +++ b/testutil/registry/registry.go @@ -107,10 +107,12 @@ http: 
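Review bot: across the rebased series 0007 through 0015 the diff touches only patch metadata: each `index` line drops from 12 to 10 hex digits, `[PATCH nn/14]` (and `[PATCH 15/15]`) becomes `[PATCH nn/18]`, and the `2.49.0`/`2.50.1` trailer becomes `2.52.0`; no `+`/`-` line inside the carried hunks changes, which is what a plain `git format-patch` regeneration should look like. The one exception is 0014, whose `From` commit id changes from 7ba7a35a844985c3599e18bfc4e2ede8f1087bc2 to a60d1a4c8e27baabba8da82cf8a9045242e3930f while the patch body stays identical, so it was re-exported from a different commit; the unchanged body suggests only commit metadata moved, but that deserves a line in the changelog so the next rebase does not read the new id as a content change.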
@@ -61,6 +61,6 @@ cmd.Stderr = c.stderr if err := cmd.Start(); err != nil { -- -2.49.0 +2.52.0 ++++++ 0015-bsc1247362-release-container-layer-on-export.patch ++++++ --- /var/tmp/diff_new_pack.yH1iDr/_old 2026-02-25 21:10:45.118617810 +0100 +++ /var/tmp/diff_new_pack.yH1iDr/_new 2026-02-25 21:10:45.118617810 +0100 @@ -1,7 +1,7 @@ From 8e736eda0c047c572564e95d97da19fd372f4d33 Mon Sep 17 00:00:00 2001 From: Joan Grau <[email protected]> Date: Tue, 17 Sep 2024 12:49:02 +0200 -Subject: [PATCH 15/15] bsc1247362: release container layer on export +Subject: [PATCH 15/18] bsc1247362: release container layer on export When running docker export command the container layer is only released in case there is an error. @@ -22,7 +22,7 @@ 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/daemon/images/image_exporter.go b/daemon/images/image_exporter.go -index 88877b01c6b2..ac93b00174c5 100644 +index 88877b01c6..ac93b00174 100644 --- a/daemon/images/image_exporter.go +++ b/daemon/images/image_exporter.go @@ -24,12 +24,11 @@ func (i *ImageService) PerformWithBaseFS(ctx context.Context, c *container.Conta @@ -51,6 +51,6 @@ } -- -2.50.1 +2.52.0 ++++++ 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch ++++++ >From 446bfce439f9df2bd068c37bf6203a8fd3c9e2fa Mon Sep 17 00:00:00 2001 
From: Jaroslav Jindrak <[email protected]> Date: Tue, 5 Mar 2024 14:25:50 +0100 Subject: [PATCH 16/18] bsc1254206: daemon: overlay2: remove world writable permission from the lower file In de2447c, the creation of the 'lower' file was changed from using os.Create to using ioutils.AtomicWriteFile, which ignores the system's umask. This means that even though the requested permission in the source code was always 0666, it was 0644 on systems with default umask of 0022 prior to de2447c, so the move to AtomicFile potentially increased the file's permissions. This is not a security issue because the parent directory does not allow writes into the file, but it can confuse security scanners on Linux-based systems into giving false positives. Signed-off-by: Jaroslav Jindrak <[email protected]> (cherry picked from commit cadb124ab679f7e48c917473e28ff7f270d27dd9) SUSE-Bugs: bsc#1220339 bsc#1254206 Signed-off-by: Aleksa Sarai <[email protected]> --- daemon/graphdriver/overlay2/overlay.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go index 3f06a837c8..e29417c479 100644 --- a/daemon/graphdriver/overlay2/overlay.go +++ b/daemon/graphdriver/overlay2/overlay.go @@ -409,7 +409,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr return err } if lower != "" { - if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o666); err != nil { + if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil { return err } } -- 2.52.0 ++++++ 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch ++++++ >From fd9e9c4ed1fb52dc66c342366c1e6ebfab9fb671 Mon Sep 17 00:00:00 2001 
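Review bot: for 0016-bsc1254206 above, the new mode only applies to `lower` files written from now on: the changed `ioutils.AtomicWriteFile(path.Join(dir, lowerFile), ...)` call sits in `(d *Driver) create`, so layers created by earlier builds keep the mode they were given and the scanner findings the message describes will persist on upgraded hosts until those layers are recreated; if that matters, a one-off fixup of existing `lower` files or a note in the package changelog is needed. Otherwise the hunk is fine: with `AtomicWriteFile` ignoring the umask, as the message states, 0o644 is now the file's actual mode rather than a ceiling.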
From: rcmadhankumar <[email protected]> Date: Thu, 5 Feb 2026 13:33:44 +0530 Subject: [PATCH 17/18] CVE-2025-30204 fix: Remove strings.Split and add parseToken function -- CVE-2025-30204 golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. reference commit: https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 Fixes bsc#1240513 Fixes CVE-2025-30204 --- vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++-- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go index 2f61a69d7f..9484f285f7 100644 --- a/vendor/github.com/golang-jwt/jwt/v4/parser.go +++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go @@ -7,6 +7,8 @@ import ( "strings" ) +const tokenDelimiter = "." + type Parser struct { // If populated, only these methods will be considered valid. // 
@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf // It's only ever useful in cases where you know the signature is valid (because it has // been checked previously in the stack) and you want to extract values from it. func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { - parts = strings.Split(tokenString, ".") - if len(parts) != 3 { - return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) + var ok bool + parts, ok = splitToken(tokenString) + if !ok { + return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed) } token = &Token{Raw: tokenString} @@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke return token, parts, nil } + +// splitToken splits a token string into three parts: header, claims, and signature. It will only +// return true if the token contains exactly two delimiters and three parts. In all other cases, it +// will return nil parts and false. +func splitToken(token string) ([]string, bool) { + parts := make([]string, 3) + header, remain, ok := strings.Cut(token, tokenDelimiter) + if !ok { + return nil, false + } + parts[0] = header + claims, remain, ok := strings.Cut(remain, tokenDelimiter) + if !ok { + return nil, false + } + parts[1] = claims + // One more cut to ensure the signature is the last part of the token and there are no more + // delimiters. This avoids an issue where malicious input could contain additional delimiters + // causing unecessary overhead parsing tokens. + signature, _, unexpected := strings.Cut(remain, tokenDelimiter) + if unexpected { + return nil, false + } + parts[2] = signature + + return parts, true +} -- 2.52.0 ++++++ 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch ++++++ >From df8c92d0412c56f802e46c847cbcecf5b12e37e3 Mon Sep 17 00:00:00 2001 
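Review bot: in 0017-CVE-2025-30204 above, the error path of `ParseUnverified` changes shape: the old code returned the partially split slice together with the error (`return nil, parts, NewValidationError(...)`), the new code returns `nil` (`return nil, nil, NewValidationError(...)`), so any caller in this tree that inspects `parts` after a malformed-token error now sees nil; that matches the referenced upstream commit but warrants a check of the callers. Two small points in the new `splitToken`: the comment typo "unecessary" (present upstream too) should read "unnecessary", and the third `strings.Cut` is used only for its boolean, which is the right call since `Cut` stops at the first delimiter, so a token made of nothing but periods is rejected after three single-byte scans instead of a full `strings.Split` over the input.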
From: Valentin LEFEBVRE <[email protected]> Date: Wed, 18 Feb 2026 16:22:29 +0100 Subject: [PATCH 18/18] CVE-2025-58181: fix vendor crypto/ssh (#3) curb GSSAPI DoS risk by limiting number of specified OIDS Previously, an attacker could specify an integer up to 0xFFFFFFFF that would directly allocate memory despite the observability of the rest of the payload. This change places a hard cap on the amount of mechanisms that can be specified and encoded in the payload. Additionally, it performs a small sanity check to deny payloads whose stated size is contradictory to the observed payload. Thank you to Jakub Ciolek for reporting this issue. Fixes CVE-2025-58181 Fixes golang/go#76363 Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961 Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> [vlefebvre: Adapt for SUSE-v28.5.1] Signed-off-by: vlefebvre <[email protected]> --- vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go index 24bd7c8e83..a6249a1227 100644 --- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go +++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go @@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { if !ok { return nil, errors.New("parse uint32 failed") } + // Each ASN.1 encoded OID must have a minimum + // of 2 bytes; 64 maximum mechanisms is an + // arbitrary, but reasonable ceiling. + const maxMechs = 64 + if n > maxMechs || int(n)*2 > len(rest) { + return nil, errors.New("invalid mechanism count") + } s := &userAuthRequestGSSAPI{ N: n, OIDS: make([]asn1.ObjectIdentifier, n), 
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil { return nil, err } - } return s, nil } -- 2.52.0 ++++++ docker.tmpfiles ++++++ d /var/lib/docker 0750 root root -
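Review bot: for 0018-CVE-2025-58181 above, `int(n)*2 > len(rest)` is a floor rather than a bound, as the comment admits: every mechanism is an SSH string, so a 4-byte length prefix precedes each OID and a count up to `len(rest)/2` still passes, leaving per-entry validation to the loop; that is acceptable because `n > maxMechs` is tested first, and the `||` short-circuit also keeps `int(n)*2` from overflowing on 32-bit targets. One pre-existing oddity in the unchanged context of the second hunk: `if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i])` assigns the bytes left over after the DER OID to `rest`, the same variable the first hunk treats as the unparsed payload remainder (`len(rest)`); worth confirming that the loop re-derives the next mechanism from the payload rather than from that leftover, otherwise a list with more than one OID cannot parse and any test for this patch should stick to a single mechanism. The second hunk otherwise only removes a blank line.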
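The allocation asymmetry described in the CVE-2025-30204 commit message of patch 0017 above, shown in an added Go example that is not part of the docker-stable package or of golang-jwt. splitBounded is a hypothetical helper that generalises the patch's three-part splitToken to n fields; compare measures heap bytes per call of strings.Split against it on a constructed token made only of periods, using testing.Benchmark's AllocedBytesPerOp. Nothing here is the library's own API.

```go
package main

import (
	"fmt"
	"strings"
	"testing"
)

const tokenDelimiter = "."

// Package-level sinks keep the compiler from discarding the measured results.
var (
	sinkSplit   []string
	sinkBounded []string
)

// splitBounded splits s into exactly n fields on sep. Like the patch's
// splitToken it relies on strings.Cut, so every step stops at the first
// delimiter it meets; the work and the single allocation (a slice of n
// strings) are bounded by n no matter how many delimiters s contains.
// It reports false for too few or too many delimiters. Hypothetical
// helper, generalised from the three-part version in the patch.
func splitBounded(s, sep string, n int) ([]string, bool) {
	if n < 1 {
		return nil, false
	}
	parts := make([]string, 0, n)
	rest := s
	for i := 0; i < n-1; i++ {
		field, after, ok := strings.Cut(rest, sep)
		if !ok {
			return nil, false // too few delimiters
		}
		parts = append(parts, field)
		rest = after
	}
	// The last field must hold no further delimiter. Contains stops at the
	// first match, so a token that is nothing but periods is rejected after
	// looking at a single byte here.
	if strings.Contains(rest, sep) {
		return nil, false // too many delimiters
	}
	return append(parts, rest), true
}

// maliciousToken is the constructed input from the advisory: the part
// after "Bearer " consisting of nothing but periods.
func maliciousToken(periods int) string {
	return strings.Repeat(tokenDelimiter, periods)
}

// bytesPerOp drives f with the testing package's benchmark loop (about one
// second of wall time) and reports heap bytes allocated per call.
func bytesPerOp(f func()) int64 {
	return testing.Benchmark(func(b *testing.B) {
		for i := 0; i < b.N; i++ {
			f()
		}
	}).AllocedBytesPerOp()
}

// compare returns bytes allocated per call by strings.Split and by
// splitBounded on a token of the given number of periods. Split builds a
// slice of periods+1 string headers (16 bytes each on 64-bit), which is the
// O(n) cost with constant factor about 16 from the advisory; the bounded
// version allocates one three-element slice whatever the input.
func compare(periods int) (splitBytes, boundedBytes int64) {
	tok := maliciousToken(periods)
	splitBytes = bytesPerOp(func() { sinkSplit = strings.Split(tok, tokenDelimiter) })
	boundedBytes = bytesPerOp(func() { sinkBounded, _ = splitBounded(tok, tokenDelimiter, 3) })
	return splitBytes, boundedBytes
}

func main() {
	parts, ok := splitBounded("hdr.claims.sig", tokenDelimiter, 3)
	fmt.Println(parts, ok)
	_, ok = splitBounded("hdr.claims.sig.extra", tokenDelimiter, 3)
	fmt.Println("extra delimiter accepted:", ok)
	s, b := compare(100000)
	fmt.Printf("strings.Split: %d B/op, splitBounded: %d B/op\n", s, b)
}
```

With 100000 periods the Split side allocates on the order of 1.6 MB per call while the bounded side stays at one small slice; the ratio, not the absolute numbers, is the point, and it is what turns a cheap request into an allocation-bound denial of service.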
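The payload shape behind CVE-2025-58181 in patch 0018 above, as an added Go example that is not part of the docker-stable package or of golang.org/x/crypto. It builds the mechanism list of a gssapi-with-mic USERAUTH_REQUEST (uint32 count followed by that many SSH strings, each holding a DER-encoded OID, per RFC 4462 section 3.2) with the count chosen independently of the OIDs actually present, and parses it with the same cap and sanity check the patch adds. The wire primitives, the encoder and parseGSSAPIPayload here are this example's own re-implementations, not x/crypto's; the Kerberos OIDs are sample values.

```go
package main

import (
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxMechs is the same ceiling the patch uses.
const maxMechs = 64

// Sample mechanism OIDs (Kerberos V5 and Kerberos V5 user-to-user).
var (
	oidKerberos = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
	oidKerbU2U  = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2, 3}
)

// SSH wire-format primitives (RFC 4251 section 5), re-implemented here.
func putUint32(out []byte, v uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return append(out, b[:]...)
}

func parseUint32(in []byte) (uint32, []byte, bool) {
	if len(in) < 4 {
		return 0, nil, false
	}
	return binary.BigEndian.Uint32(in), in[4:], true
}

func putString(out, s []byte) []byte {
	return append(putUint32(out, uint32(len(s))), s...)
}

func parseString(in []byte) ([]byte, []byte, bool) {
	n, rest, ok := parseUint32(in)
	if !ok || uint64(n) > uint64(len(rest)) {
		return nil, nil, false
	}
	return rest[:n], rest[n:], true
}

// encodeGSSAPIPayload builds "uint32 n, string[n] mechanism OIDs". claimed
// is written as n regardless of len(oids), so a caller can lie about the
// count the way an attacking client would.
func encodeGSSAPIPayload(claimed uint32, oids []asn1.ObjectIdentifier) ([]byte, error) {
	out := putUint32(nil, claimed)
	for _, oid := range oids {
		der, err := asn1.Marshal(oid)
		if err != nil {
			return nil, err
		}
		out = putString(out, der)
	}
	return out, nil
}

// parseGSSAPIPayload decodes the list. Without the count check, the make()
// below would run before any OID byte had been looked at: a claimed n of
// 0xFFFFFFFF asks for 2^32 slice headers (24 bytes each on 64-bit, about
// 96 GiB) in response to a four-byte message.
func parseGSSAPIPayload(payload []byte) ([]asn1.ObjectIdentifier, error) {
	n, rest, ok := parseUint32(payload)
	if !ok {
		return nil, errors.New("parse uint32 failed")
	}
	// Same check as the patch: at most maxMechs mechanisms, and at least two
	// bytes of payload per claimed mechanism (a floor, not an exact bound;
	// the loop below still validates every entry).
	if n > maxMechs || int(n)*2 > len(rest) {
		return nil, errors.New("invalid mechanism count")
	}
	oids := make([]asn1.ObjectIdentifier, n)
	for i := range oids {
		var der []byte
		der, rest, ok = parseString(rest)
		if !ok {
			return nil, errors.New("parse string failed")
		}
		// rest keeps pointing at the payload remainder; the ASN.1 trailing
		// bytes are checked on their own.
		trailing, err := asn1.Unmarshal(der, &oids[i])
		if err != nil {
			return nil, err
		}
		if len(trailing) != 0 {
			return nil, errors.New("trailing bytes after OID")
		}
	}
	return oids, nil
}

func main() {
	honest, _ := encodeGSSAPIPayload(2, []asn1.ObjectIdentifier{oidKerberos, oidKerbU2U})
	fmt.Println(parseGSSAPIPayload(honest))
	bad := []struct {
		claimed uint32
		oids    []asn1.ObjectIdentifier
	}{
		{0xFFFFFFFF, nil}, // the CVE input: huge count, no bytes behind it
		{64, nil},         // within the cap, still no bytes behind it
		{3, []asn1.ObjectIdentifier{oidKerberos, oidKerbU2U}}, // passes the floor, fails in the loop
	}
	for _, c := range bad {
		p, _ := encodeGSSAPIPayload(c.claimed, c.oids)
		_, err := parseGSSAPIPayload(p)
		fmt.Printf("claimed %d with %d OIDs: %v\n", c.claimed, len(c.oids), err)
	}
}
```

The third bad case shows why the patch's check is only a first line of defence: a count of 3 over two real OIDs clears `int(n)*2 > len(rest)` and is caught by the per-entry `parseString`, but by then the allocation is bounded to 64 entries, which is all the fix needs.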
