Your message dated Fri, 11 Apr 2025 23:06:03 +0000
with message-id <[email protected]>
and subject line Bug#1100991: fixed in docker-buildx 0.13.1+ds1-3
has caused the Debian Bug report #1100991,
regarding docker-buildx: CVE-2025-0495
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1100991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100991
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: docker-buildx
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker-buildx.

CVE-2025-0495[0]:
| Buildx is a Docker CLI plugin that extends build capabilities using
| BuildKit.  Cache backends support credentials by setting secrets
| directly as attribute values in cache-to/cache-from configuration.
| When supplied as user input, these secure values may be
| inadvertently captured in OpenTelemetry traces as part of the
| arguments and flags for the traced CLI command. OpenTelemetry traces
| are also saved in BuildKit daemon's history records.   This
| vulnerability does not impact secrets passed to the Github cache
| backend via environment variables or registry authentication.

https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-0495
    https://www.cve.org/CVERecord?id=CVE-2025-0495

Please adjust the affected versions in the BTS as needed.

--- End Message ---
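The advisory above describes the failure mode: credentials given as attribute values in a cache-to/cache-from spec travel with the CLI arguments into OpenTelemetry span attributes, and from there into BuildKit's history records. The defensive pattern is to sanitise the argv before it is attached to a span. The Go code below is an added illustration of that pattern, written for this thread; it is not docker-buildx's own code and not the patch that closed this bug. It assumes the s3 and gha attribute names access_key_id, secret_access_key, session_token and token are the ones to treat as sensitive, and it splits specs on plain commas rather than honouring CSV quoting as buildx does.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute keys whose values are credentials in buildx cache-to/cache-from
// specs (s3 backend: access_key_id, secret_access_key, session_token; gha
// backend: token). Treating exactly this set as sensitive is an assumption
// of this example, not a list taken from the advisory.
var sensitiveKeys = map[string]bool{
	"access_key_id":     true,
	"secret_access_key": true,
	"session_token":     true,
	"token":             true,
}

const redacted = "<redacted>"

// RedactCacheSpec takes a "key=value,key=value" cache spec and replaces the
// value of every sensitive key, keeping order and all other attributes.
// It splits on plain commas; a real parser would honour CSV quoting.
func RedactCacheSpec(spec string) string {
	parts := strings.Split(spec, ",")
	for i, part := range parts {
		key, _, ok := strings.Cut(part, "=")
		if !ok {
			continue
		}
		if sensitiveKeys[strings.ToLower(strings.TrimSpace(key))] {
			parts[i] = key + "=" + redacted
		}
	}
	return strings.Join(parts, ",")
}

// RedactArgs returns a copy of a CLI argv in which the spec following
// --cache-to / --cache-from (either "--flag spec" or "--flag=spec") has been
// passed through RedactCacheSpec. This sanitised argv is what should be
// recorded as a span attribute, never the raw one.
func RedactArgs(args []string) []string {
	out := make([]string, len(args))
	copy(out, args)
	for i := 0; i < len(out); i++ {
		arg := out[i]
		switch {
		case arg == "--cache-to" || arg == "--cache-from":
			if i+1 < len(out) {
				out[i+1] = RedactCacheSpec(out[i+1])
				i++
			}
		case strings.HasPrefix(arg, "--cache-to=") || strings.HasPrefix(arg, "--cache-from="):
			flag, spec, _ := strings.Cut(arg, "=")
			out[i] = flag + "=" + RedactCacheSpec(spec)
		}
	}
	return out
}

func main() {
	// Constructed sample argv with fake credentials; nothing here is real.
	argv := []string{
		"buildx", "build",
		"--cache-to", "type=s3,region=us-east-1,bucket=example,access_key_id=AKIAEXAMPLE,secret_access_key=notARealSecret",
		"--cache-from=type=gha,token=ghs_notARealToken,scope=ci",
		".",
	}
	fmt.Println(strings.Join(RedactArgs(argv), " "))
}
```

Redacting by key rather than by value pattern is the point: the value of a leaked secret is unknown to the tracer, but the attribute names that carry secrets are a small, fixed set. Keeping the key and replacing only the value also preserves enough of the spec for the trace to stay useful when debugging cache configuration.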
--- Begin Message ---
Source: docker-buildx
Source-Version: 0.13.1+ds1-3
Done: Nicolas Peugnet <[email protected]>

We believe that the bug you reported is fixed in the latest version of
docker-buildx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Peugnet <[email protected]> (supplier of updated docker-buildx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Apr 2025 11:35:58 +0200
Source: docker-buildx
Architecture: source
Version: 0.13.1+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Nicolas Peugnet <[email protected]>
Closes: 1100991
Changes:
 docker-buildx (0.13.1+ds1-3) unstable; urgency=medium
 .
   * Fix CVE-2025-0495: possible credential leakage to telemetry endpoint
     (Closes: #1100991)
Checksums-Sha1:
 c88c0472d7d49854e726fc06421e3e0956e56132 3800 docker-buildx_0.13.1+ds1-3.dsc
 60ff73a12839b6545c4598a16521def578850abb 6836 docker-buildx_0.13.1+ds1-3.debian.tar.xz
Checksums-Sha256:
 ce0d94fd314ed42815663241e88675fd1ea5fbc173d3e106d03b6caa6eab933f 3800 docker-buildx_0.13.1+ds1-3.dsc
 0c5bf45de695e6dbbddb65275f9c3c50c4284fa833e9902dad1bd7942eddad41 6836 docker-buildx_0.13.1+ds1-3.debian.tar.xz
Files:
 6a311cafd3765c97d4f308fed23b95c5 3800 golang optional docker-buildx_0.13.1+ds1-3.dsc
 4a9e4481f74c1acbd23076c0f8a250d3 6836 golang optional docker-buildx_0.13.1+ds1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
