Your message dated Mon, 25 May 2026 00:34:06 +0000
with message-id <[email protected]>
and subject line Bug#1136031: fixed in docker.io 28.5.2+dfsg4-2
has caused the Debian Bug report #1136031,
regarding docker.io: CVE-2026-33997 CVE-2026-34040
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136031
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: docker.io
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for docker.io.
CVE-2026-33997[0]:
| Moby is an open source container framework. Prior to version 29.3.1,
| a security vulnerability has been detected that allows plugins
| privilege validation to be bypassed during docker plugin install.
| Due to an error in the daemon's privilege comparison logic, the
| daemon may incorrectly accept a privilege set that differs from the
| one approved by the user. Plugins that request exactly one privilege
| are also affected, because no comparison is performed at all. This
| issue has been patched in version 29.3.1.
https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9
https://github.com/moby/moby/commit/0afb41ce194ca8f83436b332c18105279923ba14 (28.x)
CVE-2026-34040[1]:
| Moby is an open source container framework. Prior to version 29.3.1,
| a security vulnerability has been detected that allows attackers to
| bypass authorization plugins (AuthZ). This issue has been patched in
| version 29.3.1.
https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
https://github.com/moby/moby/commit/6d311e0d8d4174a6347942db78c553fb7dc3762e (28.x)
https://github.com/moby/moby/commit/db7dadaca041953430d1e2144088c311b78b96d7 (28.x)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33997
    https://www.cve.org/CVERecord?id=CVE-2026-33997
[1] https://security-tracker.debian.org/tracker/CVE-2026-34040
    https://www.cve.org/CVERecord?id=CVE-2026-34040
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: docker.io
Source-Version: 28.5.2+dfsg4-2
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 May 2026 20:07:24 -0400
Source: docker.io
Architecture: source
Version: 28.5.2+dfsg4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 923577 1021914 1136031
Changes:
 docker.io (28.5.2+dfsg4-2) unstable; urgency=medium
 .
   * Add debconf prompt to confirm removal of /var/lib/docker on purge
     (Closes: #1021914)
   * Ensure /var/lib/docker directory is removed on purge (Closes: #923577)
   * Backport upstream patches for engine/docker.io:
     - Fixes: CVE-2026-33997 CVE-2026-34040, (Closes: #1136031)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---