Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for docker.io.

CVE-2024-24557[0]:
| Moby is an open-source project created by Docker to enable software
| containerization. The classic builder cache system is prone to cache
| poisoning if the image is built FROM scratch. Also, changes to some
| instructions (most important being HEALTHCHECK and ONBUILD) would
| not cause a cache miss. An attacker with the knowledge of the
| Dockerfile someone is using could poison their cache by making them
| pull a specially crafted image that would be considered as a valid
| cache candidate for some build steps. 23.0+ users are only affected
| if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
| environment variable) or are using the /build API endpoint. All
| users on versions older than 23.0 could be impacted. Image build API
| endpoint (/build) and ImageBuild function from
| github.com/docker/docker/client are also affected as they use the
| classic builder by default. Patches are included in 24.0.9 and
| 25.0.2 releases.

https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24557
    https://www.cve.org/CVERecord?id=CVE-2024-24557

Please adjust the affected versions in the BTS as needed.
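Added example, not part of this bug report or of Moby/docker.io: a POSIX sh triage helper that encodes the affected-version rules from the description above, so an operator can tell whether a given daemon version and DOCKER_BUILDKIT setting sit in the exposed set. It assumes every release after 25.0.2 carries the fix, and the function names `version_ge` and `cve_2024_24557_exposed` are mine.

```shell
#!/bin/sh
# Added triage helper, not from the Debian report or the Moby project.
# Decides whether a Docker version plus DOCKER_BUILDKIT setting falls
# into the affected set described in the CVE-2024-24557 text:
#   older than 23.0        -> affected (classic builder is the default)
#   23.0 and newer         -> affected only with DOCKER_BUILDKIT=0 or
#                             when the /build API endpoint is used
#   24.0.9+ / 25.0.2+      -> patched (assumption: later releases too)

# version_ge A B: exit 0 when dotted version A >= B. Up to three numeric
# fields are compared; a leading "v" and suffixes such as "+dfsg1" are dropped.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*//')
    set -- $(printf '%s' "$a" | tr . ' '); a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s' "$b" | tr . ' '); b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return $?; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return $?; }
    [ "$a3" -ge "$b3" ]
}

# cve_2024_24557_exposed VERSION [DOCKER_BUILDKIT value] [uses_build_api yes|no]
# Exit 0 when the combination is in the affected set, 1 otherwise.
cve_2024_24557_exposed() {
    ver="$1"; buildkit="${2:-}"; build_api="${3:-no}"
    # Releases carrying the fix (24.0.9 for the 24.0 line, 25.0.2 and later).
    if version_ge "$ver" 25.0.2; then return 1; fi
    if version_ge "$ver" 24.0.9 && ! version_ge "$ver" 25.0.0; then return 1; fi
    # Before 23.0 the classic builder is used by default: always affected.
    if ! version_ge "$ver" 23.0.0; then return 0; fi
    # 23.0+: only an explicit opt-out of BuildKit or the /build API is exposed.
    if [ "$buildkit" = 0 ] || [ "$build_api" = yes ]; then return 0; fi
    return 1
}

# Stand-alone use: CHECK_LIVE=1 ./script.sh queries the local daemon
# ("docker version --format" is a real CLI flag; docker must be installed).
if [ "${CHECK_LIVE:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}')
    if cve_2024_24557_exposed "$v" "${DOCKER_BUILDKIT:-}"; then
        echo "docker $v: classic-builder path exposed to CVE-2024-24557"
    else
        echo "docker $v: not in the affected set"
    fi
fi
```

Debian package versions such as 20.10.24+dfsg1 are accepted as-is; only the numeric prefix is compared.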