# Security update for buildah, docker Announcement ID: SUSE-SU-2024:3120-1 Rating: critical References: * bsc#1214855 * bsc#1219267 * bsc#1219268 * bsc#1219438 * bsc#1221243 * bsc#1221677 * bsc#1221916 * bsc#1223409 * bsc#1224117 * bsc#1228324 Cross-References: * CVE-2024-1753 * CVE-2024-23651 * CVE-2024-23652 * CVE-2024-23653 * CVE-2024-24786 * CVE-2024-28180 * CVE-2024-3727 * CVE-2024-41110 CVSS scores: * CVE-2024-1753 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2024-23651 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-23651 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2024-23652 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2024-23652 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * CVE-2024-23653 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2024-23653 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2024-24786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2024-3727 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Affected Products: * Containers Module 15-SP5 * Containers Module 15-SP6 * openSUSE Leap 15.3 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * openSUSE Leap Micro 5.5 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.2 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves eight vulnerabilities and has two security fixes can now be installed. ## Description: This update for buildah, docker fixes the following issues: Changes in docker: \- CVE-2024-23651: Fixed arbitrary files write due to race condition on mounts (bsc#1219267) \- CVE-2024-23652: Fixed insufficient validation of parent directory on mount (bsc#1219268) \- CVE-2024-23653: Fixed insufficient validation on entitlement on container creation via buildkit (bsc#1219438) \- CVE-2024-41110: A Authz zero length regression that could lead to authentication bypass was fixed (bsc#1228324) Other fixes: * Update to Docker 25.0.6-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/25.0/#2506> * Update to Docker 25.0.5-ce (bsc#1223409) * Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. (bsc#1221916) * Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. (bsc#1214855) Changes in buildah: \- Update to version 1.35.4: * [release-1.35] Bump to Buildah v1.35.4 * [release-1.35] CVE-2024-3727 updates (bsc#1224117) * integration test: handle new labels in "bud and test --unsetlabel" * [release-1.35] Bump go-jose CVE-2024-28180 * [release-1.35] Bump ocicrypt and go-jose CVE-2024-28180 * Update to version 1.35.3: * [release-1.35] Bump to Buildah v1.35.3 * [release-1.35] correctly configure /etc/hosts and resolv.conf * [release-1.35] buildah: refactor resolv/hosts setup. * [release-1.35] rename the hostFile var to reflect * [release-1.35] Bump c/common to v0.58.1 * [release-1.35] Bump Buildah to v1.35.2 * [release-1.35] CVE-2024-24786 protobuf to 1.33 * [release-1.35] Bump to v1.35.2-dev * Update to version 1.35.1: * [release-1.35] Bump to v1.35.1 * [release-1.35] CVE-2024-1753 container escape fix (bsc#1221677) * Buildah dropped cni support, require netavark instead (bsc#1221243) * Remove obsolete requires libcontainers-image & libcontainers-storage * Require passt for rootless networking (poo#156955) Buildah moved to passt/pasta for rootless networking from slirp4netns (https://github.com/containers/common/pull/1846) * Update to version 1.35.0: * Bump v1.35.0 * Bump c/common v0.58.0, c/image v5.30.0, c/storage v1.53.0 * conformance tests: don't break on trailing zeroes in layer blobs * Add a conformance test for copying to a mounted prior stage * fix(deps): update module github.com/stretchr/testify to v1.9.0 * cgroups: reuse version check from c/common * Update vendor of containers/(common,image) * fix(deps): update github.com/containers/storage digest to eadc620 * fix(deps): update github.com/containers/luksy digest to ceb12d4 * fix(deps): update github.com/containers/image/v5 digest to cdc6802 * manifest add: complain if we get artifact flags without --artifact * Use retry logic from containers/common * Vendor in containers/(storage,image,common) * Update module golang.org/x/crypto to v0.20.0 * Add comment re: Total Success task name * tests: skip_if_no_unshare(): check for --setuid * Properly handle build --pull=false * [skip-ci] Update tim-actions/get-pr-commits action to v1.3.1 * Update module go.etcd.io/bbolt to v1.3.9 * Revert "Reduce official image size" * Update module github.com/opencontainers/image-spec to v1.1.0 * Reduce official image size * Build with CNI support on FreeBSD * build --all-platforms: skip some base "image" platforms * Bump main to v1.35.0-dev * Vendor in latest containers/(storage,image,common) * Split up error messages for missing --sbom related flags * `buildah manifest`: add artifact-related options * cmd/buildah/manifest.go: lock lists before adding/annotating/pushing * cmd/buildah/manifest.go: don't make struct declarations aliases * Use golang.org/x/exp/slices.Contains * Disable loong64 again * Fix a couple of typos in one-line comments * egrep is obsolescent; use grep -E * Try Cirrus with a newer VM version * Set CONTAINERS_CONF in the chroot-mount-flags integration test * Update to match dependency API update * Update github.com/openshift/imagebuilder and containers/common * docs: correct default authfile path * fix(deps): update module github.com/containerd/containerd to v1.7.13 * tests: retrofit test for heredoc summary * build, heredoc: show heredoc summary in build output * manifest, push: add support for --retry and --retry-delay * fix(deps): update github.com/openshift/imagebuilder digest to b767bc3 * imagebuildah: fix crash with empty RUN * fix(deps): update github.com/containers/luksy digest to b62d551 * fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security] * fix(deps): update module github.com/moby/buildkit to v0.12.5 [security] * Make buildah match podman for handling of ulimits * docs: move footnotes to where they're applicable * Allow users to specify no-dereference * Run codespell on code * Fix FreeBSD version parsing * Fix a build break on FreeBSD * Remove a bad FROM line * fix(deps): update module github.com/onsi/gomega to v1.31.1 * fix(deps): update module github.com/opencontainers/image-spec to v1.1.0-rc6 * docs: use reversed logo for dark theme in README * build,commit: add --sbom to scan and produce SBOMs when committing * commit: force omitHistory if the parent has layers but no history * docs: fix a couple of typos * internal/mkcw.Archive(): handle extra image content * stage_executor,heredoc: honor interpreter in heredoc * stage_executor,layers: burst cache if heredoc content is changed * fix(deps): update module golang.org/x/crypto to v0.18.0 * Replace map[K]bool with map[K]struct{} where it makes sense * fix(deps): update module golang.org/x/sync to v0.6.0 * fix(deps): update module golang.org/x/term to v0.16.0 * Bump CI VMs * Replace strings.SplitN with strings.Cut * fix(deps): update github.com/containers/storage digest to ef81e9b * fix(deps): update github.com/containers/image/v5 digest to 1b221d4 * fix(deps): update module github.com/fsouza/go-dockerclient to v1.10.1 * Document use of containers-transports values in buildah * fix(deps): update module golang.org/x/crypto to v0.17.0 [security] * chore(deps): update dependency containers/automation_images to v20231208 * manifest: addCompression use default from containers.conf * commit: add a --add-file flag * mkcw: populate the rootfs using an overlay * chore(deps): update dependency containers/automation_images to v20230517 * [skip-ci] Update actions/stale action to v9 * fix(deps): update module github.com/containernetworking/plugins to v1.4.0 * fix(deps): update github.com/containers/image/v5 digest to 7a40fee * Bump to v1.34.1-dev * Ignore errors if label.Relabel returns ENOSUP ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.3 zypper in -t patch SUSE-2024-3120=1 * openSUSE Leap Micro 5.5 zypper in -t patch openSUSE-Leap-Micro-5.5-2024-3120=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-3120=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2024-3120=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2024-3120=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2024-3120=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2024-3120=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2024-3120=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2024-3120=1 * Containers Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2024-3120=1 * Containers Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Containers-15-SP6-2024-3120=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-3120=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-3120=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-3120=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-3120=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-3120=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-3120=1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-3120=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-3120=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-3120=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-3120=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-3120=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-3120=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3120=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3120=1 ## Package List: * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586) * buildah-1.35.4-150300.8.25.1 * openSUSE Leap Micro 5.5 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * openSUSE Leap 15.5 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-zsh-completion-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * openSUSE Leap 15.6 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-zsh-completion-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * Containers Module 15-SP5 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * Containers Module 15-SP6 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * Containers Module 15-SP6 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * docker-25.0.6_ce-150000.207.1 * buildah-1.35.4-150300.8.25.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * buildah-1.35.4-150300.8.25.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * docker-25.0.6_ce-150000.207.1 * buildah-1.35.4-150300.8.25.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * docker-rootless-extras-25.0.6_ce-150000.207.1 * docker-bash-completion-25.0.6_ce-150000.207.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * docker-25.0.6_ce-150000.207.1 * buildah-1.35.4-150300.8.25.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Enterprise Storage 7.1 (noarch) * docker-bash-completion-25.0.6_ce-150000.207.1 * docker-fish-completion-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * docker-25.0.6_ce-150000.207.1 * docker-debuginfo-25.0.6_ce-150000.207.1 ## References: * https://www.suse.com/security/cve/CVE-2024-1753.html * https://www.suse.com/security/cve/CVE-2024-23651.html * https://www.suse.com/security/cve/CVE-2024-23652.html * https://www.suse.com/security/cve/CVE-2024-23653.html * https://www.suse.com/security/cve/CVE-2024-24786.html * https://www.suse.com/security/cve/CVE-2024-28180.html * https://www.suse.com/security/cve/CVE-2024-3727.html * https://www.suse.com/security/cve/CVE-2024-41110.html * https://bugzilla.suse.com/show_bug.cgi?id=1214855 * https://bugzilla.suse.com/show_bug.cgi?id=1219267 * https://bugzilla.suse.com/show_bug.cgi?id=1219268 * https://bugzilla.suse.com/show_bug.cgi?id=1219438 * https://bugzilla.suse.com/show_bug.cgi?id=1221243 * https://bugzilla.suse.com/show_bug.cgi?id=1221677 * https://bugzilla.suse.com/show_bug.cgi?id=1221916 * https://bugzilla.suse.com/show_bug.cgi?id=1223409 * https://bugzilla.suse.com/show_bug.cgi?id=1224117 * https://bugzilla.suse.com/show_bug.cgi?id=1228324