SUSE-SU-2025:20510-1: moderate: Security update for docker
SLE-SECURITY-UPDATES
null at suse.de
Mon Aug 4 08:33:49 UTC 2025
# Security update for docker
Announcement ID: SUSE-SU-2025:20510-1
Release Date: 2025-07-28T14:32:31Z
Rating: moderate
References:
* bsc#1240150
* bsc#1241830
* bsc#1242114
* bsc#1243833
* bsc#1244035
* bsc#1246556
Cross-References:
* CVE-2025-22872
CVSS scores:
* CVE-2025-22872 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
* CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
* CVE-2025-22872 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Affected Products:
* SUSE Linux Micro 6.0
An update that solves one vulnerability and has five fixes can now be installed.
## Description:
This update for docker fixes the following issues:
* Update to Go 1.24 for builds, to match upstream.
* Update to Docker 28.3.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2832>
* Update to Docker 28.3.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2831>
* Update to Docker 28.3.0-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2830> bsc#1246556
* Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
* CVE-2025-22872: golang.org/x/net/html: Fixed incorrectly interpreted tags
causing content to be placed wrong scope during DOM construction
(bsc#1241830)
* Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in
this mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently this
would've required migrating from SLE packages to openSUSE packages (which wasn't
supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built
SUSEConnect support, this is now a practical issue users will run into.
bsc#1244035
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-398=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* docker-debuginfo-28.3.2_ce-5.1
* docker-buildx-debuginfo-0.25.0-5.1
* docker-28.3.2_ce-5.1
* docker-buildx-0.25.0-5.1
## References:
* https://www.suse.com/security/cve/CVE-2025-22872.html
* https://bugzilla.suse.com/show_bug.cgi?id=1240150
* https://bugzilla.suse.com/show_bug.cgi?id=1241830
* https://bugzilla.suse.com/show_bug.cgi?id=1242114
* https://bugzilla.suse.com/show_bug.cgi?id=1243833
* https://bugzilla.suse.com/show_bug.cgi?id=1244035
* https://bugzilla.suse.com/show_bug.cgi?id=1246556
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250804/b06f8548/attachment.htm>
More information about the sle-security-updates
mailing list