<div class="container">
<h1>Security update for buildkit</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20107-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-02-03T09:18:58Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219267">bsc#1219267</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219268">bsc#1219268</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219438">bsc#1219438</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-23651.html">CVE-2024-23651</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-23652.html">CVE-2024-23652</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-23653.html">CVE-2024-23653</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23651</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.4</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23651</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23652</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23652</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23653</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23653</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for buildkit fixes the following issues:</p>
<ul>
<li>Update to version 0.12.5:</li>
<li>update runc to v1.1.12</li>
<li>exec: add extra validation for submount sources (fixes CVE-2024-23651, bsc#1219267)</li>
<li>oci: fix error handling on submount calls</li>
<li>executor: recheck mount stub path within root after container run (fixes CVE-2024-23652, bsc#1219268)</li>
<li>llbsolver: make sure interactive container API validates entitlements (fixes CVE-2024-23653, bsc#1219438)</li>
<li>gateway: pass executor with build and not access worker directly</li>
<li>pb: add extra validation to protobuf types</li>
<li>sourcepolicy: add validations for nil values</li>
<li>exporter: add validation for platforms key value</li>
<li>exporter: add validation for invalid platform</li>
<li>exporter: validate null config metadata from gateway</li>
<li>ci: disable push if not upstream repo</li>
<li>hack: use git context only for upstream repo</li>
<li>hack/test: allow ALPINE_VERSION to be set from env</li>
<li>hack: align syntax</li>
<li>vendor: github.com/cyphar/filepath-securejoin v0.2.4</li>
<li>
<p>tracing: allow the <code>Resource</code> to be set externally</p>
</li>
<li>
<p>Update to version 0.12.4:</p>
</li>
<li>Fix possible concurrent map access on remote cache export</li>
<li>Fix hang on debug server listener</li>
<li>Fix possible deadlock in History API under high number of parallel builds</li>
<li>Fix possible panic on handling deleted records in History API</li>
<li>
<p>Fix possible data corruption in zstd library</p>
</li>
<li>
<p>Update to version 0.12.3:</p>
</li>
<li>Fix possible duplicate source files in provenance attestation for chained builds</li>
<li>Fix possible negative step time in progressbar for step shared with other build request</li>
<li>Fix properly closing history and cache DB on shutdown to avoid corruption</li>
<li>Fix incorrect error handling for invalid HTTP source URLs</li>
<li>Fix fallback cases for ambiguous insecure configuration provided for registry used as push target.</li>
<li>Fix possible data race with parallel image config resolves</li>
<li>Fix regression in v0.12 for clients waiting on buildkitd to become available</li>
<li>
<p>Fix Cgroup NS handling for hosts supporting only CgroupV1</p>
</li>
<li>
<p>Update to version 0.12.2:</p>
</li>
<li>Fix possible discarded network error when exporting result to client</li>
<li>
<p>Avoid unnecessary memory allocations when writing build progress</p>
</li>
<li>
<p>Update to version 0.12.1:</p>
</li>
<li>executor: fix resource sampler goroutine leak</li>
<li>[v0.11] make tracing socket forward error non-fatal</li>
<li>integration: missing env var to check feature compat</li>
<li>test: update pinned busybox image to 1.36</li>
<li>test: update pinned alpine image to 3.18</li>
<li>vendor: github.com/docker/docker 8e51b8b59cb8 (master, v25.0.0-dev)</li>
<li>executor/resource: stub out NewSysSampler on Windows</li>
<li>vendor: github.com/docker/cli v24.0.4</li>
<li>testutil: move CheckContainerdVersion to a separate package</li>
<li>llbsolver: fix policy rule ordering</li>
<li>filesync: fix backward compatibility with encoding + and %</li>
<li>hack: allow to set GO_VERSION during tests</li>
<li>test: always disable tls for dockerd worker</li>
<li>buildctl: set max backoff delay to 1 second</li>
<li>contenthash: data race</li>
<li>filesync: escape special query characters</li>
<li>applier: add hack to support docker zstd layers</li>
<li>Fix various nits</li>
<li>pullprogress data race</li>
<li>use sampler lock instead</li>
<li>Fix ResolveImageConfig to evaluate source policy</li>
<li>sampler data race fix</li>
<li>update cgroup parent test to work with cgroupns</li>
<li>Revert "specify a <code>ResponseHeaderTimeout</code> value"</li>
<li>oci: make sure cgroupns is enabled if supported</li>
<li>bash lint fix</li>
<li>rename BUILDFLAGS to GOBUILDFLAGS</li>
<li>allow ENOTSUP for PSI cgroup files</li>
<li>containerimage: use platform matcher to detect platform to unpack</li>
<li>exporter: silently skip unpacking unknown reference</li>
<li>improve error handling in ReadFile</li>
<li>dockerfile: arg for controlling go build flags</li>
<li>dockerfile: arg to enable go race detection</li>
<li>Add support for health start interval</li>
<li>Re-vendor moby/moby</li>
<li>filesync: mark if options have been encoded to detect old versions</li>
<li>dockerfile: heredoc should use 0644 permissions</li>
<li>docs: update README to reference OpenTelemetry instead of OpenTracing</li>
<li>gateway: restore original filename in ReadFile error message</li>
<li>Dockerfile: update containerd to v1.7.2</li>
<li>Use system.ToSlash() instead of filepath.ToSlash()</li>
<li>Revert most changes to client/llb</li>
<li>Remove Architecture</li>
<li>Default to linux in client</li>
<li>Ensure we use proper path separators</li>
<li>Set default platform</li>
<li>Add nil pointer check in dispatchWorkdir</li>
<li>Remove nil pointer check and extra NormalizePath</li>
<li>Rename variable, remove superfluous check</li>
<li>Use current OS as a default</li>
<li>Handle file paths based on target platform</li>
<li>exporter: unlazy references in parallel</li>
<li>exporter: simplify unlazy references to reduce duplication</li>
<li>exporter: allow unpack on multi-platform images</li>
<li>tests: add unpack to scratch export test</li>
<li>overlay: set whiteout timestamps to 1970-01-01 (not to SOURCE_DATE_EPOCH)</li>
<li>dockerfile: graduate <code>ADD --checksum=&lt;checksum&gt;</code> from labs</li>
<li>dockerfile: graduate <code>ADD &lt;git ref&gt;</code> from labs</li>
<li>dockerfile: mod-outdated target to check modules updates</li>
<li>dockerfile: use xx in dnsname stage</li>
<li>dockerfile: install musl-dev to fix compilation issue</li>
<li>dockerfile: update Alpine to 3.18</li>
<li>vendor: update fsutil to 36ef4d8</li>
<li>export(local): split opt</li>
<li>buildctl: Provide --wait option</li>
<li>containerimage: support SOURCE_DATE_EPOCH for CreatedAt</li>
<li>move flightcontrol to use generics</li>
<li>containerimage: keep layer labels for exported images</li>
<li>shell: start shell from cmd, not entrypoint</li>
<li>sbom: propagate image-resolve-mode for generator image</li>
<li>client: add extra debug to tests</li>
<li>handle missing provenance for non-evaluated result</li>
<li>tests: add provenance test for duplicate platform</li>
<li>tests: add provenance test for when context directory does not exist</li>
<li>forward: make BridgeClient public for lint</li>
<li>gateway: enable named contexts for gateway frontend</li>
<li>vendor: update vt100 with resize panic fix</li>
<li>docs: dockerfile: remove "known issues" related to AuFS</li>
<li>docs: add running instruction to CONTRIBUTING.md</li>
<li>tests: add worker close method to interface</li>
<li>add and check for gateway.exec.secretenv cap</li>
<li>move Secretenv from Meta to InitMessage</li>
<li>support passing SecretEnv to gateway containers</li>
<li>Add comment, update from review</li>
<li>Fix issue with digest merge (inconsistent graph state)</li>
<li>docs: add helper commands section to CONTRIBUTING.md</li>
<li>docs: update CONTRIBUTING.md whitespace formatting</li>
<li>integration: fix not deleting dockerd workdir</li>
<li>remove uses of deprecated ResolverOptions.Client</li>
<li>filesync: fix handling non-ascii in file paths</li>
<li>tests: add test for unicode filenames</li>
<li>Adding more docs to client/llb</li>
<li>Add special case for rw bind mounts</li>
<li>vendor: github.com/docker/cli v24.0.2</li>
<li>vendor: github.com/docker/docker v24.0.2</li>
<li>progressui: fix index printing on partial rows</li>
<li>gateway: wrap ExecProcessServer Send calls with a mutex</li>
<li>resources: make maxsamples configurable</li>
<li>llbsolver: add systemusage samples to provenance attestation</li>
<li>resources: store sys cpu usage per step</li>
<li>resources: add sampler for periodic stat reads</li>
<li>resources: CNI network usage sampling support</li>
<li>resources: add build step resource tracking via cgroups</li>
<li>solver: lock before using actives</li>
<li>Emulate "bind" mounts using the bind filter</li>
<li>Fix mount layers on host</li>
<li>llbsolver: set temporary lease in Commit context</li>
<li>Update containerd dependency</li>
<li>exporter: Add exptypes with Common exporter keys</li>
<li>exporter/image/exptypes: Make strongly typed</li>
<li>solver: move AddBuildConfig into llbsolver package</li>
<li>tests: add test to check url format for image loaded from oci layout</li>
<li>solver: mark locally loaded images as such</li>
<li>solver: merge local and remote images into single list</li>
<li>purl: allow RefToPURL to take a type parameter</li>
<li>tests: don't use purl code to test itself</li>
<li>Use linux as a default for inputOS</li>
<li>Add path handling functions</li>
<li>response to comments</li>
<li>containerimage: Export option keys</li>
<li>vendor: update spdx/tools-golang to v0.5.1</li>
<li>exporter: remove non dist options from tar exporter</li>
<li>exporter: move fs opt parsing to method</li>
<li>tests: fixup attestation tar to not panic when file not found</li>
<li>git: set umask without reexec</li>
<li>add language property for sourcemap</li>
<li>dockerfile/docs: add set -ex to heredoc #3870</li>
<li>authprovider: fix a bug where registry-1.docker.io auth was always a cache miss</li>
<li>response to comments</li>
<li>tracing: fix buildx tracing delegation</li>
<li>Update continuity and fsutil</li>
<li>cache: add a few more fields to ref trace logs.</li>
<li>vendor: github.com/containerd/go-runc v1.1.0</li>
<li>provenance: fix possible empty digest access</li>
<li>vendor: fix broken vendoring</li>
<li>dockerfile: bump up nerdctl to v1.4.0</li>
<li>bump nydus-snapshotter dependence to v0.8.2</li>
<li>vendor: github.com/docker/cli v24.0.1</li>
<li>vendor: github.com/docker/docker v24.0.1</li>
<li>vendor: github.com/containerd/containerd v1.7.1</li>
<li>vendor: github.com/Microsoft/hcsshim v0.10.0-rc.8</li>
<li>vendor: github.com/Microsoft/go-winio v0.6.1</li>
<li>vendor: golang.org/x/sys v0.7.0</li>
<li>vendor: github.com/containerd/typeurl/v2 v2.1.1</li>
<li>chore: bump spdx tools</li>
<li>Fix typo in attestation-storage.md</li>
<li>vendor: github.com/docker/cli v24.0.0</li>
<li>vendor: github.com/docker/docker v24.0.0</li>
<li>vendor: github.com/opencontainers/runc v1.1.7</li>
<li>vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2</li>
<li>vendor: github.com/klauspost/compress v1.16.3</li>
<li>Dockerfile: CONTAINERD_VERSION=v1.7.1</li>
<li>Dockerfile: CONTAINERD_ALT_VERSION_16=v1.6.21</li>
<li>Dockerfile: RUNC_VERSION=v1.1.7</li>
<li>session: avoid logging healthcheck error on canceled connection</li>
<li>session: fix run and close synchronization</li>
<li>testutil: update ReadImages to fallback to reading manifest</li>
<li>Add trace logs for cache leaks.</li>
<li>Add some doc strings for LLB functions</li>
<li>attestations: move containerd media type warnings</li>
<li>update generated proto files</li>
<li>attestations: replace intoto media type with vendored const</li>
<li>nydus: bump nydus versions in Dockerfile and doc</li>
<li>feedback changes for moby/buildkit #2251</li>
<li>testutil: expose underlying docker address for supported workers</li>
<li>testutil: expose integration workers as public</li>
<li>remove type aliases for leasemanager/contentstore</li>
<li>llbsolver: move history blobs to a separate namespace</li>
<li>build(deps): bump github.com/docker/distribution</li>
<li>added import/export support for OCI compatible image manifest version of cache manifest (opt-in on export, inferred on import) moby/buildkit #2251</li>
<li>llb: carry platform from inputs for merge/diff</li>
<li>llb: don't include platform in fileop</li>
<li>control: fix possible deadlock on network error</li>
<li>exporter/containerimage: remove redundant type for var declaration</li>
<li>Fix not to set the value on empty vertex</li>
<li>Fix to import as digest</li>
<li>cache: always release ref when getting size in usage.</li>
<li>Drop unneeded variable</li>
<li>ssh: add fallback to ensure conn is closed in all cases.</li>
<li>vendor: github.com/opencontainers/image-spec v1.1.0-rc3</li>
<li>vendor: github.com/docker/cli v23.0.5</li>
<li>vendor: github.com/docker/docker v23.0.5</li>
<li>nydus: update nydus-snapshotter dependency to v0.8.0</li>
<li>progressui: fix possible zero prefix numbers in logs</li>
<li>llbsolver: send active event only to current client</li>
<li>llbsolver: send delete status event</li>
<li>llbsolver: filter out records marked deleted from list responses</li>
<li>Add Windows service support</li>
<li>docs: fixup build repro doc with updated policy format</li>
<li>test: use appropriate snapshotter service to walk snapshots</li>
<li>overlay: use function to check for overlay-based mounts</li>
<li>Update uses of Image platform fields in OCI image-spec</li>
<li>allow setting user agent products</li>
<li>Bump up golangci-lint to v1.52.2</li>
<li>chore: tidy up duplicated imports</li>
<li>solver: Release unused refs in LoadWithParents</li>
<li>Avoid panic on parallel walking on DefinitionOp</li>
<li>solver: skip sbom post processor if result is nil</li>
<li>vendor: github.com/docker/docker v23.0.4</li>
<li>vendor: github.com/docker/cli v23.0.4</li>
<li>vendor: golang.org/x/time v0.3.0</li>
<li>vendor: github.com/docker/cli v23.0.2</li>
<li>vendor: github.com/docker/docker v23.0.2</li>
<li>test: don't hang if a process doesn't run</li>
<li>ci: put worker name first for better UX in actions</li>
<li>go.mod: remove github.com/kr/pretty</li>
<li>Revert "Problem: can't use anonymous S3 credentials"</li>
<li>go.mod: bump up runc to v1.1.6</li>
<li>go.mod: Bump up stargz-snapshotter to v0.14.3</li>
<li>dockerfile: bump up stargz-snapshotter to v0.14.3</li>
<li>dockerfile: bump up runc to v1.1.6</li>
<li>buildkitd: add grpc reflection</li>
<li>Bump up nerdctl to 1.3.0</li>
<li>Bump up containerd 1.6.20</li>
<li>Fix gzip decoding of HTTP sources.</li>
<li>ci: update runner os to ubuntu 22.04</li>
<li>Fix bearer token expiration check (fixes #3779)</li>
<li>docs: update buildkitd.toml with new field info</li>
<li>buildkitd: allow durations for gc config</li>
<li>buildkitd: allow multiple units for gc config</li>
<li>dockerui: expose context detection functions as public</li>
<li>Prevent overflow of runc exit code.</li>
<li>Upgrade to latest go-runc.</li>
<li>runc worker: fix sigkill handling</li>
<li>Dockerfile: RUNC_VERSION=v1.1.5</li>
<li>client: add client opts to enable system certificates</li>
<li>Make ClientOpts type safe</li>
<li>build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5</li>
<li>fileop: create new fileOpSolver instance per Exec call</li>
<li>Provide CacheManager to Controller instead of CacheKeyManager.</li>
<li>http: ensure HEAD and GET requests have same headers</li>
<li>docs: add auto-generated sections to buildctl.md</li>
<li>client: allow grpc dial option passthrough</li>
<li>cni: simplify netns creation</li>
<li>add Bass to list of LLB languages</li>
<li>llbsolver: fix sorting of history records</li>
<li>llbsolver: Fix performance of recomputeDigests</li>
<li>solve: use comparables instead of reflection in result struct</li>
<li>vendor: github.com/docker/cli v23.0.1</li>
<li>vendor: github.com/docker/docker v23.0.1</li>
<li>client: create oci-layout file in StoreIndex</li>
<li>ci: output annotations for failures</li>
<li>test: set mod vendor</li>
<li>test: use gotestsum to generate reports</li>
<li>fix gateway exec tty cleanup on context.Canceled</li>
<li>fix process termination handling for runc exec</li>
<li>Register builds before recording build history</li>
<li>docs(dockerfile): minimal Dockerfile version support for chmod</li>
<li>Update builder.md to document newly supported --chmod features in both ADD and COPY statements.</li>
<li>use bklog.G(ctx) instead of logrus directly</li>
<li>integration: missing mergeDiff compat check</li>
<li>chore: <code>translateLegacySolveRequest</code> does not need to return error checking.</li>
<li>integration: split feature compat check for subtests</li>
<li>integration: missing feature compat check for cache</li>
<li>dockerfile: fix reproducible digest test for non-amd64</li>
<li>integration: add FeatureMergeDiff compat</li>
<li>integration: add FeatureCacheBackend* compat</li>
<li>integration: enforce features compat through env vars</li>
<li>ci: upstream docs conformance validation</li>
<li>dockerfile(docs): fix liquid syntax</li>
<li>Problem: can't use anonymous S3 credentials</li>
<li>hack: remove build_ci_first_pass script</li>
<li>hack: binaries and cross bake targets</li>
<li>go.mod: update to go 1.20</li>
<li>Dockerfile: CONTAINERD_VERSION=v1.7.0</li>
<li>go.mod: github.com/containerd/containerd v1.7.0</li>
<li>Add Namespace to list of buildkit users.</li>
<li>remove buildinfo</li>
<li>buildinfo: add BUILDKIT_BUILDINFO build arg</li>
<li>buildinfo: mark as deprecated</li>
<li>docs: deprecated features page</li>
<li>rootless: guide for Bottlerocket OS (<code>sysctl -w user.max_user_namespaces=N</code>)</li>
<li>rootless: fix up unprivileged mount opts</li>
<li>Dockerfile: CONTAINERD_VERSION=v1.7.0-rc.3, CONTAINERD_ALT_VERSION_16=v1.6.19</li>
<li>go.mod: github.com/containerd/containerd v1.7.0-rc.3</li>
<li>version: add "v" prefix to version for tagging convention consistency</li>
<li>remove context name validation from kubepod connhelper</li>
<li>gateway: add hostname option to NewContainer API</li>
<li>fix error message typo</li>
<li>provenance: ensure URLs are redacted before written</li>
<li>test/client: Close buildkit client</li>
<li>docs: missing security policy markdown file</li>
<li>diffapply: do chown before xattrs</li>
<li>Add test for merge of files with capabilities.</li>
<li>fix a possible panic on cache</li>
<li>Update cmd/buildkitd/main_windows.go</li>
<li>ci(validate): use bake</li>
<li>hack: shfmt bake target</li>
<li>hack: generated-files bake target</li>
<li>hack: doctoc bake target</li>
<li>hack: lint bake target</li>
<li>hack: authors Dockerfile and bake target</li>
<li>hack: bake definition with vendor targets</li>
<li>Fix buildkitd panic when frontend input is nil.</li>
<li>ci: trigger workflows on push to release branches</li>
<li>build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0</li>
<li>ci: create GitHub Release for frontend as well</li>
<li>ci: make release depends on image job</li>
<li>lint: fix issues with go 1.20</li>
<li>remove deprecated golangci-lint linters</li>
<li>update golangci-lint to v1.51.1</li>
<li>update to go 1.20</li>
<li>Allow DefinitionOp to track sources</li>
<li>specify a <code>ResponseHeaderTimeout</code> value</li>
<li>Ensures that the primary GID is also included in the additional GIDs</li>
<li>ci: fix missing TESTFLAGS env var in test-os workflow</li>
<li>Dockerfile: update containerd to v1.7.0-beta.4, v1.6.18</li>
<li>go.mod: github.com/containerd/containerd v1.7.0-beta.4</li>
<li>ci: update softprops/action-gh-release to v0.1.15</li>
<li>ci: remove unused vars in dockerd workflow</li>
<li>ci: split cross job</li>
<li>Dockerfile: remove binaries-linux-helper stage</li>
<li>ci: rename unclear env vars</li>
<li>readme: fix and update badges</li>
<li>ci: rename build workflow to buildkit</li>
<li>ci: reusable test workflow</li>
<li>ci: move test-os to a dedicated workflow</li>
<li>ci: move frontend integration tests and build to a dedicated workflow</li>
<li>stargz-snapshotter: graduate from experimental</li>
<li>Bump up stargz-snapshotter to v0.14.1</li>
<li>set osversion in index descriptor from base image</li>
<li>progress: solve status description</li>
<li>ci: update buildx to latest</li>
<li>Dockerfile: update xx to 1.2.1</li>
<li>integration: make sure registry directory exists</li>
<li>gha: avoid range requests with too big offset</li>
<li>ci: merge test-nydus job in test one</li>
<li>ci: remove branch restriction on pull request event</li>
<li>client: add tests for layerID in comment field</li>
<li>exporter: fix sbom supplement core detection</li>
<li>exporter: fix supplement sboms on empty scratch layer</li>
<li>exporter: fix file layer finder whiteout detection</li>
<li>exporter: canonicalize sbom file paths during search</li>
<li>Add platform tracing socket paths and mounts</li>
<li>integration: log dockerd cmd</li>
<li>integration: set custom flags for dockerd worker</li>
<li>remotecache: proper exporter naming for gha, s3 and azblob</li>
<li>remotecache: explicit names for registry and local</li>
<li>exporter: use compression.ParseAttributes func</li>
<li>remotecache: mutualize compression parsing attrs</li>
<li>lex: add support for optional colon in variable expansion</li>
<li>test: rework TestProcessWithMatches to use a matrix</li>
<li>dockerfile: update to use dockerui pkg</li>
<li>dockerui: separate docker frontend params to reusable package</li>
<li>cache: add fallback for snapshotID</li>
<li>exporter: remove wrappers for oci data types</li>
<li>vendor: github.com/docker/cli v23.0.0</li>
<li>vendor: github.com/docker/docker v23.0.0</li>
<li>hack: do not cache some stages on release</li>
<li>hack: do not set attest flags when exporting to docker</li>
<li>git: override the locale to ensure consistent output</li>
<li>fix support for empty git ref with subdir</li>
<li>gitutil: use subtests</li>
<li>source: more tests cases for git identifier</li>
<li>source: use subtests cases for git identifier</li>
<li>otel: bump dependencies to v1.11.2/v0.37.0</li>
<li>hack: treat unset variables as an error</li>
<li>frontend: fix typo in release script</li>
<li>ci: create matrix for building frontend image</li>
<li>inline cache: fix blob indexes by uncompressed digest</li>
<li>Skip configuring cache exporter if it is nil.</li>
<li>docs: update syntax for labs channel in examples</li>
<li>integration: remove wrong compat condition</li>
<li>integration: fix compat check for CNI DNS test</li>
<li>cache: don’t link blobonly based on chainid</li>
<li>do not mount secrets that are optional and missing from solve opts</li>
<li>SOURCE_DATE_EPOCH: drop timezone</li>
<li>sbom: create tmp directory for scanner image</li>
<li>progress: keep color enabled with NO_COLOR empty</li>
<li>hack: remove azblob_test</li>
<li>integration: basic azblob cache test</li>
<li>test: add proxy build args when existed</li>
<li>vendor: github.com/docker/cli v23.0.0-rc.3</li>
<li>vendor: github.com/docker/docker v23.0.0-rc.3</li>
<li>vendor: golang.org/x/net v0.5.0</li>
<li>vendor: golang.org/x/text v0.6.0</li>
<li>vendor: golang.org/x/sys v0.4.0</li>
<li>Dockerfile: CNI plugins v1.2.0</li>
<li>Dockerfile: CONTAINERD_VERSION=v1.7.0-beta.3, CONTAINERD_ALT_VERSION_16=v1.6.16</li>
<li>Fix tracing listener on Windows</li>
<li>go.mod: github.com/containerd/containerd v1.7.0-beta.3</li>
<li>control: send current timestamp header with event streams</li>
<li>vendor: update containerd to v1.6.16-0.1709cfe273d9</li>
<li>buildctl: add ref-file to get history record for a build</li>
<li>client: make sure ref is configurable for the history API</li>
<li>history: save completed steps with cache stats</li>
<li>history: fix exporter key not being passed</li>
<li>history: fix logs and traces are saving on canceled builds</li>
<li>hack: add correct entrypoint to shell script</li>
<li>ci: use moby/buildkit:latest in build action</li>
<li>dockerfile: add testReproSourceDateEpoch</li>
<li>Fix cache cannot reuse lazy layers</li>
<li>Correct manifests_prefix documentation for S3 cache</li>
<li>Use golang.org/x/sys/windows instead of syscall</li>
<li>dockerfile: release frontend for i386 platform</li>
<li>Add get-user-info utility</li>
<li>optimize --dry-run flag</li>
<li>fix(tracing): spelling of OTEL_TRACES_EXPORTER value</li>
<li>Propagate sshforward send side connection close</li>
<li>buildctl: add <code>buildctl debug histories, buildctl prune-histories</code></li>
<li>dockerfile: fix panic on warnings with multi-platform</li>
<li>vendor: github.com/docker/cli v23.0.0-rc.2</li>
<li>vendor: github.com/docker/docker v23.0.0-rc.2</li>
<li>vendor: github.com/containerd/containerd v1.6.15</li>
<li>cache: add registry.insecure option to registry exporter</li>
<li>Make local cache non-lazy</li>
<li>docs/build-repro.md: add the SOURCE_DATE_EPOCH section</li>
<li>docs: clarified build argument example by changing the variable name</li>
<li>azblob cache: account_name attribute</li>
<li>docs: master -> 0.11</li>
<li>ci: fix dockerd workflow with latest changes from moby</li>
<li>integration: set mirrors and entitlements with dockerd worker</li>
<li>github: update CI to buildkit version</li>
<li>exporter: ensure spdx order prioritizes primary sbom</li>
<li>hack: remove s3_test</li>
<li>integration: basic s3 cache test</li>
<li>integration: add runCmd and randomString utils</li>
<li>integration: expose backend logs in sandbox interface</li>
<li>azblob_test: pin busybox to avoid "Illegal instruction" error</li>
<li>docs: add nerdctl container buildkitd address docs</li>
<li>feat: add namespace support for nerdctl container</li>
<li>ci: add ci to check README toc</li>
<li>testutil: pin busybox and alpine used in releases</li>
<li>exporter: allow configuring inline attestations for image exporters</li>
<li>exporter: force enabling inline attestations for image export</li>
<li>docs: change semicolons to double ampersands</li>
<li>llbsolver: fix panic when requesting provenance on nil result</li>
<li>vendor: update fsutil to fb43384</li>
<li>attestation: only supplement file data for the core scan</li>
<li>docs: add index page for attestations</li>
<li>docs: move attestation docs to dedicated directory</li>
<li>docs: rename slsa.md to slsa-provenance.md</li>
<li>docs: tidy up json examples for slsa definitions</li>
<li>docs: add cross-linking between slsa pages</li>
<li>Flakiness in azblob test job</li>
<li>vendor: update spdx/tools-golang to d6f58551be3f</li>
<li>feat: add nerdctl-container support for client</li>
<li>docs: slsa review updates</li>
<li>docs: moved slsa definitions to a separate page</li>
<li>docs: slsa editorial fixes</li>
<li>docs: add filename to provenance attestation</li>
<li>docs: update hermetic field after it was moved in implementation</li>
<li>docs: update provenance docs</li>
<li>docs: add slsa provenance documentation</li>
<li>progress: fix clean context cancelling</li>
<li>fix: updated_at -> updated-at</li>
<li>Solve panic due to concurrent access to ExportSpans</li>
<li>feat: allow ignoring remote cache-export error if failing</li>
<li>add cache stats to the build history API</li>
<li>vendor: github.com/docker/cli v23.0.0-rc.1</li>
<li>vendor: github.com/docker/docker v23.0.0-rc.1</li>
<li>vendor: github.com/containerd/containerd v1.6.14</li>
<li>frontend: fix testMultiStageImplicitFrom to account for busybox changes</li>
<li>sshforward: skip conn close on stream CloseSend.</li>
<li>chore: update buildkitd.toml docs with mirror path example</li>
<li>feat: handle mirror url with path</li>
<li>provenance: fix the order of the build steps</li>
<li>provenance: move hermetic field into a correct struct</li>
<li>add possibility to override filename for provenance</li>
<li>Fix typo in CapExecMountBindReadWriteNoOutput.</li>
<li>Use SkipOutput instead of -1 for output indexes to clarify semantics.</li>
<li>fix indentation for in-toto and traces</li>
<li>attestation: forbid provenance attestations from frontend</li>
<li>attestation: validate attestations before unbundling as well</li>
<li>exporter: make attestation validation public</li>
<li>result: change reason types to strings</li>
<li>attestations: ignore spdx parse errors</li>
<li>attestations: propagate metadata through unbundling</li>
<li>gateway: add additional check to prevent content func from being forwarded</li>
<li>ociindex: add utility method for getting a single manifest from the index</li>
<li>ociindex: refactor to hide implementation internally</li>
<li>cache: test gha cache exporter</li>
<li>containerdexecutor: add network namespace callback</li>
<li>frontend/dockerfile: BFlags.Parse(): use strings.Cut()</li>
<li>frontend/dockerfile: parseExtraHosts(): use strings.Cut()</li>
<li>frontend/dockerfile: parseMount() use strings.Cut(), and some minor cleanup</li>
<li>frontend/dockerfile: move check for cache-sharing</li>
<li>frontend/dockerfile: provide suggestions for mount share mode</li>
<li>frontend/dockerfile: define types for enums</li>
<li>frontend/dockerfile/shell: use strings.Equalfold</li>
<li>frontend/dockerfile/parser: remove redundant concat</li>
<li>frontend/dockerfile: parseBuildStageName(): pre-compile regex</li>
<li>frontend/dockerfile: remove isSSHMountsSupported, isSecretMountsSupported</li>
<li>docs: Enable rootless for stargz-snapshotter</li>
<li>executor/oci: GetResolvConf(): simplify handling of resolv.conf</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE-recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-156=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>buildkit-0.12.5-1.1</li>
<li>buildkit-debuginfo-0.12.5-1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-23651.html">https://www.suse.com/security/cve/CVE-2024-23651.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-23652.html">https://www.suse.com/security/cve/CVE-2024-23652.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-23653.html">https://www.suse.com/security/cve/CVE-2024-23653.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219267">https://bugzilla.suse.com/show_bug.cgi?id=1219267</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219268">https://bugzilla.suse.com/show_bug.cgi?id=1219268</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219438">https://bugzilla.suse.com/show_bug.cgi?id=1219438</a>
</li>
</ul>
</div>