<div class="container">
<h1>Security update for docker</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20510-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-07-28T14:32:31Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1240150">bsc#1240150</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241830">bsc#1241830</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242114">bsc#1242114</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243833">bsc#1243833</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244035">bsc#1244035</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246556">bsc#1246556</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-22872.html">CVE-2025-22872</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-22872</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-22872</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-22872</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and has five fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for docker fixes the following issues:</p>
<ul>
<li>
<p>Update to Go 1.24 for builds, to match upstream.</p>
</li>
<li>
<p>Update to Docker 28.3.2-ce. See upstream changelog online at
<a href="https://docs.docker.com/engine/release-notes/28/#2832">https://docs.docker.com/engine/release-notes/28/#2832</a></p>
</li>
<li>
<p>Update to Docker 28.3.1-ce. See upstream changelog online at
<a href="https://docs.docker.com/engine/release-notes/28/#2831">https://docs.docker.com/engine/release-notes/28/#2831</a></p>
</li>
<li>
<p>Update to Docker 28.3.0-ce. See upstream changelog online at
<a href="https://docs.docker.com/engine/release-notes/28/#2830">https://docs.docker.com/engine/release-notes/28/#2830</a>
bsc#1246556</p>
</li>
<li>
<p>Update to docker-buildx v0.25.0. Upstream changelog:
<a href="https://github.com/docker/buildx/releases/tag/v0.25.0">https://github.com/docker/buildx/releases/tag/v0.25.0</a></p>
</li>
<li>
<p>CVE-2025-22872: golang.org/x/net/html: Fixed incorrectly interpreted tags
causing content to be placed in the wrong scope during DOM construction (bsc#1241830)</p>
</li>
<li>
<p>Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable). bsc#1240150</p>
</li>
<li>
<p>Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.</p>
<p>This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-398=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>docker-debuginfo-28.3.2_ce-5.1</li>
<li>docker-buildx-debuginfo-0.25.0-5.1</li>
<li>docker-28.3.2_ce-5.1</li>
<li>docker-buildx-0.25.0-5.1</li>
</ul>
</li>
</ul>
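<p>To confirm that a host carries the fixed builds from the Package List, the following added example (not part of the SUSE advisory) compares installed versions against them. The function names, and the use of GNU <code>sort -V</code> as a stand-in for rpm's version ordering, are assumptions of this example.</p>

```bash
#!/usr/bin/env bash
# Added example: compare installed package versions with the fixed builds
# listed in this advisory's Package List.

# Fixed version-release per package, copied from the Package List above.
fixed_version() {
  case "$1" in
    docker)        echo "28.3.2_ce-5.1" ;;
    docker-buildx) echo "0.25.0-5.1" ;;
    *)             return 1 ;;
  esac
}

# version_ge A B: true when A sorts at or after B under GNU `sort -V`.
# Assumption: sort -V approximates rpm's ordering for these version
# strings; it is not rpm's own comparison algorithm.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_packages reads "name version-release" lines on stdin, prints a
# verdict per advisory package and returns 1 if any is older than the fix.
check_packages() {
  local name ver want rc=0
  while read -r name ver; do
    want=$(fixed_version "$name") || continue   # not covered by this advisory
    if version_ge "$ver" "$want"; then
      echo "OK       $name $ver"
    else
      echo "OUTDATED $name $ver (fixed in $want)"
      rc=1
    fi
  done
  return "$rc"
}

# On a real host, feed it the rpm database:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' docker docker-buildx | check_packages
```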
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-22872.html">https://www.suse.com/security/cve/CVE-2025-22872.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1240150">https://bugzilla.suse.com/show_bug.cgi?id=1240150</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241830">https://bugzilla.suse.com/show_bug.cgi?id=1241830</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242114">https://bugzilla.suse.com/show_bug.cgi?id=1242114</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243833">https://bugzilla.suse.com/show_bug.cgi?id=1243833</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244035">https://bugzilla.suse.com/show_bug.cgi?id=1244035</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246556">https://bugzilla.suse.com/show_bug.cgi?id=1246556</a>
</li>
</ul>
</div>