SUSE-SU-2025:20385-1: moderate: Security update for docker-compose

SLE-UPDATES null at suse.de
Thu Jun 12 12:30:28 UTC 2025



# Security update for docker-compose

Announcement ID: SUSE-SU-2025:20385-1  
Release Date: 2025-06-10T11:32:07Z  
Rating: moderate  
References:

  * bsc#1217070

Cross-References:

  * CVE-2023-47108

CVSS scores:

  * CVE-2023-47108 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-47108 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

  * SUSE Linux Micro 6.0

An update that solves one vulnerability can now be installed.

## Description:

This update for docker-compose fixes the following issues:

Update to version 2.33.1:

  * Improvements

    * Add support for gw_priority, enable_ipv4 (requires docker v28.0) by @thaJeztah in #12570
  * Fixes

    * Run watch standalone if menu fails to start by @ndeloof in #12536
    * Report error using non-file secret|config with read-only service by @ndeloof in #12531
    * Don't display bake suggestion when using --progress with quiet or json option by @glours in #12561
    * Fix pull --parallel and --no-parallel deprecation warnings missing by @maxproske in #12555
    * Fix error message when detach is implied by wait by @ndeloof in #12566
  * Dependencies

    * build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @dependabot in #12556
    * build(deps): bump google.golang.org/grpc from 1.68.1 to 1.70.0 by @dependabot in #12494
    * go.mod: update to docker v28.0.0 by @thaJeztah in #12545

Update to version 2.33.0:

  * Important

    * This release introduces support for Bake to manage builds as an alternative to the internal buildkit client. This new feature can be enabled by setting the COMPOSE_BAKE=1 variable. Bake will become the default builder in a future release.
  * Improvements

    * let user know bake is now supported by @ndeloof in #12524
    * support additional_context reference to another service by @ndeloof in #12485
    * add support for BUILDKIT_PROGRESS by @ndeloof in #12458
    * add --with-env flag to publish command by @glours in #12482
    * Update ls --quiet help description by @maxproske in #12541
    * Publish warn display env vars by @glours in #12486
  * Fixes

    * Fix bake support by @ndeloof in #12507
    * Update link in stats --help output by @maxproske in #12523
    * Properly handle "builtin" seccomp profile by @r-bk in #12478
    * manage watch applied to multiple services by @ndeloof in #12469
  * Internal

    * use main branch for docs upstream validation workflow by @crazy-max in #12487
    * fix provenance for binaries and generate sbom by @crazy-max in #12479
    * add codeowners file by @glours in #12480
    * remove exit code per error type used by legacy metrics system by @ndeloof in #12502
    * Dockerfile: update golangci-lint to v1.63.4 by @thaJeztah in #12546
    * Full test coverage for compatibility cmd by @maxproske in #12528
    * don't send raw os.Args to opentelemetry but a pseudo command line by @ndeloof in #12530
    * add docker engine v28.x to the test-matrix by @thaJeztah in #12539
    * enable copyloopvar linter by @thaJeztah in #12542
    * go.mod: remove toolchain directive by @thaJeztah in #12551
  * Dependencies

    * bump buildx v0.20.1 by @ndeloof in #12488
    * bump docker to v27.5.1 by @ndeloof in #12491
    * bump compose-go v2.4.8 by @ndeloof in #12543
    * bump golang.org/x/sys from 0.28.0 to 0.30.0 by @dependabot in #12529
    * bump github.com/moby/term v0.5.2 by @thaJeztah in #12540
    * bump github.com/otiai10/copy from 1.14.0 to 1.14.1 by @dependabot in #12493
    * bump github.com/jonboulle/clockwork from 0.4.0 to 0.5.0 by @dependabot in #12430
    * bump github.com/spf13/pflag from 1.0.5 to 1.0.6 by @dependabot in #12548
    * bump golang.org/x/sync from 0.10.0 to 0.11.0 by @dependabot in #12547
    * bump gotest.tools/v3 from 3.5.1 to 3.5.2 by @dependabot in #12549

Update to version 2.32.4:

  * add missing tag for build during merge workflow
  * ci: re-use local source to build binary images
  * ci: use local source for binary builds

Update to version 2.32.3:

  * ci: update bake-action to v6
  * simplification
  * image can be set to a local ID, that isn't a valid docker ref
  * can't render progress concurrently with buildkit
  * exclude one-off container running convergence
  * Only override service mac if set on the main network.

Update to version 2.32.2:

  * remove engine v25 from e2e test matrix. The 1st version available for Ubuntu
    24.x is Docker Engine v26
  * fix relative path in compose file
  * bump compose-go to v2.4.7
  * replace tibdex/github-app-token by official GitHub create-github-app-token
  * bump golang.org/x/net to v0.33.0 to fix potential security issue
    https://github.com/golang/go/issues/70906
  * checkExpectedVolumes must ignore anonymous volumes
  * When retrying to resolveOrCreateNetwork, retry with a valid network name
  * only check bind mount conflict if sync action is involved
  * use the 3 latest major versions of the engine to run e2e step
  * bump Golang version to v1.22.10 and update CI actions
  * add --pull to run command
  * CI to validate fmt
  * `make fmt` so any contributor can enforce formatting
  * format code with gofumpt

Update to version 2.32.1:

  * e2e test to prevent future regression
  * only check volume mounts for updated config

Update to version 2.32.0:

  * e2e test for recreate volume
  * build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1
  * build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0
  * build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
  * prompt user to confirm volume recreation
  * Recreate container on volume configuration change
  * introduce watch restart action
  * bump otel dependencies to v1.28.0 and v0.53.0 to align with buildx, buildkit
    and engine versions
  * bump docker/buildx to latest release
  * fix support for service.mac_address
  * update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
  * build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0
  * Update pkg/e2e/watch_test.go
  * first watch action for a file event wins
  * fix
  * revisit TestDebounceBatching
  * introduce sync+exec watch action
  * log configuration error as a watch log event
  * do not require a build section but for `rebuild` action
  * pull --quiet should not drop status message, only progress
  * use latest engine tags
  * Bump buildx to 0.19.1
  * be sure everything has been cleaned up at the end of each test
  * add local config.json to test configuration dir if exists
  * disable failing TestBuildSSH test
  * fix build with bake

Update to version 2.31.0:

  * bump containerd to v1.7.24
  * bump google.golang.org/grpc to v1.68.0
  * build(deps): bump github.com/moby/buildkit from 0.17.1 to 0.17.2
  * build(deps): bump github.com/compose-spec/compose-go/v2
  * only stop dependent containers ... if there's some
  * disable TestNetworkConfigChanged which is unstable on CI
  * only check attached networks on running containers
  * fix: commit tests
  * feat: add commit command
  * run build tests against bake
  * delegate build to buildx bake
  * build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
  * use service.stop to stop dependent containers
  * Update wait-timeout flag usage to include the unit
  * go.mod: github.com/docker/cli v27.4.0-rc.2
  * go.mod: github.com/docker/docker v27.4.0-rc.2
  * go.mod: github.com/docker/cli 8d1bacae3e49 (v27.4.0-rc.2-dev)
  * go.mod: github.com/docker/cli v27.4.0-rc.1
  * go.mod: github.com/docker/docker v27.4.0-rc.1
  * Update pkg/compose/convergence.go
  * detect network config changes and recreate if needed
  * go.mod: github.com/docker/buildx v0.18.0
  * go.mod: github.com/moby/buildkit v0.17.1
  * gha: test against docker engine v27.4.0
  * push empty descriptor layer when using OCI version 1.1 for Compose artifact.
    It fixes a repository creation issue when pushing the 1st time a Compose OCI
    artifact on the Hub
  * remove ddev e2e tests
  * implement remove-orphans on run
  * ci: enable testifylint linter
  * Emit events for building images
  * Fix compose images that return a different image with the same ID
  * remove obsolete containers first on scale down
  * pass stale bot inactivity limit from 6 to 3 months
  * fix(config): Print service names with --no-interpolate
  * build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0
  * build(deps): bump golang.org/x/sync from 0.8.0 to 0.9.0

Update to version 2.30.3:

  * bump compose-go v2.4.4
  * Avoid starting all services on rebuild

Update to version 2.30.2:

  * remove ArtifactType from Config in OCI v1.1 definition of the artifact
  * build(deps): bump github.com/compose-spec/compose-go/v2
  * Service being declared in a profile must not trigger re-creation
  * Add profile e2e test case to document in compose
  * Update `MAINTAINERS` file

Update to version 2.30.1:

  * bump compose-go to version v2.4.2

Update to version 2.30.0:

  * Improvements

    * Introduce service hooks by @ndeloof (12166)
    * Introduce generate command as alpha command by @glours (12209)
    * Add export command by @jarqvi (12120)
    * Add support for CDI device request using devices by @ndeloof (12184)
    * Add support for bind recursive by @ndeloof (12210)
    * Allow usage of -f flag with OCI Compose artifacts by @glours (12220)
  * Fixes

    * Append unix-style relative path when computing container target path by @ndeloof (12145)
    * Wait for dependent service up to delay set by --wait-timeout by @ndeloof (12156)
    * Check secret source exists, as bind mount would create target by @ndeloof (12151)
    * After container restart register printer consumer by @jhrotko (12158)
    * Fix(down): Fix down command if specified services are not running by @idsulik (12164)
    * Show watch error message and open DD only when w is pressed by @jhrotko (12165)
    * Fix(push): Fix unexpected EOF on alpha publish by @idsulik (12169)
    * Fix(convergence): Serialize access to observed state by @anantadwi13 (12150)
    * Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by @jhrotko (12192)
    * Support Dockerfile-specific ignore-file with watch by @ndeloof (12193)
    * Add support for raw env_file format by @ndeloof (12179)
    * Convert GPUs to DeviceRequests with implicit "gpu" capability by @ndeloof (12197)
    * Improve error message to include expected network label by @divinity76 (12213)
    * Don't use progress to render restart, which hides logs by @ndeloof (12226)
    * One-off containers are not indexed, and must be ignored by exec --index command by @ndeloof (12224)
    * Don't warn about uid/gid not being supported while ... they are by @ndeloof (12232)
    * Connect to external networks by name by @ndeloof (12234)
    * Fix push error message typo by @chris-crone (12237)
    * Fix(dockerignore): Add wildcard support to dockerignore.go by @idsulik (12239)
  * Internal

    * Remove bind options when creating a volume type by @jhrotko (12177)
    * pass device.options to engine by @ndeloof (12183)
    * Add security policy by @thaJeztah (12194)
    * Gha: set default permissions to "contents: read" by @thaJeztah (12195)
    * Desktop: allow this client to be identified via user-agent by @djs55 (12212)
    * Compose-go clean volume target to avoid ambiguous comparisons by @ndeloof (12208)
  * Dependencies

    * Bump docker v27.3.1 by @ndeloof (12178)
    * Build(deps): bump golang.org/x/sys from 0.25.0 to 0.26.0 by @dependabot (12189)
    * Bump compose-go to v2.3.0 by @glours (12198)
    * Bump compose-go to v2.4.0 by @glours (12231)
    * Bump compose-go to v2.4.1 by @glours (12243)
    * Build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23 by @dependabot (12211)
    * Bump golang minimal version to 1.22 in go.mod by @glours (12246)
    * Bump go.uber.org/mock to v0.5.0 and google.golang.org/grpc to v1.67.1 by @glours (12245)

Update to version 2.29.7:

  * revert commits link to mount API over bind changes

Update to version 2.29.6:

  * don't set propagation if target engine isn't linux
  * build(deps): bump github.com/docker/docker v27.3.0-rc.2
  * build(deps): bump github.com/docker/cli v27.3.0-rc.2

Update to version 2.29.5:

  * set propagation default
  * Remove custom codeql workflow

Update to version 2.29.4:

  * fix import
  * chore(watch): Add debug log when skipping service without build context
  * stop dependent containers before recreating diverged service
  * Fixed possible `nil` pointer dereference
  * bump github.com/docker/buildx v0.17.1
  * build(deps): bump docker, docker/cli to v27.3.0-rc.1
  * gha: test against docker engine v27.3.0

Update to version 2.29.3:

  * show sync files only in debug level
  * chore(watch): Add changed files path/count to log
  * build(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0
  * bump compose-go to version v2.2.0
  * Restore compose v1 behavior to recreate containers when ran with -V
  * fix linting issues with golangci-lint 1.60.2
  * bump golang to version 1.22.7
  * bump dependencies versions, engine and cli v27.2.1 containerd v1.7.22 buildx
    v0.17.0 buildkit v0.16.0
  * build(deps): bump golang.org/x/sys from 0.22.0 to 0.25.0
  * Fix typos
  * Use logrus instead of direct output to stderr.
  * attach: close streams when done
  * Fix typo in pull.go
  * Allow combination of bind mounts and 'rebuild' watches
  * service hash must exclude depends_on
  * prefer mount API over bind
  * docs: duplicate documentation for root cmd
  * docs(wait): Fix wait command description
  * allow to add empty line in the logs when nav menu activated
  * upgrade docker versions

Update to version 2.29.2:

  * initial sync files that modified after image creation
  * initial sync for root directory
  * Removes redundant condition from toAPIBuildOptions in build.go
  * docs: Update docker compose kill usage
  * Fix stop on file change for sync-restart action
  * bump engine and cli to v27.1.1, buildx to v0.16.1
  * remove all dependabot update PRs for OTel dependencies
  * go.mod: github.com/gofrs/flock v0.12.1
  * go.mod: golang.org/x/sys v0.22.0
  * update to go1.21.12

Update to version 2.29.1:

  * Enhance JSON progress events with more fields.
  * bump compose-go v2.1.5
  * bump github.com/docker/cli v27.1.0
  * bump github.com/docker/docker v27.1.0
  * bump github.com/containerd/containerd v1.7.20
  * gha: add docker 27.1.0
  * fix(containers): fix sorting logic by adding secondary sorting for one-off
    containers

Update to version 2.29.0:

  * update docs generation to avoid man pages generation
  * bump compose-go to v2.1.4, buildx to v0.16.0, containerd to v1.7.19 and
    buildx to v0.15.0
  * restore setEnvWithDotEnv
  * empty env variable with no value must be unset in container
  * exclude unnecessary resources after services have been selected
  * change time for stale bot
  * Remove debug mode and run twice a week
  * Add stale workflow
  * update docs
  * feat(watch): Add --prune option to docker-compose watch command
  * Remove COMPOSE_MENU env from e2e tests
  * Use rawjson for the build backend.
  * Set logging format to JSON.
  * Format errors as JSON when in JSON progress mode.
  * Pass 'plain' instead of 'json' to build backend
  * Add JSON stream progress writer
  * go.mod: docker/cli, docker/docker v27.0.3
  * gha: test against docker v27.0.3
  * go.mod: docker/cli, docker/docker v27.0.2

Update to version 2.28.1:

  * Remove `console.Terminal` check and use `IsTerminal` from `streams.Out`

Update to version 2.28.0:

  * go.mod: github.com/compose-spec/compose-go v2.1.3
  * go.mod: docker/docker and docker/cli v27.0.1-rc.1

Update to version 2.27.3:

  * build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1
  * build(deps): bump github.com/docker/buildx from 0.15.0 to 0.15.1

Update to version 2.27.2:

  * using as flag of the up command, watch was blocking process shutdown. This
    happened when sunsetting the application from docker compose down command
  * Add open watch docs in up menu
  * bump buildkit to v0.14.0 and buildx to v0.15.0
  * stop watch process when associated up process is stopped
  * build(deps): bump github.com/docker/docker
  * build(deps): bump github.com/containerd/containerd from 1.7.17 to 1.7.18
  * build(deps): bump golang.org/x/sys from 0.20.0 to 0.21.0
  * build(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0
  * build: replace uses of archive.CanonicalTarNameForPath
  * update gh actions versions, update engine matrix, bump golang to 1.21.11
  * enforce keyboard.Close is always executed to restore terminal
  * config --environment
  * Readd event
  * remove unreachable code
  * Fix dot env file to define COMPOSE_* variables
  * return an error when --detach and --watch are used together in up command
  * Correct 'cancellation' typo in comment
  * Fix: change append to use slice index in ps.go
  * COMPOSE_PROFILES can be set by .env file
  * prevent concurrent map write relying on project immutability

Update to version 2.27.1:

  * build(deps): bump github.com/containerd/containerd from 1.7.16 to 1.7.17
  * build(deps): bump github.com/docker/buildx from 0.14.0 to 0.14.1
  * drop COMPOSE_EXPERIMENTAL_OTEL as docker/cli has opentelemetry in
  * add gui/composeview as part of available commands
  * fix opentelemetry
  * bump compose-go to version v2.1.1
  * Set endpoint-specific DriverOpts
  * Bump compose-go version to latest main
  * Backport OpenBSD patches
  * add new navigation menu to open Compose app configuration in Docker Desktop
  * build(deps): bump github.com/fsnotify/fsevents from 0.1.1 to 0.2.0
  * build(deps): bump golang.org/x/sys from 0.19.0 to 0.20.0
  * fix --resolve-image-digests
  * allow a local .env file to override compose.yaml sibling .env
  * Bump docker engine and cli to version 26.1.3
  * Bump docker to v26.1.2
  * Add documentation for --menu up option and COMPOSE_MENU environment variable
  * chore(deps): bump docker to v26.1.1 (#11794)

Update to version 2.27.0:

  * fix: overlapping logs and menu navigation (#11765)
  * build(deps): bump github.com/moby/buildkit
  * chore(e2e): fix flaky cascade failure test
  * use v2.26.1 tag for moby and Docker cli
  * chore(deps): update to Moby v26.1 & buildx v0.14
  * bump compose-go version to v2.1.0
  * fix support for --context=foo
  * Fix #11710: Avoid to try to close channel twice after hitting Ctrl-C on
    compose up (#11719)
  * fix(desktop): remove overly-aggressive feature flag check (#11748)
  * chore: fix typo in comment
  * bump dependencies
  * fix: do not try to create file shares for non-directories
  * check container_name is not in use by another service we will create
  * don't clear line when navigation is disabled
  * fix: return correct exit code with `--exit-code-from` (#11715)
  * progress for resource can be restarted after more Working event comes
  * Revert "Stop the resource timer after last expected event"
  * Revert change to allow trying to kill again if a kill fails
  * Handle errors and allow to send multiple kills if one failed
  * Ignore errors when killing on second Ctrl-C
  * docker compose up always kills the containers on second Ctrl-C
  * read COMPOSE_REMOVE_ORPHANS from .env
  * Set Required false to depends_on containers for compose -p stop/down
  * Ignore missing containers when compose stop -p
  * Ignore missing containers when compose down -p
  * Introduce support for build.entitlements
  * Remove dead url reference.
  * e2e test for --all-resources
  * introduce --all-resources to _not_ exclude resources not used by services
  * Introduce --abort-on-container-failure
  * bump golang version to 1.21.9
  * don't use ansi escape sequence when disabled

Update to version 2.26.1:

  * Does not start keyboard manager if there is no tty
  * Change menu information text to dim
  * Handle --no-build and --watch args
  * build(deps): bump github.com/opencontainers/image-spec
  * Unwrap error message.
  * Include error message in pull warning/errors

Update to version 2.26.0:

  * chore(desktop): revised feature detection for file shares
  * Add Navigation Menu to compose up
  * Add support for volume Subpath option
  * Bump docker v26.0.0
  * introduce config --variables to list compose model variables
  * Fix docs on default build image name
  * Bump compose-go to v2.0.2
  * add support for annotations
  * Revert "Bump compose-go to v2.0.1"
  * Bump compose-go to v2.0.1
  * feat(desktop): synchronized file share integration (#11614)
  * feat(experiments): add experimental feature state (#11633)
  * reduce timeout of the Otel tracing command
  * fix `compose config --format json`

Update to version 2.25.0:

  * Bump compose-go v2.0.0
  * services shell completion bugfix
  * fix TestBuildPlatformsWithCorrectBuildxConfig
  * only use ToModel when --no-interpolate is set
  * feat(desktop): add Docker Desktop detection and client skeleton (#11593)

Update to version 2.24.7:

  * chore(deps): upgrade go to 1.21.8 (#11578)
  * ci(deps): bump moby/moby & docker/cli to v25.0.4 (#11566)
  * Add test summary for test jobs in ci
  * make code simpler
  * avoid duplicated "xx exited with code 0" message
  * introduce --watch
  * move code into small functions for better readability
  * restore support for `config --no-interpolate`
  * remove docker cli step in ci.yml
  * get log to manage `attach`
  * bump compose-go to version v2.0.0-rc.8
  * use a dedicated compose file --quiet-pull e2e test
  * Add a fallback check of Watch pid on Windows. False positives were detected
    when checking the previous watch process state
  * add support of QuietOption to create command
  * pass QuietOption when starting dependencies from run command
  * when ran with ANSI disabled, force progress=plain
  * Issue-11374: Modified compose up command to respect COMPOSE_REMOVE_ORPHANS
    environment variable
  * ci: bump engine version to `25.0.3`
  * sort containers to optimize scale down
  * discard stdout for laaarge log test

Update to version 2.24.6:

  * use listeners to collect include metrics
  * docs: update cli reference link
  * docs: unify no trailing dots in docstrings and help (#11301)
  * Use listener for file metadata
  * fix deadlock collecting large logs
  * chore(watch): remove old `docker cp` implementation
  * ci(deps): bump docker/cli to v25.0.3 (#11481)
  * pass All option to backend api.Service when length statuses is not equal to
    zero
  * Add OTEL specs: build, depends_on, capabilities (gpu/tpu)
  * build(deps): bump github.com/opencontainers/image-spec
  * feat(tracing): add project hash attr
  * chore(load): ensure context passed to load
  * Include all networks in ContainerCreate call if API >= 1.44
  * bump compose-go to v2.0.0-rc.4
  * CI: docker engine version matrix
  * build(deps): bump github.com/docker/cli
  * Fix load .env from project directory when project file is set by
    COMPOSE_FILE

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-348=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * docker-compose-2.33.1-1.1
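The following script is an added verification helper and is not part of the SUSE advisory or the docker-compose project. After running the `zypper` command from the Patch Instructions, it checks whether the installed docker-compose package is at or above the fixed build `2.33.1-1.1` from the Package List, reporting "ok", "vulnerable" or "missing". It assumes an RPM-based host with `rpm` and GNU `sort -V` available; version ordering via `sort -V` is an approximation of RPM's own comparison, which `rpmdev-vercmp` or `zypper` would perform exactly.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: verify that the docker-compose
# package on a SUSE Linux Micro 6.0 host carries the CVE-2023-47108 fix by
# comparing the installed VERSION-RELEASE against the advisory's fixed build.
# Assumption: GNU `sort -V` approximates RPM version ordering well enough here.

FIXED_VERSION="2.33.1-1.1"           # VERSION-RELEASE from the advisory's Package List
PATCH_NAME="SUSE-SLE-Micro-6.0-348"   # patch id from the advisory's Patch Instructions

# version_ge A B: succeed when A >= B in version-sort order
version_ge() {
    lowest="$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)"
    [ "$lowest" = "$2" ]
}

# installed_version: print VERSION-RELEASE of docker-compose, or nothing if absent
installed_version() {
    rpm -q docker-compose >/dev/null 2>&1 || return 0   # not installed (or no rpm): print nothing
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' docker-compose
}

# classify VER: print "ok", "vulnerable" or "missing" and return 0, 1 or 2
classify() {
    if [ -z "$1" ]; then
        echo "missing"; return 2
    fi
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "ok"; return 0
    fi
    echo "vulnerable"; return 1
}

# check_docker_compose: human-readable report; exit status 0 only when the fix is present
check_docker_compose() {
    ver="$(installed_version)"
    state="$(classify "$ver")"
    case "$state" in
        ok)         echo "docker-compose $ver >= $FIXED_VERSION: CVE-2023-47108 fix present" ;;
        vulnerable) echo "docker-compose $ver < $FIXED_VERSION: run 'zypper in -t patch $PATCH_NAME=1'" ;;
        missing)    echo "docker-compose is not installed on this host" ;;
    esac
    [ "$state" = "ok" ]
}

# Run the check only when invoked as `sh check-compose.sh --check`, so the file
# can also be sourced for its functions without side effects.
if [ "${1:-}" = "--check" ]; then
    check_docker_compose
fi
```

The exit status of `check_docker_compose` (0 fixed, 1 vulnerable, 2 missing) is meant for use from a fleet-wide compliance job, where the printed line is a convenience and the status is what gets aggregated.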

## References:

  * https://www.suse.com/security/cve/CVE-2023-47108.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1217070
