Skip to content

chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) #738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
redhat-renovate-bot wants to merge 1 commit into from
Closed

chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) #738

redhat-renovate-bot wants to merge 1 commit into from

Conversation

@redhat-renovate-bot
Copy link
Collaborator

@redhat-renovate-bot redhat-renovate-bot commented Jul 30, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/docker/docker indirect major v25.0.6+incompatible -> v28.0.0+incompatible

Moby firewalld reload removes bridge network isolation

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.

Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.

Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

Workarounds

After reloading firewalld, either:

  • Restart the docker daemon,
  • Re-create bridge networks, or
  • Use rootless mode.
References

https://firewalld.org/
https://firewalld.org/documentation/howto/reload-firewalld.html

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Moby firewalld reload removes bridge network isolation in github.com/docker/docker

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby firewalld reload removes bridge network isolation in github.com/docker/docker

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

docker/docker (github.com/docker/docker)

v28.0.0+incompatible

Compare Source

v27.5.1+incompatible

Compare Source

v27.5.0+incompatible

Compare Source

v27.4.1+incompatible

Compare Source

v27.4.0+incompatible

Compare Source

v27.3.1+incompatible

Compare Source

v27.3.0+incompatible

Compare Source

v27.2.1+incompatible

Compare Source

v27.2.0+incompatible

Compare Source

v27.1.2+incompatible

Compare Source

v27.1.1+incompatible

Compare Source

v27.1.0+incompatible

Compare Source

v27.0.3+incompatible

Compare Source

v27.0.2+incompatible

Compare Source

v26.1.5+incompatible

Compare Source

v26.1.4+incompatible

Compare Source

v26.1.3+incompatible

Compare Source

v26.1.2+incompatible

Compare Source

v26.1.1+incompatible

Compare Source

v26.1.0+incompatible

Compare Source

v26.0.2+incompatible

Compare Source

v26.0.1+incompatible

Compare Source

v26.0.0+incompatible

Compare Source

v25.0.12+incompatible

Compare Source

v25.0.11+incompatible

Compare Source

v25.0.10+incompatible

Compare Source

v25.0.9+incompatible

Compare Source

v25.0.8+incompatible

Compare Source

v25.0.7+incompatible

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Jul 30, 2025
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/M labels Jul 30, 2025
@kubevirt-bot kubevirt-bot requested review from 0xFelix and ksimon1 July 30, 2025 06:12
@kubevirt-bot
Copy link
Contributor

kubevirt-bot commented Jul 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested a review from codingben July 30, 2025 06:12
@openshift-ci
Copy link

openshift-ci bot commented Jul 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-renovate-bot
Once this PR has been reviewed and has the lgtm label, please assign ksimon1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/release-v0.16-go-github.com-docker-docker-vulnerability branch from da7c457 to 7d947aa Compare August 15, 2025 06:12
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/docker/docker to v26 [security] (release-v0.16) chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) Aug 15, 2025
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) - autoclosed Aug 20, 2025
@redhat-renovate-bot redhat-renovate-bot deleted the renovate/release-v0.16-go-github.com-docker-docker-vulnerability branch August 20, 2025 22:03
@redhat-renovate-bot redhat-renovate-bot changed the title chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) - autoclosed chore(deps): update module github.com/docker/docker to v28 [security] (release-v0.16) Aug 20, 2025
@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/release-v0.16-go-github.com-docker-docker-vulnerability branch from 9cf37b9 to 7d947aa Compare August 20, 2025 23:12
@openshift-ci
Copy link

openshift-ci bot commented Aug 21, 2025

@redhat-renovate-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-tests 7d947aa link true /test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ksimon1 ksimon1 closed this Aug 28, 2025
@redhat-renovate-bot
Copy link
Collaborator Author

redhat-renovate-bot commented Aug 28, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 28.x releases. But if you manually upgrade to 28.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xFelix 0xFelix Awaiting requested review from 0xFelix

@ksimon1 ksimon1 Awaiting requested review from ksimon1

@codingben codingben Awaiting requested review from codingben

Assignees

No one assigned

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note. size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@redhat-renovate-bot @kubevirt-bot @ksimon1