SUSE alert SUSE-SU-2025:20510-1 (docker)

From:
             
 
SLE-SECURITY-UPDATES <null@suse.de>
To:
             
 
sle-security-updates@lists.suse.com
Subject:
             
 
SUSE-SU-2025:20510-1: moderate: Security update for docker
Date:
             
 
Mon, 04 Aug 2025 08:33:49 -0000
Message-ID:
             
 
<175429642940.25540.9232820828350551071@smelt2.prg2.suse.org>


# Security update for docker

Announcement ID: SUSE-SU-2025:20510-1  
Release Date: 2025-07-28T14:32:31Z  
Rating: moderate  
References:

  * bsc#1240150
  * bsc#1241830
  * bsc#1242114
  * bsc#1243833
  * bsc#1244035
  * bsc#1246556

  
Cross-References:

  * CVE-2025-22872

  
CVSS scores:

  * CVE-2025-22872 ( SUSE ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
  * CVE-2025-22872 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
  * CVE-2025-22872 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves one vulnerability and has five fixes can now be installed.

## Description:

This update for docker fixes the following issues:

  * Update to Go 1.24 for builds, to match upstream.

  * Update to Docker 28.3.2-ce. See upstream changelog online at
    <https://docs.docker.com/engine/release-notes/28/#2832>

  * Update to Docker 28.3.1-ce. See upstream changelog online at
    <https://docs.docker.com/engine/release-notes/28/#2831>

  * Update to Docker 28.3.0-ce. See upstream changelog online at
    <https://docs.docker.com/engine/release-notes/28/#2830> bsc#1246556

  * Update to docker-buildx v0.25.0. Upstream changelog:
    <https://github.com/docker/buildx/releases/tag/v0.25.0>

  * CVE-2025-22872: golang.org/x/net/html: Fixed incorrectly interpreted tags
    causing content to be placed wrong scope during DOM construction
    (bsc#1241830)

  * Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
    Docker does not have permission to access the host zypper credentials in
    this mode (and unprivileged users cannot disable the feature using
    /etc/docker/suse-secrets-enable.) bsc#1240150

  * Always clear SUSEConnect suse_* secrets when starting containers regardless
    of whether the daemon was built with SUSEConnect support. Not doing this
    causes containers from SUSEConnect-enabled daemons to fail to start when
    running with SUSEConnect-disabled (i.e. upstream) daemons.

This was a long-standing issue with our secrets support but until recently this
would've required migrating from SLE packages to openSUSE packages (which wasn't
supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built
SUSEConnect support, this is now a practical issue users will run into.
bsc#1244035

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-398=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * docker-debuginfo-28.3.2_ce-5.1
    * docker-buildx-debuginfo-0.25.0-5.1
    * docker-28.3.2_ce-5.1
    * docker-buildx-0.25.0-5.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-22872.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1240150
  * https://bugzilla.suse.com/show_bug.cgi?id=1241830
  * https://bugzilla.suse.com/show_bug.cgi?id=1242114
  * https://bugzilla.suse.com/show_bug.cgi?id=1243833
  * https://bugzilla.suse.com/show_bug.cgi?id=1244035
  * https://bugzilla.suse.com/show_bug.cgi?id=1246556



Attachment: None (type=text/html)
(HTML attachment elided)