Skip to content

Update module github.com/docker/docker to v25.0.13+incompatible [SECURITY] - autoclosed #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
renovate wants to merge 1 commit into from
Closed

Update module github.com/docker/docker to v25.0.13+incompatible [SECURITY] - autoclosed #199

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 30, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/docker/docker v25.0.6+incompatiblev25.0.13+incompatible age confidence

Moby firewalld reload removes bridge network isolation

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.

Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.

Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

Workarounds

After reloading firewalld, either:

  • Restart the docker daemon,
  • Re-create bridge networks, or
  • Use rootless mode.
References

https://firewalld.org/
https://firewalld.org/documentation/howto/reload-firewalld.html

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Moby firewalld reload removes bridge network isolation in github.com/docker/docker

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby firewalld reload removes bridge network isolation in github.com/docker/docker

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

docker/docker (github.com/docker/docker)

v25.0.13+incompatible

Compare Source

v25.0.12+incompatible

Compare Source

v25.0.11+incompatible

Compare Source

v25.0.10+incompatible

Compare Source

v25.0.9+incompatible

Compare Source

v25.0.8+incompatible

Compare Source

v25.0.7+incompatible

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from proelbtn July 30, 2025 12:27
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch from f33ad85 to 20e46de Compare August 15, 2025 06:10
@renovate renovate bot changed the title Update module github.com/docker/docker to v26 [SECURITY] Update module github.com/docker/docker to v28 [SECURITY] Aug 15, 2025
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Sep 30, 2025
@renovate renovate bot closed this Sep 30, 2025
@renovate renovate bot deleted the renovate/go-github.com-docker-docker-vulnerability branch September 30, 2025 14:42
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Update module github.com/docker/docker to v28 [SECURITY] Sep 30, 2025
@renovate renovate bot reopened this Sep 30, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch from 97dd220 to 20e46de Compare September 30, 2025 17:50
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Oct 27, 2025
@renovate renovate bot closed this Oct 27, 2025
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Update module github.com/docker/docker to v28 [SECURITY] Oct 27, 2025
@renovate renovate bot reopened this Oct 27, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch 2 times, most recently from 20e46de to b03bef8 Compare October 27, 2025 06:49
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Dec 4, 2025
@renovate renovate bot closed this Dec 4, 2025
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] - autoclosed Update module github.com/docker/docker to v28 [SECURITY] Dec 4, 2025
@renovate renovate bot reopened this Dec 4, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch 2 times, most recently from b03bef8 to 476d287 Compare December 4, 2025 20:26
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch from 476d287 to 6f86a41 Compare December 15, 2025 16:45
@renovate renovate bot force-pushed the renovate/go-github.com-docker-docker-vulnerability branch from 6f86a41 to e0ad514 Compare December 17, 2025 05:37
@renovate renovate bot changed the title Update module github.com/docker/docker to v28 [SECURITY] Update module github.com/docker/docker to v25.0.13+incompatible [SECURITY] Dec 17, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Dec 17, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go mod tidy
go: downloading github.com/stretchr/testify v1.8.4
go: downloading gotest.tools/v3 v3.5.1
go: downloading go.uber.org/goleak v1.2.1
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
go: downloading go.opentelemetry.io/otel/sdk v1.10.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/morikuni/aec v1.0.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.10.0
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading github.com/stretchr/objx v0.5.0
go: finding module for package github.com/containerd/log
go: downloading github.com/containerd/log v0.1.0
go: finding module for package go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go: downloading go.opentelemetry.io/otel v1.39.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0
go: downloading go.opentelemetry.io v0.1.0
go: downloading go.opentelemetry.io/otel/exporters/otlp v0.20.1
go: finding module for package go.opentelemetry.io/otel/semconv/v1.21.0
go: found github.com/containerd/log in github.com/containerd/log v0.1.0
go: found go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0
go: found go.opentelemetry.io/otel/semconv/v1.21.0 in go.opentelemetry.io/otel v1.39.0
go: downloading golang.org/x/crypto v0.44.0
go: downloading golang.org/x/sys v0.39.0
go: downloading golang.org/x/term v0.37.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/stretchr/testify v1.11.1
go: downloading golang.org/x/net v0.47.0
go: downloading go.opentelemetry.io/otel/trace v1.39.0
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading google.golang.org/protobuf v1.36.10
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/otel/metric v1.39.0
go: downloading go.opentelemetry.io/otel/sdk v1.39.0
go: downloading golang.org/x/sync v0.18.0
go: downloading golang.org/x/text v0.31.0
go: downloading golang.org/x/tools v0.38.0
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading go.opentelemetry.io/proto/otlp v1.9.0
go: downloading go.opentelemetry.io/auto/sdk v1.2.1
go: downloading google.golang.org/grpc v1.77.0
go: downloading github.com/cenkalti/backoff/v5 v5.0.3
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3
go: downloading github.com/grpc-ecosystem/grpc-gateway v1.16.0
go: downloading golang.org/x/mod v0.29.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217
go: downloading google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217
go: downloading go.uber.org/goleak v1.3.0
go: downloading github.com/rogpeppe/go-internal v1.14.1
go: finding module for package go.opentelemetry.io/otel/metric/global
go: finding module for package go.opentelemetry.io/otel/metric/instrument/syncfloat64
go: finding module for package go.opentelemetry.io/otel/metric/instrument/syncint64
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/global: module go.opentelemetry.io/otel/metric@latest found (v1.39.0), but does not contain package go.opentelemetry.io/otel/metric/global
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/instrument/syncfloat64: module go.opentelemetry.io/otel/metric@latest found (v1.39.0), but does not contain package go.opentelemetry.io/otel/metric/instrument/syncfloat64
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/instrument/syncint64: module go.opentelemetry.io/otel/metric@latest found (v1.39.0), but does not contain package go.opentelemetry.io/otel/metric/instrument/syncint64

proelbtn added a commit that referenced this pull request Jan 12, 2026
@proelbtn
Update module github.com/docker/docker to v25.0.13+incompatible
3279c61 
#199
@renovate renovate bot changed the title Update module github.com/docker/docker to v25.0.13+incompatible [SECURITY] Update module github.com/docker/docker to v25.0.13+incompatible [SECURITY] - autoclosed Jan 12, 2026
@renovate renovate bot closed this Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@proelbtn proelbtn proelbtn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@proelbtn