Skip to content

fix(deps): Update module github.com/docker/docker to v28.3.3+incompatible [SECURITY] #528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kodiakhq merged 1 commit into from
Jul 30, 2025
Merged

fix(deps): Update module github.com/docker/docker to v28.3.3+incompatible [SECURITY] #528

kodiakhq merged 1 commit into from
Jul 30, 2025

Conversation

@cq-bot
Copy link
Contributor

@cq-bot cq-bot commented Jul 30, 2025

This PR contains the following updates:

Package Type Update Change
github.com/docker/docker require patch v28.3.2+incompatible -> v28.3.3+incompatible

GitHub Vulnerability Alerts

CVE-2025-54388

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that prevent packets arriving on a host interface from reaching container addresses are not re-created.

Once these rules have been removed, a remote host configured with a route to a Docker bridge network can access published ports, even when those ports were only published to a loopback address. Unpublished ports remain inaccessible.

For example, following a firewalld reload on a Docker host with address 192.168.0.10 and a bridge network with subnet 172.17.0.0/16, running the following command on another host in the local network will give it access to published ports on container addresses in that network: ip route add 172.17.0.0/16 via 192.168.0.10.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.

Patches

Moby releases older than 28.2.0 are not affected. A fix is available in moby release 28.3.3.

Workarounds

After reloading firewalld, either:

  • Restart the docker daemon,
  • Re-create bridge networks, or
  • Use rootless mode.

References

https://firewalld.org/
https://firewalld.org/documentation/howto/reload-firewalld.html

Release Notes

docker/docker (github.com/docker/docker)

v28.3.3+incompatible

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot added automerge Add to automerge PRs once requirements are met security labels Jul 30, 2025
@github-actions github-actions bot added the fix label Jul 30, 2025
@kodiakhq kodiakhq bot merged commit bcf436e into main Jul 30, 2025
11 checks passed
@kodiakhq kodiakhq bot deleted the renovate/go-github.com-docker-docker-vulnerability branch July 30, 2025 15:49
@cq-bot cq-bot mentioned this pull request Jul 30, 2025
Merged
kodiakhq bot pushed a commit that referenced this pull request Jul 30, 2025
@cq-bot
chore(main): Release v1.26.18 (#527)
9df3d95 
🤖 I have created a release *beep* *boop*
---


## [1.26.18](v1.26.17...v1.26.18) (2025-07-30)


### Bug Fixes

* **deps:** Update module github.com/docker/docker to v28.3.3+incompatible [SECURITY] ([#528](#528)) ([bcf436e](bcf436e))
* Use Docker SDK to configure  port binding ([#526](#526)) ([63023a1](63023a1))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erezrokah erezrokah erezrokah approved these changes

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

automerge Add to automerge PRs once requirements are met fix security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cq-bot @erezrokah