File docker-stable.changes of Package docker-stable
-------------------------------------------------------------------
Thu Apr 10 03:18:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
-------------------------------------------------------------------
Thu Apr 10 03:09:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
-------------------------------------------------------------------
Wed Mar 26 02:36:16 UTC 2025 - Aleksa Sarai <asarai@suse.com>
- Don't use the new container-selinux conditional requires on SLE-12, as the
RPM version there doesn't support it. Arguably the change itself is a bit
suspect but we can fix that later. bsc#1237367
-------------------------------------------------------------------
Tue Mar 25 01:11:54 UTC 2025 - Aleksa Sarai <asarai@suse.com>
- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
+ 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
+ 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
* 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
- Move test-related patch to the end of the patch stack:
- 0011-TESTS-backport-fixes-for-integration-tests.patch
+ 0013-TESTS-backport-fixes-for-integration-tests.patch
-------------------------------------------------------------------
Thu Mar 20 16:09:49 UTC 2025 - Fabian Vogt <fvogt@suse.com>
- Make container-selinux requirement conditional on selinux-policy
(bsc#1237367)
-------------------------------------------------------------------
Wed Dec 18 05:53:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add backport for CVE-2024-29018 fix. bsc#1234089
+ 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
- Add backport for CVE-2024-23650 fix and rename patch filename. bsc#1219437
- 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
+ 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
- Reorder and rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
- 0010-TESTS-backport-fixes-for-integration-tests.patch
+ 0011-TESTS-backport-fixes-for-integration-tests.patch
-------------------------------------------------------------------
Tue Dec 17 13:20:39 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to docker-buildx 0.19.3. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.3>
-------------------------------------------------------------------
Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update docker-buildx to v0.19.2. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
Some notable changelogs from the last update:
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.
-------------------------------------------------------------------
Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
disable the SUSEConnect integration with Docker (which creates special mounts
in /run/secrets to allow container-suseconnect to authenticate containers
with registries on registered hosts). bsc#1231348 bsc#1232999
In order to disable these mounts, just do
echo 0 > /etc/docker/suse-secrets-enable
and restart Docker. In order to re-enable them, just do
echo 1 > /etc/docker/suse-secrets-enable
and restart Docker. Docker will output information on startup to tell you
whether the SUSE secrets feature is enabled or not.
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Disable docker-buildx builds for SLES. It turns out that build containers
with docker-buildx don't currently get the SUSE secrets mounts applied,
meaning that container-suseconnect doesn't work when building images.
bsc#1233819
-------------------------------------------------------------------
Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Add docker-integration-tests-devel subpackage for building and running the
upstream Docker integration tests on machines to test that Docker works
properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
tests package, since it contains a bunch of stuff that wouldn't normally be
allowed.
- Rebased patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
- Added patches:
+ 0010-TESTS-backport-fixes-for-integration-tests.patch
-------------------------------------------------------------------
Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from
sysconfig a long time ago, and apparently this causes issues with systemd in
some cases.
- Update --add-runtime to point to correct binary path.
-------------------------------------------------------------------
Wed Oct 16 22:24:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Further merge docker and docker-stable specfiles to minimise the differences.
The main thing is that we now include both halves of the
Conflicts/Provides/Obsoletes dance in both specfiles.
-------------------------------------------------------------------
Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we
are replacing. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.17.1>
-------------------------------------------------------------------
Sat Sep 7 13:10:30 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Import specfile changes for docker-buildx as well as the changes to help
reduce specfile differences between docker-stable and docker. bsc#1230331
bsc#1230333
-------------------------------------------------------------------
Wed Aug 14 03:21:00 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Backport patch for CVE-2024-41110. bsc#1228324
+ 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
-------------------------------------------------------------------
Wed Jun 16 04:18:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Initial docker-stable release, forked from Docker 24.0.6-ce release
(packaged on 2023-10-11).
- Update to Docker 24.0.9-ce, which is the latest version of the 24.0.x branch.
It seems likely this will be the last upstream version of the 24.0.x branch
(it seems Mirantis is going to do LTS for 23.0.x, not 24.0.x).
<https://docs.docker.com/engine/release-notes/24.0/#2409>
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
+ 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
future Docker starts failing due to empty files. Backport of
<https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
