[ubuntu/resolute-security] docker.io-app 29.1.3-0ubuntu4.1 (Accepted)
Edwin Jiang
edwin.jiang at canonical.com
Tue May 5 13:19:09 UTC 2026
docker.io-app (29.1.3-0ubuntu4.1) resolute-security; urgency=medium

  * SECURITY UPDATE: BuildKit path traversal
    - debian/patches/CVE-2026-33747_1.patch: Validate container IDs centrally
      in engine/vendor/.../buildkit/executor/containerdexecutor/executor.go,
      engine/vendor/.../buildkit/executor/containerid.go,
      engine/vendor/.../buildkit/executor/runcexecutor/executor.go.
    - debian/patches/CVE-2026-33747_2.patch: Sanitize downloaded filenames in
      engine/vendor/.../buildkit/source/http/source.go.
    - debian/patches/CVE-2026-33747_3.patch: Use os.Root for saved file
      operations in engine/vendor/.../buildkit/source/http/source.go.
    - CVE-2026-33747
  * SECURITY UPDATE: BuildKit path traversal
    - debian/patches/CVE-2026-33748_1.patch: Harden ref arg handling in
      engine/vendor/.../buildkit/source/git/source.go.
    - debian/patches/CVE-2026-33748_2.patch: Normalize and validate subdir
      paths in engine/vendor/.../buildkit/client/llb/source.go,
      engine/vendor/.../buildkit/source/git/identifier.go,
      engine/vendor/.../buildkit/source/git/source.go,
      engine/vendor/.../buildkit/util/gitutil/git_url.go.
    - CVE-2026-33748

Date: 2026-04-30 01:15:22.441313+00:00
Changed-By: Edwin Jiang <edwin.jiang at canonical.com>
https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu4.1