openSUSE has issued an advisory on December 19: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NQV4EZSYKG44SJCC2XH72E7WLVFELCEO/
Source RPM: (none) => docker-24.0.5-5.mga10.src.rpm, docker-24.0.5-4.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-29018
The SUSE ref says "security issues fixed in the docker-27.4.1_ce-12.1 package on the GA media of openSUSE Tumbleweed", so there is a fix. Another link says "Patchnames: openSUSE-Tumbleweed-2024-14597 openSUSE-Tumbleweed-2024-14598" and the Mitre page has these links:
https://github.com/moby/moby/pull/46609
https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
https://nvd.nist.gov/vuln/detail/CVE-2024-29018 looks like a useful page, including: "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, ..."
Assigning to Bruno, believing you are still with us; you are the principal maintainer of docker.
Assignee: bugsquad => bruno
Status: NEW => ASSIGNED
From this link https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx it doesn't seem that mga9 is affected, as version 24 is NOT mentioned. The latest 24 version doesn't mention that CVE either, see https://github.com/moby/moby/releases/tag/v24.0.9
But that latest 24.0.9 version also doesn't fix other CVEs:
CVE-2024-23651
CVE-2024-23652
CVE-2024-23653
CVE-2024-23650
So I think it would be wise to update mga9 to 25.latest and cauldron to 27.latest. Will work on that if that's ok for you, Nicolas and Lewis.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=34353
Is this ready for QA? It is recommended to rebuild with the new golang 1.24.4. If you are busy, just let me know if I can proceed.
CC: (none) => j.alberto.vc
wrt mga9, there is no need to rebuild as this CVE doesn't seem to apply. Didn't get feedback from Lewis nor Nicolas, so I think it's not useful to do it. On cauldron, Docker could be updated to the latest versions, but the SPEC file sent is so heavily modified that I need time to look at it.
It doesn't help much that from 23.0.18 the releases jump to 25.0.9 https://github.com/moby/moby/releases
But https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx says >= 23.0.11 have this issue fixed.
I found where the syntax file for nano is, so I'll add it again. I don't know if the logrotate part still applies, so I leave that part to you. I'll send the fixed spec to the list.
About the CVE, I'll make an advisory just to let our users know that this CVE is already fixed.
@Dan I assign this to you because it is another special case where the package that fixes the CVE is already released.
Assignee: bruno => dan
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
Version: Cauldron => 9
Looks like docker was updated to docker-24.0.5-4.mga9 in bug 31733 back in 2023. It appears that the previous docker version was 20.10.22.

The vulnerable version range listed in GHSA-mq39-4gv4-mvpx is, unfortunately, ambiguous. It lists vulnerable and non-vulnerable versions in the 23.X, 25.X and 26.X branches, but nothing for the 24.X branch, which is the one we have. That could mean either that 24.X is not affected (seems unlikely given that the ones before AND after are affected) or rather that 24.X is not supported, so no statement on the vulnerability of that version is being made. https://endoflife.date/docker-engine states that 24.X has been out of support for a year (since 08 Jun 2024), so I suspect the latter interpretation is true. I believe "Patched versions: >= 23.0.11" refers only to versions on the 23.X branch.

If that's the case, then we can't assume that our version (24.0.5) is safe, either from CVE-2024-29018 or any subsequent one. In fact, there could be many more vulnerabilities in our version, but nobody else cares (or knows) because that version is no longer being supported. For that reason, I think we need to update to 25.X (as suggested in comment 2), which is still getting security updates, rather than searching out and back-porting patches for CVE-2024-29018 and all subsequent vulnerabilities.
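The ambiguity described in this comment (24.0.5 numerically satisfies ">= 23.0.11", yet the advisory says nothing about the 24.x branch) can be made mechanical. The script below is an added example, not part of the bug report or of any Mageia tooling; the 25.x and 26.x range bounds in it are constructed placeholders with the shape the comment describes, not values taken from GHSA-mq39-4gv4-mvpx.

```python
"""Compare a flat reading of advisory version ranges with a branch-aware one.

Added example for this bug thread. Only the "< 23.0.11 vulnerable / >= 23.0.11
patched" statement comes from the thread; the 25.x and 26.x bounds are
PLACEHOLDERS constructed for the example and must be replaced with the
advisory's real numbers before any use.
"""


def parse_version(text):
    """'25.0.7-1.mga9' -> (25, 0, 7); the RPM release suffix is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


# Half-open vulnerable ranges [low, high); `high` is the first patched version
# on that branch, so high[0] is the major version the statement is about.
VULNERABLE_RANGES = [
    ((0, 0, 0), (23, 0, 11)),   # from the thread: "< 23.0.11" vulnerable
    ((25, 0, 0), (25, 0, 1)),   # PLACEHOLDER bounds, constructed
    ((26, 0, 0), (26, 0, 1)),   # PLACEHOLDER bounds, constructed
]


def naive_assessment(version_text, ranges=VULNERABLE_RANGES):
    """Flat reading: anything outside every vulnerable range is 'patched'.

    This is the reading that would wrongly mark 24.0.5 as safe.
    """
    v = parse_version(version_text)
    return "vulnerable" if any(lo <= v < hi for lo, hi in ranges) else "patched"


def branch_aware_assessment(version_text, ranges=VULNERABLE_RANGES):
    """'patched' only when the advisory actually covers the version's branch."""
    v = parse_version(version_text)
    if any(lo <= v < hi for lo, hi in ranges):
        return "vulnerable"
    covered_branches = {hi[0] for _, hi in ranges}
    if v[0] in covered_branches:
        return "patched"
    # The advisory never mentions this branch (e.g. 24.x): that is an absence
    # of a statement, not a statement of safety.
    return "no statement: branch not covered by the advisory"


if __name__ == "__main__":
    for pkg in ("20.10.22", "24.0.5-4.mga9", "25.0.7-1.mga9"):
        print(pkg, "naive:", naive_assessment(pkg),
              "| branch-aware:", branch_aware_assessment(pkg))
```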
Assignee: dan => qa-bugs
Source RPM: docker-24.0.5-5.mga10.src.rpm, docker-24.0.5-4.mga9.src.rpm => docker-24.0.5-5.mga10, docker-24.0.5-4.mga9
RPMS:
docker-25.0.7-1.mga9
docker-devel-25.0.7-1.mga9
docker-fish-completion-25.0.7-1.mga9
docker-logrotate-25.0.7-1.mga9
docker-nano-25.0.7-1.mga9
docker-zsh-completion-25.0.7-1.mga9

SRPM:
docker-25.0.7-1.mga9
RH x86_64

LC_ALL=C urpmi docker docker-logrotate
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  docker                         25.0.7       1.mga9        x86_64
  docker-logrotate               25.0.7       1.mga9        x86_64
(medium "Core Release")
  cgroup                         0.41         5.mga9        x86_64
  lib64cgroup1                   0.41         5.mga9        x86_64
(medium "Core Updates")
  docker-containerd              1.7.27       1.mga9        x86_64
  opencontainers-runc            1.1.14       1.mga9        x86_64
289MB of additional disk space will be used.
81MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/cgroup-0.41-5.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64cgroup1-0.41-5.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/docker-containerd-1.7.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/opencontainers-runc-1.1.14-1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/cgroup-0.41-5.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/docker-25.0.7-1.mga9.x86_64.rpm //home/katnatek/qa-testing/x86_64/docker-logrotate-25.0.7-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/docker-containerd-1.7.27-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64cgroup1-0.41-5.mga9.x86_64.rpm /var/cache/urpmi/rpms/opencontainers-runc-1.1.14-1.mga9.x86_64.rpm
Preparing...                     ##################################################################################################
      1/6: lib64cgroup1          ##################################################################################################
      2/6: cgroup                ##################################################################################################
      3/6: opencontainers-runc   ##################################################################################################
      4/6: docker-containerd     ##################################################################################################
      5/6: docker                ##################################################################################################
      6/6: docker-logrotate      ##################################################################################################
----------------------------------------------------------------------
More information on package docker-25.0.7-1.mga9.x86_64
docker is managing its own iptables rules and can work with shorewall.
You may look at this post for examples of configuration
https://gist.github.com/lukasnellen/20761a20286f32efc396e207d986295d
Remember to re-start shorewall first and docker afterwards when you make
modifications to your firewall setup.
----------------------------------------------------------------------

systemctl start docker.service
systemctl status docker.service
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-06-10 12:19:36 CST; 50s ago
       Docs: http://docs.docker.com
    Process: 103619 ExecStartPre=/usr/sbin/docker-network-cleanup (code=exited, status=0/SUCCESS)
   Main PID: 103622 (dockerd)
      Tasks: 21
     Memory: 72.5M
        CPU: 751ms
     CGroup: /system.slice/docker.service
             ├─103622 /usr/sbin/dockerd --data-root /var/cache/docker -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375
             └─103634 containerd --config /var/run/docker/containerd/containerd.toml

jun 10 12:19:33 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:33.003897715-06:00" level=info msg="[graphdriver] using prior >
jun 10 12:19:33 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:33.748766901-06:00" level=info msg="Loading containers: start."
jun 10 12:19:34 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:34.921243916-06:00" level=info msg="Default bridge (docker0) i>
jun 10 12:19:35 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:35.063856419-06:00" level=info msg="Loading containers: done."
jun 10 12:19:35 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:35.579659261-06:00" level=warning msg="WARNING: API is accessi>
jun 10 12:19:35 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:35.579722083-06:00" level=info msg="Docker daemon" commit=libr>
jun 10 12:19:35 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:35.593068983-06:00" level=info msg="Daemon has completed initi>
jun 10 12:19:36 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:36.936617694-06:00" level=info msg="API listen on /var/run/doc>
jun 10 12:19:36 jgrey.phoenix dockerd[103622]: time="2025-06-10T12:19:36.936656266-06:00" level=info msg="API listen on 127.0.0.1:23>
jun 10 12:19:36 jgrey.phoenix systemd[1]: Started docker.service.

docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution.
See 'docker run --help'.

Lost connection :S, after stopping docker and restarting the network,

LC_ALL=C urpmi docker-devel
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  docker-devel                   25.0.7       1.mga9        x86_64
(medium "Core Updates")
  golang                         1.24.4       1.mga9        x86_64
  golang-bin                     1.24.4       1.mga9        x86_64
  golang-src                     1.24.4       1.mga9        noarch
225MB of additional disk space will be used.
45MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/golang-bin-1.24.4-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/golang-1.24.4-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/golang-src-1.24.4-1.mga9.noarch.rpm
installing /var/cache/urpmi/rpms/golang-src-1.24.4-1.mga9.noarch.rpm //home/katnatek/qa-testing/x86_64/docker-devel-25.0.7-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/golang-1.24.4-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/golang-bin-1.24.4-1.mga9.x86_64.rpm
Preparing...                     ##################################################################################################
      1/4: golang-src            ##################################################################################################
      2/4: golang-bin            ##################################################################################################
      3/4: golang                ##################################################################################################
      4/4: docker-devel          ##################################################################################################

stop firewall to test, & restart docker

docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
d9d352c11bbd: Pull complete
Digest: sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f
Status: Downloaded newer image for ubuntu:latest
root@e1639b8fb794:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@e1639b8fb794:/# exit
exit

docker ps -a
CONTAINER ID   IMAGE          COMMAND                  CREATED              STATUS                      PORTS     NAMES
e1639b8fb794   ubuntu         "bash"                   About a minute ago   Exited (0) 29 seconds ago             cool_swartz
95cb39132cab   hello-world    "/hello"                 16 minutes ago       Exited (0) 16 minutes ago             zen_austin
5f2f23db1410   hello-world    "/hello"                 2 months ago         Exited (0) 2 months ago               ecstatic_ganguly
088936b0ce6c   mariadb        "docker-entrypoint.s…"   14 months ago        Exited (0) 14 months ago              tmp-db-1
7e8c9b684507   b8bba28b797b   "docker-entrypoint.s…"   15 months ago        Exited (0) 15 months ago              docker-db-1

Looks good to me, but I have to really configure the firewall when I test, or remember to disable the firewall during the test :P
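The systemctl status output above shows dockerd started with both a unix socket and `-H tcp://127.0.0.1:2375`, and the journal carries a (truncated) warning about API accessibility. As an added example, not part of this report or of Mageia's packaging, the script below parses a dockerd command line and states what each listener exposes; the sample command line is the ExecStart line quoted above, and the `dockerd -H=... --tlsverify` variants are constructed inputs.

```python
"""Classify how a dockerd command line exposes the Engine API.

Added example for this bug thread. The classifier is constructed here; the
flags it looks for (-H/--host, --tlsverify) are real dockerd options, and the
default of listening only on unix:///var/run/docker.sock when no -H is given
is dockerd's documented behaviour.
"""
import shlex
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def listen_flags(cmdline):
    """Return (hosts, tls_verify) from a dockerd command line.

    Accepts '-H value', '--host value', '-H=value' and '--host=value'.
    """
    argv = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 1                                   # argv[0] is the dockerd binary
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tlsverify" or arg.startswith("--tlsverify="):
            tls_verify = not arg.endswith("=false")
        i += 1
    return hosts, tls_verify


def classify(host, tls_verify):
    """One-line verdict for a single -H endpoint."""
    u = urlsplit(host)
    if u.scheme == "unix":
        return "local socket; access controlled by file permissions (docker group)"
    if u.scheme == "fd":
        return "systemd socket activation; the address lives in the .socket unit"
    if u.scheme == "tcp":
        where = "loopback" if u.hostname in LOOPBACK_HOSTS else "network-reachable"
        if tls_verify:
            return f"{where} TCP with client certificate verification"
        # Without TLS there is no authentication at all on this endpoint, and
        # the Engine API is equivalent to root on the host.
        return f"{where} TCP without TLS: every client that can connect gets root-equivalent control"
    return "unrecognised endpoint"


def audit(cmdline):
    """Map each configured endpoint to its verdict."""
    hosts, tls_verify = listen_flags(cmdline)
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]     # dockerd default
    return {h: classify(h, tls_verify) for h in hosts}


# The ExecStart line from the systemctl status output in this thread.
EXECSTART = ("/usr/sbin/dockerd --data-root /var/cache/docker "
             "-H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375")

if __name__ == "__main__":
    for endpoint, verdict in audit(EXECSTART).items():
        print(f"{endpoint}: {verdict}")
```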
Just lost the net again when I sent the previous message :( How to avoid it?
CC: j.alberto.vc => tarazed25
(In reply to katnatek from comment #10)
> Just lost the net again when I sent the previous message :(
> How to avoid it?

https://stackoverflow.com/questions/75003625/when-starting-docker-containers-host-machine-loses-internet-connection

Will have this information for the next round.
Advisory Updated
Len and the rest of the team, I would really like another eye on this.
In reply to katnatek in comment #13: Sorry mate to leave you to do all the heavy lifting just lately. Might have time tomorrow to dust off my old notes and have a go at this.
mga9, x64

Tried out the existing docker installation after ensuring user was in docker group. No problems there.

Updated the packages and restarted docker daemon.
$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.
......

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
0a2f88c32710   hello-world     "/hello"   58 seconds ago   Exited (0) 57 seconds ago             compassionate_shirley
125489acf4b8   fedora:latest   "bash"     17 minutes ago   Exited (1) 11 minutes ago             friendly_hoover
4f27bbd21429   hello-world     "/hello"   4 hours ago      Exited (0) 4 hours ago                wonderful_diffie

$ docker run -it fedora:latest bash
[root@8d834f717d7e /]# dnf install ruby
Updating and loading repositories:
 Fedora 42 - x86_64 - Updates             100% |   3.2 MiB/s |   6.4 MiB |  00m02s
 Fedora 42 openh264 (From Cisco) - x86_   100% |   5.8 KiB/s |   5.8 KiB |  00m01s
 Fedora 42 - x86_64                       100% |   6.3 MiB/s |  35.4 MiB |  00m06s
Repositories loaded.
 Package                  Arch     Version          Repository   Size
Installing:
 ruby                     x86_64   3.4.2-23.fc42    fedora       85.5 KiB
Installing dependencies:
 ruby-default-gems        noarch   3.4.2-23.fc42    fedora       65.8 KiB
 ruby-libs                x86_64   3.4.2-23.fc42    fedora       14.9 MiB
[...]
[15/16] Installing rubygem-bigdecimal-0   100% |  45.0 MiB/s | 138.2 KiB |  00m00s
[16/16] Installing rubygem-bundler-0:2.   100% |  20.8 MiB/s |   1.5 MiB |  00m00s
Complete!
[root@8d834f717d7e /]# irb
irb(main):001> puts "Hello world from fedora"
Hello world from fedora
=> nil
irb(main):002> quit
[root@8d834f717d7e /]# dnf install nano
Updating and loading repositories:
Repositories loaded.
[...]
[root@8d834f717d7e /]# nano sample.txt
[root@8d834f717d7e /]#
[root@8d834f717d7e /]# cat sample.txt
Editing a junk file with nano running inside a docker container running fedora.
That looks OK.

[root@8d834f717d7e /]# ls
afs  boot  etc   lib    media  opt   root  sample.txt  srv  tmp  var
bin  dev   home  lib64  mnt    proc  run   sbin        sys  usr
[root@8d834f717d7e /]# ls
afs  boot  etc   lib    media  opt   root  sample.txt  srv  tmp  var
bin  dev   home  lib64  mnt    proc  run   sbin        sys  usr
[root@8d834f717d7e /]# mv sample.txt home
[root@8d834f717d7e /]# ls home
sample.txt
[root@8d834f717d7e /]# exit
exit

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
8d834f717d7e   fedora:latest   "bash"     23 minutes ago   Exited (0) 39 seconds ago             blissful_blackburn
0395df0ca65e   fedora:latest   "bash"     26 minutes ago   Exited (0) 23 minutes ago             suspicious_aryabhata
0a2f88c32710   hello-world     "/hello"   29 minutes ago   Exited (0) 29 minutes ago             compassionate_shirley
125489acf4b8   fedora:latest   "bash"     45 minutes ago   Exited (1) 40 minutes ago             friendly_hoover
4f27bbd21429   hello-world     "/hello"   4 hours ago      Exited (0) 4 hours ago                wonderful_diffie
$ docker remove 125489acf4b8 4f27bbd21429
125489acf4b8
4f27bbd21429
$ docker inspect blissful_blackburn
[
    {
        "Id": "8d834f717d7e288fd4385a45666c650df4d4aebe4b588271a157afde645cc5bf",
        "Created": "2025-06-21T10:12:43.051152812Z",
[...]
$ docker inspect blissful_blackburn | grep Image
        "Image": "sha256:14fc97566f69b325b9094e97261eb95fe1cd98d11f5161c0095fdba75c55d1cf",
            "Image": "fedora:latest",

$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
0c01110621e0: Pull complete
Digest: sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
[...]
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
[..lot of stuff..]
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ______________________________________
/ You are only young once, but you can \
\ stay immature indefinitely.          /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# exit
exit

@katnatek
So all looks good so far but these are very basic tests. Not using moby so the CVE-2024-29018 issue does not apply (?). Have not touched the firewall and see no issues with internet connectivity. I would be out of my depth trying to start a docker network or use docker-compose so I do not expect any of this to be much help to you.
(In reply to Len Lawrence from comment #15)
> mga9, x64
> Tried out the existing docker installation after ensuring user was in docker
> group. No problems there.
>
> Updated the packages and restarted docker daemon.
> $ docker run hello-world
>
> Hello from Docker!
> This message shows that your installation appears to be working correctly.
> ......
>
> $ docker ps -a
> CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
> 0a2f88c32710   hello-world     "/hello"   58 seconds ago   Exited (0) 57 seconds ago             compassionate_shirley
> 125489acf4b8   fedora:latest   "bash"     17 minutes ago   Exited (1) 11 minutes ago             friendly_hoover
> 4f27bbd21429   hello-world     "/hello"   4 hours ago      Exited (0) 4 hours ago                wonderful_diffie
>
> $ docker run -it fedora:latest bash
> [root@8d834f717d7e /]# dnf install ruby
> Updating and loading repositories:
>  Fedora 42 - x86_64 - Updates             100% |   3.2 MiB/s |   6.4 MiB |  00m02s
>  Fedora 42 openh264 (From Cisco) - x86_   100% |   5.8 KiB/s |   5.8 KiB |  00m01s
>  Fedora 42 - x86_64                       100% |   6.3 MiB/s |  35.4 MiB |  00m06s
> Repositories loaded.
>  Package                  Arch     Version          Repository   Size
> Installing:
>  ruby                     x86_64   3.4.2-23.fc42    fedora       85.5 KiB
> Installing dependencies:
>  ruby-default-gems        noarch   3.4.2-23.fc42    fedora       65.8 KiB
>  ruby-libs                x86_64   3.4.2-23.fc42    fedora       14.9 MiB
> [...]
> [15/16] Installing rubygem-bigdecimal-0   100% |  45.0 MiB/s | 138.2 KiB |  00m00s
> [16/16] Installing rubygem-bundler-0:2.   100% |  20.8 MiB/s |   1.5 MiB |  00m00s
> Complete!
> [root@8d834f717d7e /]# irb
> irb(main):001> puts "Hello world from fedora"
> Hello world from fedora
> => nil
> irb(main):002> quit
> [root@8d834f717d7e /]# dnf install nano
> Updating and loading repositories:
> Repositories loaded.
> [...]
> [root@8d834f717d7e /]# nano sample.txt
> [root@8d834f717d7e /]#
> [root@8d834f717d7e /]# cat sample.txt
> Editing a junk file with nano running inside a docker container running
> fedora.
> That looks OK.
>
> [root@8d834f717d7e /]# ls
> afs  boot  etc   lib    media  opt   root  sample.txt  srv  tmp  var
> bin  dev   home  lib64  mnt    proc  run   sbin        sys  usr
> [root@8d834f717d7e /]# ls
> afs  boot  etc   lib    media  opt   root  sample.txt  srv  tmp  var
> bin  dev   home  lib64  mnt    proc  run   sbin        sys  usr
> [root@8d834f717d7e /]# mv sample.txt home
> [root@8d834f717d7e /]# ls home
> sample.txt
> [root@8d834f717d7e /]# exit
> exit
>
> $ docker ps -a
> CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
> 8d834f717d7e   fedora:latest   "bash"     23 minutes ago   Exited (0) 39 seconds ago             blissful_blackburn
> 0395df0ca65e   fedora:latest   "bash"     26 minutes ago   Exited (0) 23 minutes ago             suspicious_aryabhata
> 0a2f88c32710   hello-world     "/hello"   29 minutes ago   Exited (0) 29 minutes ago             compassionate_shirley
> 125489acf4b8   fedora:latest   "bash"     45 minutes ago   Exited (1) 40 minutes ago             friendly_hoover
> 4f27bbd21429   hello-world     "/hello"   4 hours ago      Exited (0) 4 hours ago                wonderful_diffie
> $ docker remove 125489acf4b8 4f27bbd21429
> 125489acf4b8
> 4f27bbd21429
> $ docker inspect blissful_blackburn
> [
>     {
>         "Id": "8d834f717d7e288fd4385a45666c650df4d4aebe4b588271a157afde645cc5bf",
>         "Created": "2025-06-21T10:12:43.051152812Z",
> [...]
> $ docker inspect blissful_blackburn | grep Image
>         "Image": "sha256:14fc97566f69b325b9094e97261eb95fe1cd98d11f5161c0095fdba75c55d1cf",
>             "Image": "fedora:latest",
>
> $ docker run -it --name cowsay --hostname cowsay debian bash
> Unable to find image 'debian:latest' locally
> latest: Pulling from library/debian
> 0c01110621e0: Pull complete
> Digest: sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe
> Status: Downloaded newer image for debian:latest
> root@cowsay:/# apt-get update
> Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> [...]
> Reading package lists... Done
> root@cowsay:/# apt-get install -y cowsay fortune
> [..lot of stuff..]
> root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
>  ______________________________________
> / You are only young once, but you can \
> \ stay immature indefinitely.          /
>  --------------------------------------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
> root@cowsay:/# exit
> exit
>
> @katnatek
> So all looks good so far but these are very basic tests. Not using moby so
> the CVE-2024-29018 issue does not apply (?). Have not touched the firewall
> and see no issues with internet connectivity. I would be out of my depth
> trying to start a docker network or use docker-compose so I do not expect
> any of this to be much help to you.

For docker compose I go to bug#32897 and all goes well.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Looks good enough to me. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
ping
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0189.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
There's a non-URL in the references in the advisory...
Dan, I sent a fix for the bogus reference; please do a magic spell to fix the published advisory. Thanks and sorry.
The fix was picked up just now when Firefox was pushed.