openSUSE has issued an advisory on December 19: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NQV4EZSYKG44SJCC2XH72E7WLVFELCEO/
Source RPM: (none) => docker-24.0.5-5.mga10.src.rpm, docker-24.0.5-4.mga9.src.rpm
CVE: (none) => CVE-2024-29018
Whiteboard: (none) => MGA9TOO
The SUSE ref says "security issues fixed in the docker-27.4.1_ce-12.1 package on the GA media of openSUSE Tumbleweed", so there is a fix. Another link says "Patchnames: openSUSE-Tumbleweed-2024-14597 openSUSE-Tumbleweed-2024-14598" and the Mitre page has these links:
https://github.com/moby/moby/pull/46609
https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
https://nvd.nist.gov/vuln/detail/CVE-2024-29018 looks a useful page, including: "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, ..."

Assigning to Bruno, believing you are still with us; you are the principal maintainer of docker.
Assignee: bugsquad => bruno
Status: NEW => ASSIGNED
From this link, https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx, it doesn't seem that mga9 is affected, as version 24 is NOT mentioned. The latest 24 version doesn't mention that CVE either; see https://github.com/moby/moby/releases/tag/v24.0.9

But that latest 24.0.9 version also doesn't fix other CVEs:
CVE-2024-23651
CVE-2024-23652
CVE-2024-23653
CVE-2024-23650

So I think it would be wise to update mga9 to 25.latest and cauldron to 27.latest. Will work on that if that's OK for you, Nicolas and Lewis.