Bug 35081 - docker-containerd new security issues CVE-2024-25621 and CVE-2025-64329
Summary: docker-containerd new security issues CVE-2024-25621 and CVE-2025-64329
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-29 15:45 CET by Nicolas Salguero
Modified: 2026-02-02 20:17 CET
CC List: 2 users

See Also:
Source RPM: docker-containerd-1.7.27-1.mga9.src.rpm
CVE: CVE-2024-25621, CVE-2025-64329
Status comment: Package in comment 6


Description Nicolas Salguero 2026-01-29 15:45:39 CET
Ubuntu has issued an advisory on January 29:
https://ubuntu.com/security/notices/USN-7983-1

Those issues are already fixed in Cauldron.
Nicolas Salguero 2026-01-29 15:46:07 CET

Status comment: (none) => Fixed upstream in 1.7.29
Source RPM: (none) => docker-containerd-1.7.27-1.mga9.src.rpm
CVE: (none) => CVE-2024-25621, CVE-2025-64329

Comment 1 Lewis Smith 2026-01-29 20:41:41 CET
Yes, Cauldron jumped from 1.7.3 to 2.2.1. So this update for M9 falls between the two. Could it swallow 2.2.1 directly?
Assigning to Bruno who nurses docker-containerd.

Assignee: bugsquad => bruno

Comment 2 Bruno Cornec 2026-01-30 00:05:44 CET
Pushing 1.7.29 to updates_testing.
FTR, my local testing doesn't show regression.

Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs

Comment 3 katnatek 2026-01-30 02:00:11 CET
LC_ALL=C urpmi docker docker-containerd
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  docker-containerd              1.7.27       1.mga9        x86_64  
(medium "Core Release (distrib1)")
  cgroup                         0.41         5.mga9        x86_64  
  lib64cgroup1                   0.41         5.mga9        x86_64  
(medium "Core Updates (distrib3)")
  docker                         25.0.7       1.mga9        x86_64  
  opencontainers-runc            1.2.8        2.1.mga9      x86_64  
299MB of additional disk space will be used.
84MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64cgroup1-0.41-5.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/cgroup-0.41-5.mga9.x86_64.rpm                   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/docker-25.0.7-1.mga9.x86_64.rpm                 
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/opencontainers-runc-1.2.8-2.1.mga9.x86_64.rpm   
installing //home/katnatek/qa-testing/x86_64/docker-containerd-1.7.27-1.mga9.x86_64.rpm                                              
/var/cache/urpmi/rpms/opencontainers-runc-1.2.8-2.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/cgroup-0.41-5.mga9.x86_64.rpm
/var/cache/urpmi/rpms/docker-25.0.7-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64cgroup1-0.41-5.mga9.x86_64.rpm
Preparing...                     ###################################################################################################
      1/5: lib64cgroup1          ###################################################################################################
      2/5: cgroup                ###################################################################################################
      3/5: opencontainers-runc   ###################################################################################################
      4/5: docker-containerd     ###################################################################################################
      5/5: docker                ###################################################################################################
----------------------------------------------------------------------
More information on package docker-25.0.7-1.mga9.x86_64
docker is managing its own iptables rules and can work with shorewall.

You may look at this post for examples of configuration https://gist.github.com/lukasnellen/20761a20286f32efc396e207d986295d

Remember to re-start shorewall first and docker afterwards when you make modifications to your firewall setup.

Add my user to docker, restart session

Reference bug 34145 comment 6

systemctl start docker.service
[root@jgrey ~]# systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; preset: disabled)
     Active: active (running) since Thu 2026-01-29 18:54:20 CST; 12s ago
       Docs: http://docs.docker.com
    Process: 75281 ExecStartPre=/usr/sbin/docker-network-cleanup (code=exited, status=0/SUCCESS)
   Main PID: 75284 (dockerd)
      Tasks: 20
     Memory: 83.1M
        CPU: 499ms
     CGroup: /system.slice/docker.service
             ├─75284 /usr/sbin/dockerd --data-root /var/cache/docker -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375
             └─75292 containerd --config /var/run/docker/containerd/containerd.toml

ene 29 18:54:16 jgrey.phoenix dockerd[75292]: time="2026-01-29T18:54:16.655642397-06:00" level=info msg=serving... address=/var/run/d>
ene 29 18:54:16 jgrey.phoenix dockerd[75292]: time="2026-01-29T18:54:16.655707376-06:00" level=info msg="containerd successfully boot>
ene 29 18:54:18 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:18.165919269-06:00" level=info msg="Loading containers: start."
ene 29 18:54:18 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:18.813142440-06:00" level=info msg="Loading containers: done."
ene 29 18:54:19 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:19.281838001-06:00" level=warning msg="WARNING: API is accessibl>
ene 29 18:54:19 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:19.281933672-06:00" level=info msg="Docker daemon" commit=librar>
ene 29 18:54:19 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:19.282165540-06:00" level=info msg="Daemon has completed initial>
ene 29 18:54:20 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:20.209675359-06:00" level=info msg="API listen on /var/run/docke>
ene 29 18:54:20 jgrey.phoenix dockerd[75284]: time="2026-01-29T18:54:20.209704559-06:00" level=info msg="API listen on 127.0.0.1:2375"
ene 29 18:54:20 jgrey.phoenix systemd[1]: Started docker.service.


docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
17eec7bbc9d7: Pull complete 
Digest: sha256:05813aedc15fb7b4d732e1be879d3252c1c9c25d885824f6295cab4538cb85cd
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
7646cc0e353b   hello-world   "/hello"   33 seconds ago   Exited (0) 31 seconds ago             heuristic_chaum



Looks good to me. I don't remember why I had other images in the previous test.

Whiteboard: (none) => MGA9-64-OK

katnatek 2026-01-30 02:07:46 CET

Keywords: (none) => advisory

Comment 4 Nicolas Salguero 2026-01-30 09:15:06 CET
Version 1.7.29 is not in updates_testing.

Assignee: qa-bugs => bruno
Whiteboard: MGA9-64-OK => (none)
Keywords: advisory => (none)

Comment 5 Bruno Cornec 2026-01-30 22:58:12 CET
Sorry, should be better now.
Comment 6 katnatek 2026-01-31 00:39:32 CET
[S]RPM: docker-containerd-1.7.29-1.mga9

Status comment: Fixed upstream in 1.7.29 => Package in comment 6
Assignee: bruno => qa-bugs

Comment 7 katnatek 2026-01-31 21:26:42 CET
LC_ALL=C urpmi docker docker-containerd
Package docker-25.0.7-1.mga9.x86_64 is already installed


installing docker-containerd-1.7.29-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/1: docker-containerd     ###################################################################################################
      1/1: removing docker-containerd-1.7.27-1.mga9.x86_64
                                 ###################################################################################################

systemctl start docker.service
systemctl status docker.service 
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; preset: disabled)
     Active: active (running) since Sat 2026-01-31 14:22:15 CST; 13s ago
       Docs: http://docs.docker.com
    Process: 20431 ExecStartPre=/usr/sbin/docker-network-cleanup (code=exited, status=0/SUCCESS)
   Main PID: 20434 (dockerd)
      Tasks: 20
     Memory: 182.9M
        CPU: 616ms
     CGroup: /system.slice/docker.service
             ├─20434 /usr/sbin/dockerd --data-root /var/cache/docker -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375
             └─20447 containerd --config /var/run/docker/containerd/containerd.toml

ene 31 14:22:14 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:14.018298571-06:00" level=info msg="[graphdriver] using prior st>
ene 31 14:22:14 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:14.063436505-06:00" level=info msg="Loading containers: start."
ene 31 14:22:14 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:14.683251752-06:00" level=info msg="Default bridge (docker0) is >
ene 31 14:22:14 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:14.849917420-06:00" level=info msg="Loading containers: done."
ene 31 14:22:15 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:15.189637426-06:00" level=warning msg="WARNING: API is accessibl>
ene 31 14:22:15 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:15.189744959-06:00" level=info msg="Docker daemon" commit=librar>
ene 31 14:22:15 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:15.215915236-06:00" level=info msg="Daemon has completed initial>
ene 31 14:22:15 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:15.904078393-06:00" level=info msg="API listen on /var/run/docke>
ene 31 14:22:15 jgrey.phoenix dockerd[20434]: time="2026-01-31T14:22:15.904126504-06:00" level=info msg="API listen on 127.0.0.1:2375"
ene 31 14:22:15 jgrey.phoenix systemd[1]: Started docker.service.

docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
3665637fc16a   hello-world   "/hello"   40 seconds ago   Exited (0) 38 seconds ago             mystifying_maxwell
7646cc0e353b   hello-world   "/hello"   43 hours ago     Exited (0) 43 hours ago               heuristic_chaum


How do I clean the previous dockers?

docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
3665637fc16a   hello-world   "/hello"   40 seconds ago   Exited (0) 38 seconds ago             mystifying_maxwell
7646cc0e353b   hello-world   "/hello"   43 hours ago     Exited (0) 43 hours ago               heuristic_chaum

Where and how do I clean dockers?

Looks good BTW
katnatek 2026-01-31 21:27:10 CET

Whiteboard: (none) => MGA9-64-OK

katnatek 2026-01-31 21:30:19 CET

Keywords: (none) => advisory
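
A QA helper in the spirit of the checks in comments 3 and 7, added here and not part of the bug report or of Mageia's tooling: it refuses to report the update as OK unless the installed docker-containerd is at least the fixed version from the status comment (the first run in comment 3 had installed 1.7.27, as comment 4 noticed), then runs the hello-world smoke test and prunes the exited containers asked about in comment 7. It assumes rpm, docker and GNU sort (for -V) are available; the function names are my own.

```shell
#!/bin/sh
# Added QA helper (not from the bug report): only mark the update OK when the
# installed docker-containerd carries the fix, then smoke-test and clean up.
# Assumes rpm, docker and GNU sort -V. FIXED_VERSION comes from the bug's
# status comment ("Fixed upstream in 1.7.29").
FIXED_VERSION="1.7.29"

# version_ge A B: succeed when A >= B under natural version ordering
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# installed_version PKG: print the VERSION tag of the installed rpm, or nothing
installed_version() {
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null
}

# check_fixed PKG FIXED: 0 when the installed package is at least FIXED,
# 1 when it is missing or older (the case that slipped through in comment 3)
check_fixed() {
    inst=$(installed_version "$1")
    [ -n "$inst" ] || { echo "$1: not installed" >&2; return 1; }
    if version_ge "$inst" "$2"; then
        echo "$1-$inst >= $2: carries the fix"
    else
        echo "$1-$inst < $2: still the unfixed build, do not mark OK" >&2
        return 1
    fi
}

# smoke_test: restart the engine, run hello-world, then drop the exited
# containers so repeated test runs do not pile up in 'docker ps -a'
smoke_test() {
    systemctl restart docker.service || return 1
    docker run --rm hello-world >/dev/null || return 1
    docker container prune -f >/dev/null
}

# Only act when invoked as "run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    check_fixed docker-containerd "$FIXED_VERSION" && smoke_test
fi
```

`docker container prune -f` removes every stopped container; to remove a single one, use `docker rm <container id>` with an ID from `docker ps -a`.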

Comment 8 Thomas Andrews 2026-02-01 18:07:45 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2026-02-02 20:17:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0030.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

