This release contains a security fix for CVE-2024-29018, a potential data exfiltration from 'internal' networks via authoritative DNS servers.
Bug fixes and enhancements
CVE-2024-29018: Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a localhost address, like systemd's 127.0.0.53. moby/moby#47589
plugin: fix mounting /etc/hosts when running in UserNS. moby/moby#47588
rootless: fix open /etc/docker/plugins: permission denied. moby/moby#47587
Fix multiple parallel docker build runs leaking disk space. moby/moby#47527
v25.0.4
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Restore DNS names for containers in the default "nat" network on Windows. moby/moby#47490
Fix docker start failing when used with --checkpointmoby/moby#47466
Don't enforce new validation rules for existing swarm networks moby/moby#47482
Restore IP connectivity between the host and containers on an internal bridge network. moby/moby#47481
Fix a regression introduced in v25.0 that prevented the classic builder from ADDing a tar archive with xattrs created on a non-Linux OS moby/moby#47483
containerd image store: Fix image pull not emitting Pulling fs layer status moby/moby#47484
API
To preserve backwards compatibility, make read-only mounts not recursive by default when using older clients (API version < v1.44). moby/moby#47393
GET /images/{id}/json omits the Created field (previously it was 0001-01-01T00:00:00Z) if the Created field is missing from the image config. moby/moby#47451
Populate a missing Created field in GET /images/{id}/json with 0001-01-01T00:00:00Z for API version <= 1.43. moby/moby#47387
Fix a regression that caused API socket connection failures to report an API version negotiation failure instead. moby/moby#47470
Preserve supplied endpoint configuration in a container-create API request, when a container-wide MAC address is specified, but NetworkMode name-or-id is not the same as the name-or-id used in NetworkSettings.Networks. moby/moby#47510
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/docker/docker from 23.0.8+incompatible to 25.0.5+incompatible.
Release notes
Sourced from github.com/docker/docker's releases.
... (truncated)
Commits
e63daec
Merge pull request #47589 from vvoland/v25.0-47538817bccb
Merge pull request #47588 from vvoland/v25.0-475582a0601e
Merge pull request #47587 from vvoland/v25.0-475599df9ccc
Merge pull request #47586 from vvoland/v25.0-47569a987bc5
libnet: Don't forward to upstream resolvers on internal nw20c205f
Environment variable to override resolv.conf path.4be9723
daemon: move getUnprivilegedMountFlags to internal package7ed7e6c
plugin: fix mounting /etc/hosts when running in UserNS81ad706
rootless: fixopen /etc/docker/plugins: permission denied
02d4ee3
Makefile: generate-files: fix check for empty TMP_OUTDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show