diff --git a/2003-CVE-2025-54410.patch b/2003-CVE-2025-54410.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2bf60027dac72e36466c4e7c5b7cc31c7ad9440f
--- /dev/null
+++ b/2003-CVE-2025-54410.patch
@@ -0,0 +1,45 @@
+From 651b2feb27316cf907173c2a76cc6eb85f763663 Mon Sep 17 00:00:00 2001
+From: Rob Murray
+Date: Fri, 14 Feb 2025 16:50:43 +0000
+Subject: [PATCH] Restore INC iptables rules on firewalld reload
+
+Signed-off-by: Rob Murray
+---
+ integration/networking/bridge_test.go | 1 +
+ libnetwork/drivers/bridge/bridge_linux.go | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go
+index ce049a1c74..c368d9aa0d 100644
+--- a/integration/networking/bridge_test.go
++++ b/integration/networking/bridge_test.go
+@@ -354,6 +354,7 @@ func TestBridgeINC(t *testing.T) {
+ defer c.ContainerRemove(ctx, id1, containertypes.RemoveOptions{
+ Force: true,
+ })
++ networking.FirewalldReload(t, d)
+
+ ctr1Info := container.Inspect(ctx, t, c, id1)
+ targetAddr := ctr1Info.NetworkSettings.Networks[bridge1].IPAddress
+diff --git a/libnetwork/drivers/bridge/bridge_linux.go b/libnetwork/drivers/bridge/bridge_linux.go
+index 7de358de89..8d0183b9eb 100644
+--- a/libnetwork/drivers/bridge/bridge_linux.go
++++ b/libnetwork/drivers/bridge/bridge_linux.go
+@@ -1432,6 +1432,14 @@ func (d *driver) handleFirewalldReloadNw(nid string) {
+ }
+ nw.portMapper.ReMapAll()
+
++ // Restore the inter-network connectivity (INC) rules.
++ if err := nw.isolateNetwork(true); err != nil {
++ log.G(context.TODO()).WithFields(log.Fields{
++ "network": nw.id,
++ "error": err,
++ }).Warn("Failed to restore inter-network iptables rules on firewalld reload")
++ }
++
+ // Re-add legacy links - only added during ProgramExternalConnectivity, but legacy
+ links are default-bridge-only, and it's not possible to connect a container to
+ the default bridge and a user-defined network. So, the default bridge is always
+--
+2.20.1
+
diff --git a/moby.spec b/moby.spec
index e71caeb8464d7dceb97b63e7fbd6912c1ea98be4..69fe31d4c04e754c42272a5866810c935ad1c0a7 100644
--- a/moby.spec
+++ b/moby.spec
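Review bot: In the bridge_linux.go hunk a failure of `nw.isolateNetwork(true)` is only logged at Warn and the reload handler carries on, so a network whose isolation rules could not be re-installed silently stays reachable from other bridge networks — a fail-open for the very control this CVE fix restores. At minimum this deserves Error level so operators notice it, e.g. `}).Error("Failed to restore inter-network iptables rules on firewalld reload")`, and the comment should say that the handler deliberately continues so that the legacy-link and port-mapping restoration still run for the other parts of the network. Whether `isolateNetwork` inserts idempotently also matters: if a reload notification arrives without firewalld having actually flushed the chains, an append-style implementation would accumulate duplicate rules — its body is outside this patch, so that needs confirming against the 25.0.7 libnetwork it is being backported onto. `handleFirewalldReloadNw` begins before and ends after the hunk.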
@@ -8,7 +8,7 @@
 
 Name: moby
 Version: 25.0.7
-Release: 4
+Release: 5
 Summary: The open-source application container engine
 License: Apache-2.0
 URL: https://www.docker.com
@@ -32,6 +32,7 @@ Patch1006: 1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
 # Patch 2001-2999 for tini
 Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Patch2002: 2002-tini-port-to-newer-cmake.patch
+Patch2003: 2003-CVE-2025-54410.patch
 
 Requires(meta): %{name}-engine = %{version}-%{release}
 Requires(meta): %{name}-client = %{version}-%{release}
@@ -221,6 +222,9 @@ fi %systemd_postun_with_restart docker.service
 %changelog
+* Tue Aug 19 2025 Yu Peng - 25.0.7-5
+- Fix CVE-2025-54410
+
 * Wed Apr 16 14:32:36 CST 2025 Wenlong Zhang - 25.0.7-4
 - fix build error on loongarch64
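Review bot: `Patch2003` is declared inside the range that the comment directly above it reserves for tini (`# Patch 2001-2999 for tini`), yet the patch's own content touches moby's tree (`libnetwork/drivers/bridge/bridge_linux.go` and `integration/networking/bridge_test.go`), while the existing libnetwork fix sits in the 1xxx range (`Patch1006`). If `%prep` — not in this hunk — applies each numbered range in its own source directory or lists `%patchNNNN` lines explicitly, the CVE fix could be applied in the wrong tree or not applied at all, leaving a build that carries `Release: 5` and a changelog claiming the fix while the daemon is still vulnerable. Suggest renumbering it into the moby range, `Patch1007: 1007-CVE-2025-54410.patch`, and confirming from the build log that the patch is applied to the moby sources. The hidden `%prep` section is what decides this, so it is worth checking before merge.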