diff --git a/0001-fix-cve-2024-29018.patch b/0001-fix-cve-2024-29018.patch
new file mode 100644
index 0000000000000000000000000000000000000000..709be1f8a1a326ba0eaad69605157294c5b631c8
--- /dev/null
+++ b/0001-fix-cve-2024-29018.patch
@@ -0,0 +1,212 @@
+From a9b119d4858a40936583262cb8d878036a0171dd Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Sun, 14 Apr 2024 19:46:56 +0800
+Subject: [PATCH] fix cve-2024-29018
+
+---
+ integration/networking/bridge_test.go | 20 +++++++++++++++-----
+ libnetwork/endpoint.go                |  8 +++++++-
+ libnetwork/resolver.go                | 21 +++++++++++++++++----
+ libnetwork/sandbox_dns_unix.go        |  5 +----
+ 4 files changed, 40 insertions(+), 14 deletions(-)
+
+diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go
+index e3d1fe2..4be3e55 100644
+--- a/integration/networking/bridge_test.go
++++ b/integration/networking/bridge_test.go
+@@ -36,7 +36,8 @@ func TestBridgeICC(t *testing.T) {
+ 		name           string
+ 		bridgeOpts     []func(*types.NetworkCreate)
+ 		ctr1MacAddress string
+-		linkLocal      bool
++		isIPv6         bool
++		isLinkLocal    bool
+ 		pingHost       string
+ 	}{
+ 		{
+@@ -55,6 +56,7 @@ func TestBridgeICC(t *testing.T) {
+ 				network.WithIPv6(),
+ 				network.WithIPAM("fdf1:a844:380c:b200::/64", "fdf1:a844:380c:b200::1"),
+ 			},
++			isIPv6: true,
+ 		},
+ 		{
+ 			name: "IPv6 ULA on internal network",
+@@ -74,7 +76,8 @@ func TestBridgeICC(t *testing.T) {
+ 				// 2. the one dynamically assigned by the IPAM driver.
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+-			linkLocal: true,
++			isLinkLocal: true,
++			isIPv6:      true,
+ 		},
+ 		{
+ 			name: "IPv6 link-local address on internal network",
+@@ -84,7 +87,8 @@ func TestBridgeICC(t *testing.T) {
+ 				// See the note above about link-local addresses.
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+-			linkLocal: true,
++			isLinkLocal: true,
++			isIPv6:      true,
+ 		},
+ 		{
+ 			// As for 'LL non-internal', but ping the container by name instead of by address
+@@ -122,6 +126,7 @@ func TestBridgeICC(t *testing.T) {
+ 			// specify one here to hardcode the SLAAC LL address below.
+ 			ctr1MacAddress: "02:42:ac:11:00:02",
+ 			pingHost:       "fe80::42:acff:fe11:2%eth0",
++			isIPv6:         true,
+ 		},
+ 		{
+ 			name: "IPv6 internal network with SLAAC LL address",
+@@ -133,6 +138,7 @@ func TestBridgeICC(t *testing.T) {
+ 			// specify one here to hardcode the SLAAC LL address below.
+ 			ctr1MacAddress: "02:42:ac:11:00:02",
+ 			pingHost:       "fe80::42:acff:fe11:2%eth0",
++			isIPv6:         true,
+ 		},
+ 	}
+ 
+@@ -162,7 +168,7 @@ func TestBridgeICC(t *testing.T) {
+ 
+ 			pingHost := tc.pingHost
+ 			if pingHost == "" {
+-				if tc.linkLocal {
++				if tc.isLinkLocal {
+ 					inspect := container.Inspect(ctx, t, c, id1)
+ 					pingHost = inspect.NetworkSettings.Networks[bridgeName].GlobalIPv6Address + "%eth0"
+ 				} else {
+@@ -170,7 +176,11 @@ func TestBridgeICC(t *testing.T) {
+ 				}
+ 			}
+ 
+-			pingCmd := []string{"ping", "-c1", "-W3", pingHost}
++			pingCmd := []string{"ping", "-c1", "-W3"}
++			if tc.isIPv6 {
++				pingCmd = append(pingCmd, "-6")
++			}
++			pingCmd = append(pingCmd, pingHost)
+ 
+ 			ctr2Name := fmt.Sprintf("ctr-icc-%d-2", tcID)
+ 			attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
+index d9c257d..93ddbc9 100644
+--- a/libnetwork/endpoint.go
++++ b/libnetwork/endpoint.go
+@@ -538,8 +538,11 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) {
+ 		return sb.setupDefaultGW()
+ 	}
+ 
+-	moveExtConn := sb.getGatewayEndpoint() != extEp
++	currentExtEp := sb.getGatewayEndpoint()
++	// Enable upstream forwarding if the sandbox gained external connectivity.
++	sb.resolver.SetForwardingPolicy(currentExtEp != nil)
+ 
++	moveExtConn := currentExtEp != extEp
+ 	if moveExtConn {
+ 		if extEp != nil {
+ 			log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+@@ -735,6 +738,9 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption)
+ 
+ 	// New endpoint providing external connectivity for the sandbox
+ 	extEp = sb.getGatewayEndpoint()
++	// Disable upstream forwarding if the sandbox lost external connectivity.
++	sb.resolver.SetForwardingPolicy(extEp != nil)
++
+ 	if moveExtConn && extEp != nil {
+ 		log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ 		extN, err := extEp.getNetworkFromStore()
+diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
+index 9df2154..6da595c 100644
+--- a/libnetwork/resolver.go
++++ b/libnetwork/resolver.go
+@@ -9,6 +9,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 	"sync"
++	"sync/atomic"
+ 	"time"
+ 
+ 	"github.com/containerd/log"
+@@ -75,7 +76,7 @@ type Resolver struct {
+ 	tcpListen     *net.TCPListener
+ 	err           error
+ 	listenAddress string
+-	proxyDNS      bool
++	proxyDNS      atomic.Bool
+ 	startCh       chan struct{}
+ 	logger        *log.Entry
+ 
+@@ -85,15 +86,17 @@ type Resolver struct {
+ 
+ // NewResolver creates a new instance of the Resolver
+ func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
+-	return &Resolver{
++	r := &Resolver{
+ 		backend:       backend,
+-		proxyDNS:      proxyDNS,
+ 		listenAddress: address,
+ 		err:           fmt.Errorf("setup not done yet"),
+ 		startCh:       make(chan struct{}, 1),
+ 		fwdSem:        semaphore.NewWeighted(maxConcurrent),
+ 		logInverval:   rate.Sometimes{Interval: logInterval},
+ 	}
++	r.proxyDNS.Store(proxyDNS)
++
++	return r
+ }
+ 
+ func (r *Resolver) log(ctx context.Context) *log.Entry {
+@@ -103,6 +106,8 @@ func (r *Resolver) log(ctx context.Context) *log.Entry {
+ 	return r.logger
+ }
+ 
++
++
+ // SetupFunc returns the setup function that should be run in the container's
+ // network namespace.
+ func (r *Resolver) SetupFunc(port int) func() {
+@@ -194,6 +199,14 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
+ 	}
+ }
+ 
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *Resolver) SetForwardingPolicy(policy bool) {
++	if r != nil {
++		r.proxyDNS.Store(policy)
++	}
++}
++
+ // NameServer returns the IP of the DNS resolver for the containers.
+ func (r *Resolver) NameServer() string {
+ 	return r.listenAddress
+@@ -421,7 +434,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) {
+ 		return
+ 	}
+ 
+-	if r.proxyDNS {
++	if r.proxyDNS.Load(){
+ 		// If the user sets ndots > 0 explicitly and the query is
+ 		// in the root domain don't forward it out. We will return
+ 		// failure and let the client retry with the search domain
+diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
+index e30f394..505c5f5 100644
+--- a/libnetwork/sandbox_dns_unix.go
++++ b/libnetwork/sandbox_dns_unix.go
+@@ -30,10 +30,7 @@ const (
+ func (sb *Sandbox) startResolver(restore bool) {
+ 	sb.resolverOnce.Do(func() {
+ 		var err error
+-		// The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to
+-		// an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when
+-		// no external connectivity is available (eg. by not setting a default gateway).
+-		sb.resolver = NewResolver(resolverIPSandbox, true, sb)
++		sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
+ 		defer func() {
+ 			if err != nil {
+ 				sb.resolver = nil
+-- 
+2.27.0
+
diff --git a/moby.spec b/moby.spec
index 003227e9f2f59ff3f3a7cf9c11b87cb188624e2d..f7e0e3362beb53360d2d27c6c901af15666fb9c3 100644
--- a/moby.spec
+++ b/moby.spec
@@ -7,7 +7,7 @@
 
 Name: 	  moby
 Version:  25.0.3
-Release:  1
+Release:  2
 Summary:  The open-source application container engine
 License:  ASL 2.0
 URL:	  https://www.docker.com
@@ -20,6 +20,8 @@ Source2:  tini-0.19.0.tar.gz
 Source3:  docker.service
 Source4:  docker.socket
 Source5:  docker.sysconfig
+Patch0000:  0001-fix-cve-2024-29018.patch
+
 
 Requires: %{name}-engine = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
@@ -89,6 +91,8 @@ Docker client binary and related utilities
 %prep
 %setup -q -n %{_source_client}
 %setup -q -T -n %{_source_engine} -b 1
+%patch0000 -p1
+
 %setup -q -T -n %{_source_docker_init} -b 2
 
 %build
@@ -190,6 +194,9 @@ fi
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Wed Apr 17 2024 lvxiangcong<lvxiangcong@kylinos.cn> - 25.0.3-2
+- DESC:fix cve-2024-29018
+
 * Tue Feb 06 2024 shechenglong<shechenglong@xfusion.com> - 25.0.3-1
 - DESC:update to 25.0.3