Your message dated Wed, 24 Jun 2026 14:37:05 +0000
with message-id <[email protected]>
and subject line Bug#1139967: fixed in docker.io 28.5.2+dfsg4-3
has caused the Debian Bug report #1139967,
regarding docker.io: CVE-2026-42306
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139967
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: docker.io
Version: 28.5.2+dfsg4-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for docker.io.
CVE-2026-42306[0]:
| Moby is an open source container framework. In Docker Engine prior
| to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby
| Daemon prior to version 2.0.0-beta.14, a race condition during
| docker cp mount setup allows a malicious container to redirect a
| bind mount target to an arbitrary host path, potentially overwriting
| host files or causing denial of service. This issue has been patched
| in Docker Engine version 29.5.1 and Moby Daemon version
| 2.0.0-beta.14.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-42306
    https://www.cve.org/CVERecord?id=CVE-2026-42306
[1] https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: docker.io
Source-Version: 28.5.2+dfsg4-3
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Jun 2026 11:08:56 -0400
Source: docker.io
Architecture: source
Version: 28.5.2+dfsg4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1139965 1139966 1139967 1140189
Changes:
docker.io (28.5.2+dfsg4-3) unstable; urgency=medium
.
[ Reinhard Tartler ]
* Backport patch for CVE-2026-41567 (Closes: #1139965)
* Backport patch for CVE-2026-42306 and CVE-2026-41568,
  (Closes: #1139967, #1139966)
* Backport patches for CVE-2026-33747 and CVE-2026-33748,
  (Closes: #1140189)
* Refresh patches
.
[ Luca Boccassi ]
* Install and use sysusers.d config file
* Drop workaround for versions older than 10 years ago
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---