Your message dated Wed, 24 Jun 2026 14:37:05 +0000
with message-id <[email protected]>
and subject line Bug#1140189: fixed in docker.io 28.5.2+dfsg4-3
has caused the Debian Bug report #1140189,
regarding docker.io: CVE-2026-33747 CVE-2026-33748
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: docker.io
Version: 28.5.2+dfsg4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for docker.io.
CVE-2026-33747[0]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, when using a custom BuildKit frontend, the frontend can
| craft an API message that causes files to be written outside of the
| BuildKit state directory for the execution context. The issue has
| been fixed in v0.28.1. The vulnerability requires using an untrusted
| BuildKit frontend set with `#syntax` or `--build-arg
| BUILDKIT_SYNTAX`. Using these options with a well-known frontend
| image like `docker/dockerfile` is not affected.
CVE-2026-33748[1]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, insufficient validation of Git URL fragment subdir
| components may allow access to files outside the checked-out Git
| repository root. Possible access is limited to files on the same
| mounted filesystem. The issue has been fixed in version v0.28.1. The
| issue affects only builds that use Git URLs with a subpath
| component. As a workaround, avoid building Dockerfiles from
| untrusted sources or using the subdir component from an untrusted
| Git repository where the subdir component could point to a symlink.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33747
https://www.cve.org/CVERecord?id=CVE-2026-33747
[1] https://security-tracker.debian.org/tracker/CVE-2026-33748
https://www.cve.org/CVERecord?id=CVE-2026-33748
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: docker.io
Source-Version: 28.5.2+dfsg4-3
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 23 Jun 2026 11:08:56 -0400
Source: docker.io
Architecture: source
Version: 28.5.2+dfsg4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1139965 1139966 1139967 1140189
Changes:
docker.io (28.5.2+dfsg4-3) unstable; urgency=medium
.
[ Reinhard Tartler ]
* Backport patch for CVE-2026-41567 (Closes: #1139965)
* Backport patch for CVE-2026-42306 and CVE-2026-41568,
(Closes: #1139967, #1139966)
* Backport patches for CVE-2026-33747 and CVE-2026-33748,
(Closes: #1140189)
* Refresh patches
.
[ Luca Boccassi ]
* Install and use sysusers.d config file
* Drop workaround for versions older than 10 years ago
--- End Message ---