Source: docker.io
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for docker.io.

CVE-2026-33997[0]:
| Moby is an open source container framework. Prior to version 29.3.1,
| a security vulnerability has been detected that allows plugins
| privilege validation to be bypassed during docker plugin install.
| Due to an error in the daemon's privilege comparison logic, the
| daemon may incorrectly accept a privilege set that differs from the
| one approved by the user. Plugins that request exactly one privilege
| are also affected, because no comparison is performed at all. This
| issue has been patched in version 29.3.1.

https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9
https://github.com/moby/moby/commit/0afb41ce194ca8f83436b332c18105279923ba14 (28.x)

CVE-2026-34040[1]:
| Moby is an open source container framework. Prior to version 29.3.1,
| a security vulnerability has been detected that allows attackers to
| bypass authorization plugins (AuthZ). This issue has been patched in
| version 29.3.1.

https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
https://github.com/moby/moby/commit/6d311e0d8d4174a6347942db78c553fb7dc3762e (28.x)
https://github.com/moby/moby/commit/db7dadaca041953430d1e2144088c311b78b96d7 (28.x)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33997
    https://www.cve.org/CVERecord?id=CVE-2026-33997
[1] https://security-tracker.debian.org/tracker/CVE-2026-34040
    https://www.cve.org/CVERecord?id=CVE-2026-34040

Please adjust the affected versions in the BTS as needed.

