@renovate-sh-app
Contributor

This PR contains the following updates:

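| Package                  | Change                                       | Age | Confidence |
| ------------------------ | -------------------------------------------- | --- | ---------- |
| github.com/docker/docker | v25.0.8+incompatible -> v28.0.0+incompatible | age | confidence |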

Moby firewalld reload removes bridge network isolation

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby, is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example, "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.

Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. This includes, for example, Rootless Mode and Docker Desktop.

Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

Workarounds

After reloading firewalld, either:

  • Restart the docker daemon,
  • Re-create bridge networks, or
  • Use rootless mode.

References

https://firewalld.org/
https://firewalld.org/documentation/howto/reload-firewalld.html

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Moby firewalld reload removes bridge network isolation in github.com/docker/docker

CVE-2025-54410 / GHSA-4vq8-7jfc-9cvp / GO-2025-3829

More information

Details

Moby firewalld reload removes bridge network isolation in github.com/docker/docker

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

docker/docker (github.com/docker/docker)

  • v28.0.0+incompatible
  • v27.5.1+incompatible
  • v27.5.0+incompatible
  • v27.4.1+incompatible
  • v27.4.0+incompatible
  • v27.3.1+incompatible
  • v27.3.0+incompatible
  • v27.2.1+incompatible
  • v27.2.0+incompatible
  • v27.1.2+incompatible
  • v27.1.1+incompatible
  • v27.1.0+incompatible
  • v27.0.3+incompatible
  • v27.0.2+incompatible
  • v26.1.5+incompatible
  • v26.1.4+incompatible
  • v26.1.3+incompatible
  • v26.1.2+incompatible
  • v26.1.1+incompatible
  • v26.1.0+incompatible
  • v26.0.2+incompatible
  • v26.0.1+incompatible
  • v26.0.0+incompatible
  • v25.0.14+incompatible
  • v25.0.13+incompatible
  • v25.0.12+incompatible
  • v25.0.11+incompatible
  • v25.0.10+incompatible
  • v25.0.9+incompatible


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

| datasource | package                  | from                 | to                   |
| ---------- | ------------------------ | -------------------- | -------------------- |
| go         | github.com/docker/docker | v25.0.8+incompatible | v28.0.0+incompatible |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
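
A host-side check for the condition the advisory describes, as an added example that is not part of this PR or of Moby's code: it looks for the per-bridge isolation rules in an `iptables -S` dump. The chain names and rule layout are assumed from Docker Engine 25-27's iptables backend, the sample rulesets are constructed, and `check-isolation.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example (not Moby or PR code): report bridges whose inter-network
# isolation rules are absent from an `iptables -S` dump.
# Assumption: rule layout of Docker Engine 25-27's iptables backend, i.e. the
# DOCKER-ISOLATION-STAGE-1 / DOCKER-ISOLATION-STAGE-2 chains.

# has_rule RULES RULE: succeeds if RULE is an exact line of RULES.
has_rule() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# missing_isolation RULES BRIDGE...: prints bridges lacking either rule.
missing_isolation() {
    rules=$1
    shift
    out=""
    for br in "$@"; do
        s1="-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2"
        s2="-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP"
        if ! has_rule "$rules" "$s1" || ! has_rule "$rules" "$s2"; then
            out="${out:+$out }$br"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample: ruleset with isolation in place for two bridges.
HEALTHY='-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1a2b3c4d5e6f ! -o br-1a2b3c4d5e6f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1a2b3c4d5e6f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# Constructed sample: same host with the per-bridge isolation rules gone,
# the state the advisory describes after a firewalld reload.
RELOADED='-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o br-1a2b3c4d5e6f -j DOCKER'

# Live use (root), bridge names supplied by the operator:
#   sh check-isolation.sh --live docker0 br-1a2b3c4d5e6f
if [ "${1:-}" = "--live" ]; then
    shift
    bad=$(missing_isolation "$(iptables -S)" "$@")
    [ -z "$bad" ] || { echo "isolation rules missing for: $bad" >&2; exit 1; }
    echo "isolation rules present for: $*"
fi
```

Pass only non-internal bridges: the advisory notes that `--internal` networks stay isolated, and this check assumes they do not carry this rule pair.
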
@renovate-sh-app
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: github.com/containerd/containerd/v2@v2.2.0 requires go >= 1.24.3 (running go 1.23.12)

@paul1r paul1r merged commit ce5c5a7 into release-2.9.x Nov 8, 2025
47 checks passed
@paul1r paul1r deleted the deps-update/release-2.9.x-go-github.com-docker-docker-vulnerability branch November 8, 2025 18:20