On Fri, 21 Mar 2025 14:24:26 +0100 Moritz Mühlenhoff <j...@inutil.org>
wrote:
> The following vulnerability was published for docker-buildx.
>
> CVE-2025-0495[0]:
> | Buildx is a Docker CLI plugin that extends build capabilities using
> | BuildKit. Cache backends support credentials by setting secrets
> | directly as attribute values in cache-to/cache-from configuration.
> | When supplied as user input, these secure values may be
> | inadvertently captured in OpenTelemetry traces as part of the
> | arguments and flags for the traced CLI command. OpenTelemetry traces
> | are also saved in BuildKit daemon's history records. This
> | vulnerability does not impact secrets passed to the Github cache
> | backend via environment variables or registry authentication.
>
> https://github.com/docker/buildx/security/advisories/GHSA-m4gq-fm9h-8q75
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I pushed commit [b16d18a] to a branch as it is my first time fixing a
CVE; I am not sure exactly what else I need to do.
From what I understand of the release notes [1], this commit should be
enough to fix the CVE.
See also the diff for this release:
https://github.com/docker/buildx/compare/v0.21.2...v0.21.3
[b16d18a]:
https://salsa.debian.org/go-team/packages/docker-buildx/-/commit/b16d18af52c18d0a2d3499c7d0839d9da3a76f5b
[1]: https://github.com/docker/buildx/releases/tag/v0.21.3
--
Nicolas Peugnet
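The advisory quoted above describes the leak mechanism: credential values passed inline in the `--cache-to` / `--cache-from` attribute strings end up verbatim in the OpenTelemetry span that records the CLI's arguments. The Go snippet below is an added illustration of the kind of argument scrubbing that closes that gap; it is not the buildx project's code and not the fix in the linked commit. The set of attribute names it treats as secrets (`access_key_id`, `secret_access_key`, `session_token`, `token`) and the sample argv are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// secretAttrs lists cache-backend attribute names whose values are credentials.
// This set is an assumption for the example; a real scrubber should derive it
// from the backend definitions rather than hard-code it.
var secretAttrs = map[string]bool{
	"access_key_id":     true,
	"secret_access_key": true,
	"session_token":     true,
	"token":             true,
}

// redactCacheAttrs takes the comma-separated key=value attribute string that
// follows --cache-to / --cache-from (e.g. "type=s3,bucket=b,secret_access_key=X")
// and replaces the value of every secret attribute with "***". Non-secret
// attributes and items without "=" are passed through unchanged.
func redactCacheAttrs(attrs string) string {
	parts := strings.Split(attrs, ",")
	for i, p := range parts {
		k, _, ok := strings.Cut(p, "=")
		if !ok {
			continue
		}
		if secretAttrs[strings.ToLower(strings.TrimSpace(k))] {
			parts[i] = k + "=***"
		}
	}
	return strings.Join(parts, ",")
}

// redactArgs returns a copy of a CLI argument vector in which the attribute
// string of every cache flag has been scrubbed. Both the "--flag value" and
// the "--flag=value" spellings are handled; this copy is what should be
// attached to a trace span instead of the raw os.Args.
func redactArgs(args []string) []string {
	out := make([]string, len(args))
	copy(out, args)
	for i := 0; i < len(out); i++ {
		a := out[i]
		switch {
		case a == "--cache-to" || a == "--cache-from":
			if i+1 < len(out) {
				out[i+1] = redactCacheAttrs(out[i+1])
				i++ // skip the value we just scrubbed
			}
		case strings.HasPrefix(a, "--cache-to=") || strings.HasPrefix(a, "--cache-from="):
			flag, val, _ := strings.Cut(a, "=") // cuts at the first "=", keeping "type=..." intact
			out[i] = flag + "=" + redactCacheAttrs(val)
		}
	}
	return out
}

func main() {
	// Constructed sample invocation for the example (not a command from the page).
	argv := []string{
		"docker", "buildx", "build",
		"--cache-to", "type=s3,region=eu-west-1,bucket=cache,access_key_id=AKIAEXAMPLE,secret_access_key=hunter2",
		"--cache-from=type=gha,token=ghs_example",
		".",
	}
	fmt.Println(strings.Join(redactArgs(argv), " "))
}
```

The scrubber only touches the two cache flags, which is the scope the advisory names; credentials supplied through environment variables or registry login never appear in argv and so never reach the span in the first place, which is why the advisory excludes those paths.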