{"affected":[{"ecosystem_specific":{"binaries":[{"buildkit":"0.12.5-1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.0","name":"buildkit","purl":"pkg:rpm/suse/buildkit&distro=SUSE%20Linux%20Micro%206.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.12.5-1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for buildkit fixes the following issues:\n\n- Update to version 0.12.5:\n * update runc to v1.1.12\n * exec: add extra validation for submount sources (fixes CVE-2024-23651, bsc#1219267)\n * oci: fix error handling on submount calls\n * executor: recheck mount stub path within root after container run (fixes CVE-2024-23652, bsc#1219268)\n * llbsolver: make sure interactive container API validates entitlements (fixes CVE-2024-23653, bsc#1219438)\n * gateway: pass executor with build and not access worker directly\n * pb: add extra validation to protobuf types\n * sourcepolicy: add validations for nil values\n * exporter: add validation for platforms key value\n * exporter: add validation for invalid platorm\n * exporter: validate null config metadata from gateway\n * ci: disable push if not upstream repo\n * hack: use git context only for upstream repo\n * hack/test: allow ALPINE_VERSION to be set from env\n * hack: align syntax\n * vendor: github.com/cyphar/filepath-securejoin v0.2.4\n * tracing: allow the `Resource` to be set externally\n\n- Update to version 0.12.4:\n * Fix possible concurrent map access on remote cache export\n * Fix hang on debug server listener\n * Fix possible deadlock in History API under high number of parallel builds\n * Fix possible panic on handling deleted records in History API\n * Fix possible data corruption in zstd library\n\n- Update to version 0.12.3:\n * Fix possible duplicate source files in provenance attestation for chained builds\n * Fix possible negative step time in progressbar for step shared with other build request\n * Fix properly closing history and cache DB on shutdown to avoid corruption\n * Fix incorrect error handling for invalid HTTP source URLs\n * Fix fallback cases for ambiguous insecure configuration provided for registry used as push target.\n * Fix possible data race with parallel image config resolves\n * Fix regression in v0.12 for clients waiting on buildkitd to become available\n * Fix Cgroup NS handling for hosts supporting only CgroupV1\n\n- Update to version 0.12.2:\n * Fix possible discarded network error when exporting result to client\n * Avoid unnecessary memory allocations when writing build progress\n\n- Update to version 0.12.1:\n * executor: fix resource sampler goroutine leak\n * [v0.11] make tracing socket forward error non-fatal\n * integration: missing env var to check feature compat\n * test: update pinned busybox image to 1.36\n * test: update pinned alpine image to 3.18\n * vendor: github.com/docker/docker 8e51b8b59cb8 (master, v25.0.0-dev)\n * executor/resource: stub out NewSysSampler on Windows\n * vendor: github.com/docker/cli v24.0.4\n * testutil: move CheckContainerdVersion to a separate package\n * llbsolver: fix policy rule ordering\n * filesync: fix backward compatibility with encoding + and %\n * hack: allow to set GO_VERSION during tests\n * test: always disable tls for dockerd worker\n * buildctl: set max backoff delay to 1 second\n * contenthash: data race\n * filesync: escape special query characters\n * applier: add hack to support docker zstd layers\n * Fix various nits\n * pullprogress data race\n * use sampler lock instead\n * Fix ResolveImageConfig to evaluate source policy\n * sampler data race fix\n * update cgroup parent test to work with cgroupns\n * Revert \"specify a `ResponseHeaderTimeout` value\"\n * oci: make sure cgroupns is enabled if supported\n * bash lint fix\n * rename BUILDFLAGS to GOBUILDFLAGS\n * allow ENOTSUP for PSI cgroup files\n * containerimage: use platform matcher to detect platform to unpack\n * exporter: silently skip unpacking unknown reference\n * improve error handling in ReadFile\n * dockerfile: arg for controlling go build flags\n * dockerfile: arg to enable go race detection\n * Add support for health start interval\n * Re-vendor moby/moby\n * filesync: mark if options have been encoded to detect old versions\n * dockerfile: heredoc should use 0644 permissions\n * docs: update README to reference OpenTelemetry instead of OpenTracing\n * gateway: restore original filename in ReadFile error message\n * Dockerfile: update containerd to v1.7.2\n * Use system.ToSlash() instead of filepath.ToSlash()\n * Revert most changes to client/llb\n * Remove Architecture\n * Default to linux in client\n * Ensure we use proper path separators\n * Set default platform\n * Add nil pointer check in dispatchWorkdir\n * Remove nil pointer check and extra NormalizePath\n * Rename variable, remove superfluous check\n * Use current OS as a default\n * Handle file paths base on target platform\n * exporter: unlazy references in parallel\n * exporter: simplify unlazy references to reduce duplication\n * exporter: allow unpack on multi-platform images\n * tests: add unpack to scratch export test\n * overlay: set whiteout timestamps to 1970-01-01 (not to SOURCE_DATE_EPOCH)\n * dockerfile: graduate `ADD --checksum=` from labs\n * dockerfile: graduate `ADD ` from labs\n * dockerfile: mod-outdated target to check modules updates\n * dockerfile: use xx in dnsname stage\n * dockerfile: install musl-dev to fix compilation issue\n * dockerfile: update Alpine to 3.18\n * vendor: update fsutil to 36ef4d8\n * export(local): split opt\n * buildctl: Provide --wait option\n * containerimage: support SOURCE_DATE_EPOCH for CreatedAt\n * move flightcontrol to use generics\n * containerimage: keep layer labels for exported images\n * shell: start shell from cmd, not entrypoint\n * sbom: propogate image-resolve-mode for generator image\n * client: add extra debug to tests\n * handle missing provenance for non-evaluated result\n * tests: add provenance test for duplicate platform\n * tests: add provenance test for when context directory does not exist\n * forward: make BridgeClient public for lint\n * gateway: enable named contexts for gateway frontend\n * vendor: update vt100 with resize panic fix\n * docs: dockerfile: remove \"known issues\" related to AuFS\n * docs: add running instruction to CONTRIBUTING.md\n * tests: add worker close method to interface\n * add and check for gateway.exec.secretenv cap\n * move Secretenv from Meta to InitMessage\n * support passing SecretEnv to gateway containers\n * Add comment, update from review\n * Fix issue with digest merge (inconsistent graph state)\n * docs: add helper commands section to CONTRIBUTING.md\n * docs: update CONTRIBUTING.md whitespace formatting\n * integration: fix not deleting dockerd workdir\n * remove uses of deprecated ResolverOptions.Client\n * filesync: fix handling non-ascii in file paths\n * tests: add test for unicode filenames\n * Adding more docs to client/llb\n * Add special case for rw bind mounts\n * vendor: github.com/docker/cli v24.0.2\n * vendor: github.com/docker/docker v24.0.2\n * progressui: fix index printing on partial rows\n * gateway: wrap ExecProcessServer Send calls with a mutex\n * resources: make maxsamples configurable\n * llbsolver: add systemusage samples to provenance attestation\n * resources: store sys cpu usage per step\n * resources: add sampler for periodic stat reads\n * resources: CNI network usage sampling support\n * resources: add build step resource tracking via cgroups\n * solver: lock before using actives\n * Emulate \"bind\" mounts using the bind filter\n * Fix mount layers on host\n * llbsolver: set temporary lease in Commit context\n * Update containerd dependency\n * exporter: Add exptypes with Common exporter keys\n * exporter/image/exptypes: Make strongly typed\n * solver: move AddBuildConfig into llbsolver package\n * tests: add test to check url format for image loaded from oci layout\n * solver: mark locally loaded images as such\n * solver: merge local and remote images into single list\n * purl: allow RefToPURL to take a type parameter\n * tests: don't use purl code to test itself\n * Use linux as a default for inputOS\n * Add path handling functions\n * response to comments\n * containerimage: Export option keys\n * vendor: update spdx/tools-golang to v0.5.1\n * exporter: remove non dist options from tar exporter\n * exporter: move fs opt parsing to method\n * tests: fixup attestation tar to not panic when file not found\n * git: set umask without reexec\n * add language property for sourcemap\n * dockerfile/docs: add set -ex to heredoc #3870\n * authprovider: fix a bug where registry-1.docker.io auth was always a cache miss\n * response to comments\n * tracing: fix buildx tracing delegation\n * Update continuity and fsutil\n * cache: add a few more fields to ref trace logs.\n * vendor: github.com/containerd/go-runc v1.1.0\n * provenance: fix possible empty digest access\n * vendor: fix broken vendoring\n * dockerfile: bump up nerdctl to v1.4.0\n * bump nydus-snapshotter dependence to v0.8.2\n * vendor: github.com/docker/cli v24.0.1\n * vendor: github.com/docker/docker v24.0.1\n * vendor: github.com/containerd/containerd v1.7.1\n * vendor: github.com/Microsoft/hcsshim v0.10.0-rc.8\n * vendor: github.com/Microsoft/go-winio v0.6.1\n * vendor: golang.org/x/sys v0.7.0\n * vendor: github.com/containerd/typeurl/v2 v2.1.1\n * chore: bump spdx tools\n * Fix typo in attestation-storage.md\n * vendor: github.com/docker/cli v24.0.0\n * vendor: github.com/docker/docker v24.0.0\n * vendor: github.com/opencontainers/runc v1.1.7\n * vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2\n * vendor: github.com/klauspost/compress v1.16.3\n * Dockerfile: CONTAINERD_VERSION=v1.7.1\n * Dockerfile: CONTAINERD_ALT_VERSION_16=v1.6.21\n * Dockerfile: RUNC_VERSION=v1.1.7\n * session: avoid logging healthcheck error on canceled connection\n * session: fix run and close synchronization\n * testutil: update ReadImages to fallback to reading manifest\n * Add trace logs for cache leaks.\n * Add some doc strings for LLB functions\n * attestations: move containerd media type warnings\n * update generated proto files\n * attestations: replace intoto media type with vendored const\n * nydus: bump nydus versions in Dockerfile and doc\n * feedback changes for moby/buildkit #2251\n * testutil: expose underlying docker address for supported workers\n * testutil: expose integration workers as public\n * remove type aliases for leasemanager/contentstore\n * llbsolver: move history blobs to a separate namespace\n * build(deps): bump github.com/docker/distribution\n * added import/export support for OCI compatible image manifest version of cache manifest (opt-in on export, inferred on import) moby/buildkit #2251\n * llb: carry platform from inputs for merge/diff\n * llb: don't include platform in fileop\n * control: fix possible deadlock on network error\n * exporter/containerimage: remove redundant type for var declaration\n * Fix not to set the value on empty vertex\n * Fix to import as digest\n * cache: always release ref when getting size in usage.\n * Drop unneeded variable\n * ssh: add fallback to ensure conn is closed in all cases.\n * vendor: github.com/opencontainers/image-spec v1.1.0-rc3\n * vendor: github.com/docker/cli v23.0.5\n * vendor: github.com/docker/docker v23.0.5\n * nydus: update nydus-snapshotter dependency to v0.8.0\n * progressui: fix possible zero prefix numbers in logs\n * llbsolver: send active event only to current client\n * llbsolver: send delete status event\n * llbsolver: filter out records marked deleted from list responses\n * Add Windows service support\n * docs: fixup build repro doc with updated policy format\n * test: use appropriate snapshotter service to walk snapshots\n * overlay: use function to check for overlay-based mounts\n * Update uses of Image platform fields in OCI image-spec\n * allow setting user agent products\n * Bump up golangci-lint to v1.52.2\n * chore: tidy up duplicated imports\n * solver: Release unused refs in LoadWithParents\n * Avoid panic on parallel walking on DefinitionOp\n * solver: skip sbom post processor if result is nil\n * vendor: github.com/docker/docker v23.0.4\n * vendor: github.com/docker/cli v23.0.4\n * vendor: golang.org/x/time v0.3.0\n * vendor: github.com/docker/cli v23.0.2\n * vendor: github.com/docker/docker v23.0.2\n * test: don't hang if a process doesn't run\n * ci: put worker name first for better UX in actions\n * go.mod: remove github.com/kr/pretty\n * Revert \"Problem: can't use anonymous S3 credentials\"\n * go.mod: bump up runc to v1.1.6\n * go.mod: Bump up stargz-snapshotter to v0.14.3\n * dockerfile: bump up stargz-snapshotter to v0.14.3\n * dockerfile: bump up runc to v1.1.6\n * buildkitd: add grpc reflection\n * Bump up nerdctl to 1.3.0\n * Bump up containerd 1.6.20\n * Fix gzip decoding of HTTP sources.\n * ci: update runner os to ubuntu 22.04\n * Fix bearer token expiration check (fixes #3779)\n * docs: update buildkitd.toml with new field info\n * buildkitd: allow durations for gc config\n * buildkitd: allow multiple units for gc config\n * dockerui: expose context detection functions as public\n * Prevent overflow of runc exit code.\n * Upgrade to latest go-runc.\n * runc worker: fix sigkill handling\n * Dockerfile: RUNC_VERSION=v1.1.5\n * client: add client opts to enable system certificates\n * Make ClientOpts type safe\n * build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5\n * fileop: create new fileOpSolver instance per Exec call\n * Provide CacheManager to Controller instead of CacheKeyManager.\n * http: ensure HEAD and GET requests have same headers\n * docs: add auto-generated sections to buildctl.md\n * client: allow grpc dial option passthrough\n * cni: simplify netns creation\n * add Bass to list of LLB languages\n * llbsolver: fix sorting of history records\n * llbsolver: Fix performance of recomputeDigests\n * solve: use comparables instead of reflection in result struct\n * vendor: github.com/docker/cli v23.0.1\n * vendor: github.com/docker/docker v23.0.1\n * client: create oci-layout file in StoreIndex\n * ci: output annotations for failures\n * test: set mod vendor\n * test: use gotestsum to generate reports\n * fix gateway exec tty cleanup on context.Canceled\n * fix process termination handling for runc exec\n * Register builds before recording build history\n * docs(dockerfile): minimal Dockerfile version support for chmod\n * Update builder.md to document newly supported --chmod features in both ADD and COPY statements.\n * use bklog.G(ctx) instead of logrus directly\n * integration: missing mergeDiff compat check\n * chore: `translateLegacySolveRequest` does not need to return error checking.\n * integration: split feature compat check for subtests\n * integration: missing feature compat check for cache\n * dockerfile: fix reproducible digest test for non-amd64\n * integration: add FeatureMergeDiff compat\n * integration: add FeatureCacheBackend* compat\n * integration: enforce features compat through env vars\n * ci: upstream docs conformance validation\n * dockerfile(docs): fix liquid syntax\n * Problem: can't use anonymous S3 credentials\n * hack: remove build_ci_first_pass script\n * hack: binaries and cross bake targets\n * go.mod: update to go 1.20\n * Dockerfile: CONTAINERD_VERSION=v1.7.0\n * go.mod: github.com/containerd/containerd v1.7.0\n * Add Namespace to list of buildkit users.\n * remove buildinfo\n * buildinfo: add BUILDKIT_BUILDINFO build arg\n * buildinfo: mark as deprecated\n * docs: deprecated features page\n * rootless: guide for Bottlerocket OS (`sysctl -w user.max_user_namespaces=N`)\n * rootless: fix up unprivileged mount opts\n * Dockerfile: CONTAINERD_VERSION=v1.7.0-rc.3, CONTAINERD_ALT_VERSION_16=v1.6.19\n * go.mod: github.com/containerd/containerd v1.7.0-rc.3\n * version: add \"v\" prefix to version for tagging convention consistency\n * remove context name validation from kubepod connhelper\n * gateway: add hostname option to NewContainer API\n * fix error message typo\n * provenance: ensure URLs are redacted before written\n * test/client: Close buildkit client\n * docs: missing security policy markdown file\n * diffapply: do chown before xattrs\n * Add test for merge of files with capabilities.\n * fix a possible panic on cache\n * Update cmd/buildkitd/main_windows.go\n * ci(validate): use bake\n * hack: shfmt bake target\n * hack: generated-files bake target\n * hack: doctoc bake target\n * hack: lint bake target\n * hack: authors Dockerfile and bake target\n * hack: bake definition with vendor targets\n * Fix buildkitd panic when frontend input is nil.\n * ci: trigger workflows on push to release branches\n * build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0\n * ci: create GitHub Release for frontend as well\n * ci: make release depends on image job\n * lint: fix issues with go 1.20\n * remove deprecated golangci-lint linters\n * update golangci-lint to v1.51.1\n * update to go 1.20\n * Allow DefinitionOp to track sources\n * specify a `ResponseHeaderTimeout` value\n * Ensures that the primary GID is also included in the additional GIDs\n * ci: fix missing TESTFLAGS env var in test-os workflow\n * Dockerfile: update containerd to v1.7.0-beta.4, v1.6.18\n * go.mod: github.com/containerd/containerd v1.7.0-beta.4\n * ci: update softprops/action-gh-release to v0.1.15\n * ci: remove unused vars in dockerd workflow\n * ci: split cross job\n * Dockerfile: remove binaries-linux-helper stage\n * ci: rename unclear env vars\n * readme: fix and update badges\n * ci: rename build workflow to buildkit\n * ci: reusable test workflow\n * ci: move test-os to a dedicated workflow\n * ci: move frontend integration tests and build to a dedicated workflow\n * stargz-snapshotter: graduate from experimental\n * Bump up stargz-snapshotter to v0.14.1\n * set osversion in index descriptor from base image\n * progress: solve status description\n * ci: update buildx to latest\n * Dockerfile: update xx to 1.2.1\n * integration: make sure registry directory exists\n * gha: avoid range requests with too big offset\n * ci: merge test-nydus job in test one\n * ci: remove branch restriction on pull request event\n * client: add tests for layerID in comment field\n * exporter: fix sbom supplement core detection\n * exporter: fix supplement sboms on empty scratch layer\n * exporter: fix file layer finder whiteout detection\n * exporter: canonicalize sbom file paths during search\n * Add platform tracing socket paths and mounts\n * integration: log dockerd cmd\n * integration: set custom flags for dockerd worker\n * remotecache: proper exporter naming for gha, s3 and azblob\n * remotecache: explicit names for registry and local\n * exporter: use compression.ParseAttributes func\n * remotecache: mutualize compression parsing attrs\n * lex: add support for optional colon in variable expansion\n * test: rework TestProcessWithMatches to use a matrix\n * dockerfile: update to use dockerui pkg\n * dockerui: separate docker frontend params to reusable package\n * cache: add fallback for snapshotID\n * exporter: remove wrappers for oci data types\n * vendor: github.com/docker/cli v23.0.0\n * vendor: github.com/docker/docker v23.0.0\n * hack: do not cache some stages on release\n * hack: do not set attest flags when exporting to docker\n * git: override the locale to ensure consistent output\n * fix support for empty git ref with subdir\n * gitutil: use subtests\n * source: more tests cases for git identifier\n * source: use subtests cases for git identifier\n * otel: bump dependencies to v1.11.2/v0.37.0\n * hack: treat unset variables as an error\n * frontend: fix typo in release script\n * ci: create matrix for building frontend image\n * inline cache: fix blob indexes by uncompressed digest\n * Skip configuring cache exporter if it is nil.\n * docs: update syntax for labs channel in examples\n * integration: remove wrong compat condition\n * integration: fix compat check for CNI DNS test\n * cache: don’t link blobonly based on chainid\n * do not mount secrets that are optional and missing from solve opts\n * SOURCE_DATE_EPOCH: drop timezone\n * sbom: create tmp directory for scanner image\n * progress: keep color enabled with NO_COLOR empty\n * hack: remove azblob_test\n * integration: basic azblob cache test\n * test: add proxy build args when existed\n * vendor: github.com/docker/cli v23.0.0-rc.3\n * vendor: github.com/docker/docker v23.0.0-rc.3\n * vendor: golang.org/x/net v0.5.0\n * vendor: golang.org/x/text v0.6.0\n * vendor: golang.org/x/sys v0.4.0\n * Dockerfile: CNI plugins v1.2.0\n * Dockerfile: CONTAINERD_VERSION=v1.7.0-beta.3, CONTAINERD_ALT_VERSION_16=v1.6.16\n * Fix tracing listener on Windows\n * go.mod: github.com/containerd/containerd v1.7.0-beta.3\n * control: send current timestamp header with event streams\n * vendor: update containerd to v1.6.16-0.1709cfe273d9\n * buildctl: add ref-file to get history record for a build\n * client: make sure ref is configurable for the history API\n * history: save completed steps with cache stats\n * history: fix exporter key not being passed\n * history: fix logs and traces are saving on canceled builds\n * hack: add correct entrypoint to shell script\n * ci: use moby/buildkit:latest in build action\n * dockerfile: add testReproSourceDateEpoch\n * Fix cache cannot reuse lazy layers\n * Correct manifests_prefix documentation for S3 cache\n * Use golang.org/x/sys/windows instead of syscall\n * dockerfile: release frontend for i386 platform\n * Add get-user-info utility\n * optimize --dry-run flag\n * fix(tracing): spelling of OTEL_TRACES_EXPORTER value\n * Propagate sshforward send side connection close\n * buildctl: add `buildctl debug histories, buildctl prune-histories`\n * dockerfile: fix panic on warnings with multi-platform\n * vendor: github.com/docker/cli v23.0.0-rc.2\n * vendor: github.com/docker/docker v23.0.0-rc.2\n * vendor: github.com/containerd/containerd v1.6.15\n * cache: add registry.insecure option to registry exporter\n * Make local cache non-lazy\n * docs/build-repro.md: add the SOURCE_DATE_EPOCH section\n * docs: clarified build argument example by changing the variable name\n * azblob cache: account_name attribute\n * docs: master -> 0.11\n * ci: fix dockerd workflow with latest changes from moby\n * integration: set mirrors and entitlements with dockerd worker\n * github: update CI to buildkit version\n * exporter: ensure spdx order prioritizes primary sbom\n * hack: remove s3_test\n * integration: basic s3 cache test\n * integration: add runCmd and randomString utils\n * integration: expose backend logs in sandbox interface\n * azblob_test: pin busybox to avoid \"Illegal instruction\" error\n * docs: add nerdctl container buildkitd address docs\n * feat: add namespace support for nerdctl container\n * ci: add ci to check README toc\n * testutil: pin busybox and alpine used in releases\n * exporter: allow configuring inline attestations for image exporters\n * exporter: force enabling inline attestations for image export\n * docs: change semicolons to double ampersands\n * llbsolver: fix panic when requesting provenance on nil result\n * vendor: update fsutil to fb43384\n * attestation: only supplement file data for the core scan\n * docs: add index page for attestations\n * docs: move attestation docs to dedicated directory\n * docs: rename slsa.md to slsa-provenance.md\n * docs: tidy up json examples for slsa definitions\n * docs: add cross-linking between slsa pages\n * Flakiness in azblob test job\n * vendor: update spdx/tools-golang to d6f58551be3f\n * feat: add nerdctl-container support for client\n * docs: slsa review updates\n * docs: moved slsa definitions to a separate page\n * docs: slsa editorial fixes\n * docs: add filename to provenance attestation\n * docs: update hermetic field after it was moved in implementation\n * docs: update provenance docs\n * docs: add slsa provenance documentation\n * progress: fix clean context cancelling\n * fix: updated_at -> updated-at\n * Solve panic due to concurrent access to ExportSpans\n * feat: allow ignoring remote cache-export error if failing\n * add cache stats to the build history API\n * vendor: github.com/docker/cli v23.0.0-rc.1\n * vendor: github.com/docker/docker v23.0.0-rc.1\n * vendor: github.com/containerd/containerd v1.6.14\n * frontend: fix testMultiStageImplicitFrom to account for busybox changes\n * sshforward: skip conn close on stream CloseSend.\n * chore: update buildkitd.toml docs with mirror path example\n * feat: handle mirror url with path\n * provenance: fix the order of the build steps\n * provenance: move hermetic field into a correct struct\n * add possibility to override filename for provenance\n * Fix typo in CapExecMountBindReadWriteNoOutput.\n * Use SkipOutput instead of -1 for output indexes to clarify semantics.\n * fix indentation for in-toto and traces\n * attestation: forbid provenance attestations from frontend\n * attestation: validate attestations before unbundling as well\n * exporter: make attestation validation public\n * result: change reason types to strings\n * attestations: ignore spdx parse errors\n * attestations: propogate metadata through unbundling\n * gateway: add addition check to prevent content func from being forwarded\n * ociindex: add utility method for getting a single manifest from the index\n * ociindex: refactor to hide implementation internally\n * cache: test gha cache exporter\n * containerdexecutor: add network namespace callback\n * frontend/dockerfile: BFlags.Parse(): use strings.Cut()\n * frontend/dockerfile: parseExtraHosts(): use strings.Cut()\n * frontend/dockerfile: parseMount() use strings.Cut(), and some minor cleanup\n * frontend/dockerfile: move check for cache-sharing\n * frontend/dockerfile: provide suggestions for mount share mode\n * frontend/dockerfile: define types for enums\n * frontend/dockerfile/shell: use strings.Equalfold\n * frontend/dockerfile/parser: remove redundant concat\n * frontend/dockerfile: parseBuildStageName(): pre-compile regex\n * frontend/dockerfile: remove isSSHMountsSupported, isSecretMountsSupported\n * docs: Enable rootless for stargz-snapshotter\n * executor/oci: GetResolvConf(): simplify handling of resolv.conf\n","id":"SUSE-SU-2025:20107-1","modified":"2025-02-03T09:18:59Z","published":"2025-02-03T09:18:59Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520107-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219267"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219268"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219438"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-23651"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-23652"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-23653"}],"related":["CVE-2024-23651","CVE-2024-23652","CVE-2024-23653"],"summary":"Security update for buildkit","upstream":["CVE-2024-23651","CVE-2024-23652","CVE-2024-23653"]}