SUSE-SU-2025:20107-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520107-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20107-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:20107-1
Upstream
Related
Published
2025-02-03T09:18:59Z
Modified
2026-03-23T04:48:10.800357Z
Summary
Security update for buildkit
Details

This update for buildkit fixes the following issues:

  • Update to version 0.12.5:

    • update runc to v1.1.12
    • exec: add extra validation for submount sources (fixes CVE-2024-23651, bsc#1219267)
    • oci: fix error handling on submount calls
    • executor: recheck mount stub path within root after container run (fixes CVE-2024-23652, bsc#1219268)
    • llbsolver: make sure interactive container API validates entitlements (fixes CVE-2024-23653, bsc#1219438)
    • gateway: pass executor with build and not access worker directly
    • pb: add extra validation to protobuf types
    • sourcepolicy: add validations for nil values
    • exporter: add validation for platforms key value
    • exporter: add validation for invalid platform
    • exporter: validate null config metadata from gateway
    • ci: disable push if not upstream repo
    • hack: use git context only for upstream repo
    • hack/test: allow ALPINE_VERSION to be set from env
    • hack: align syntax
    • vendor: github.com/cyphar/filepath-securejoin v0.2.4
    • tracing: allow the Resource to be set externally
  • Update to version 0.12.4:

    • Fix possible concurrent map access on remote cache export
    • Fix hang on debug server listener
    • Fix possible deadlock in History API under high number of parallel builds
    • Fix possible panic on handling deleted records in History API
    • Fix possible data corruption in zstd library
  • Update to version 0.12.3:

    • Fix possible duplicate source files in provenance attestation for chained builds
    • Fix possible negative step time in progressbar for step shared with other build request
    • Fix properly closing history and cache DB on shutdown to avoid corruption
    • Fix incorrect error handling for invalid HTTP source URLs
    • Fix fallback cases for ambiguous insecure configuration provided for registry used as push target.
    • Fix possible data race with parallel image config resolves
    • Fix regression in v0.12 for clients waiting on buildkitd to become available
    • Fix Cgroup NS handling for hosts supporting only CgroupV1
  • Update to version 0.12.2:

    • Fix possible discarded network error when exporting result to client
    • Avoid unnecessary memory allocations when writing build progress
  • Update to version 0.12.1:

    • executor: fix resource sampler goroutine leak
    • [v0.11] make tracing socket forward error non-fatal
    • integration: missing env var to check feature compat
    • test: update pinned busybox image to 1.36
    • test: update pinned alpine image to 3.18
    • vendor: github.com/docker/docker 8e51b8b59cb8 (master, v25.0.0-dev)
    • executor/resource: stub out NewSysSampler on Windows
    • vendor: github.com/docker/cli v24.0.4
    • testutil: move CheckContainerdVersion to a separate package
    • llbsolver: fix policy rule ordering
    • filesync: fix backward compatibility with encoding + and %
    • hack: allow to set GO_VERSION during tests
    • test: always disable tls for dockerd worker
    • buildctl: set max backoff delay to 1 second
    • contenthash: data race
    • filesync: escape special query characters
    • applier: add hack to support docker zstd layers
    • Fix various nits
    • pullprogress data race
    • use sampler lock instead
    • Fix ResolveImageConfig to evaluate source policy
    • sampler data race fix
    • update cgroup parent test to work with cgroupns
    • Revert "specify a ResponseHeaderTimeout value"
    • oci: make sure cgroupns is enabled if supported
    • bash lint fix
    • rename BUILDFLAGS to GOBUILDFLAGS
    • allow ENOTSUP for PSI cgroup files
    • containerimage: use platform matcher to detect platform to unpack
    • exporter: silently skip unpacking unknown reference
    • improve error handling in ReadFile
    • dockerfile: arg for controlling go build flags
    • dockerfile: arg to enable go race detection
    • Add support for health start interval
    • Re-vendor moby/moby
    • filesync: mark if options have been encoded to detect old versions
    • dockerfile: heredoc should use 0644 permissions
    • docs: update README to reference OpenTelemetry instead of OpenTracing
    • gateway: restore original filename in ReadFile error message
    • Dockerfile: update containerd to v1.7.2
    • Use system.ToSlash() instead of filepath.ToSlash()
    • Revert most changes to client/llb
    • Remove Architecture
    • Default to linux in client
    • Ensure we use proper path separators
    • Set default platform
    • Add nil pointer check in dispatchWorkdir
    • Remove nil pointer check and extra NormalizePath
    • Rename variable, remove superfluous check
    • Use current OS as a default
    • Handle file paths based on target platform
    • exporter: unlazy references in parallel
    • exporter: simplify unlazy references to reduce duplication
    • exporter: allow unpack on multi-platform images
    • tests: add unpack to scratch export test
    • overlay: set whiteout timestamps to 1970-01-01 (not to SOURCE_DATE_EPOCH)
    • dockerfile: graduate ADD --checksum=<checksum> from labs
    • dockerfile: graduate ADD <git ref> from labs
    • dockerfile: mod-outdated target to check modules updates
    • dockerfile: use xx in dnsname stage
    • dockerfile: install musl-dev to fix compilation issue
    • dockerfile: update Alpine to 3.18
    • vendor: update fsutil to 36ef4d8
    • export(local): split opt
    • buildctl: Provide --wait option
    • containerimage: support SOURCE_DATE_EPOCH for CreatedAt
    • move flightcontrol to use generics
    • containerimage: keep layer labels for exported images
    • shell: start shell from cmd, not entrypoint
    • sbom: propagate image-resolve-mode for generator image
    • client: add extra debug to tests
    • handle missing provenance for non-evaluated result
    • tests: add provenance test for duplicate platform
    • tests: add provenance test for when context directory does not exist
    • forward: make BridgeClient public for lint
    • gateway: enable named contexts for gateway frontend
    • vendor: update vt100 with resize panic fix
    • docs: dockerfile: remove "known issues" related to AuFS
    • docs: add running instruction to CONTRIBUTING.md
    • tests: add worker close method to interface
    • add and check for gateway.exec.secretenv cap
    • move Secretenv from Meta to InitMessage
    • support passing SecretEnv to gateway containers
    • Add comment, update from review
    • Fix issue with digest merge (inconsistent graph state)
    • docs: add helper commands section to CONTRIBUTING.md
    • docs: update CONTRIBUTING.md whitespace formatting
    • integration: fix not deleting dockerd workdir
    • remove uses of deprecated ResolverOptions.Client
    • filesync: fix handling non-ascii in file paths
    • tests: add test for unicode filenames
    • Adding more docs to client/llb
    • Add special case for rw bind mounts
    • vendor: github.com/docker/cli v24.0.2
    • vendor: github.com/docker/docker v24.0.2
    • progressui: fix index printing on partial rows
    • gateway: wrap ExecProcessServer Send calls with a mutex
    • resources: make maxsamples configurable
    • llbsolver: add systemusage samples to provenance attestation
    • resources: store sys cpu usage per step
    • resources: add sampler for periodic stat reads
    • resources: CNI network usage sampling support
    • resources: add build step resource tracking via cgroups
    • solver: lock before using actives
    • Emulate "bind" mounts using the bind filter
    • Fix mount layers on host
    • llbsolver: set temporary lease in Commit context
    • Update containerd dependency
    • exporter: Add exptypes with Common exporter keys
    • exporter/image/exptypes: Make strongly typed
    • solver: move AddBuildConfig into llbsolver package
    • tests: add test to check url format for image loaded from oci layout
    • solver: mark locally loaded images as such
    • solver: merge local and remote images into single list
    • purl: allow RefToPURL to take a type parameter
    • tests: don't use purl code to test itself
    • Use linux as a default for inputOS
    • Add path handling functions
    • response to comments
    • containerimage: Export option keys
    • vendor: update spdx/tools-golang to v0.5.1
    • exporter: remove non dist options from tar exporter
    • exporter: move fs opt parsing to method
    • tests: fixup attestation tar to not panic when file not found
    • git: set umask without reexec
    • add language property for sourcemap
    • dockerfile/docs: add set -ex to heredoc #3870
    • authprovider: fix a bug where registry-1.docker.io auth was always a cache miss
    • response to comments
    • tracing: fix buildx tracing delegation
    • Update continuity and fsutil
    • cache: add a few more fields to ref trace logs.
    • vendor: github.com/containerd/go-runc v1.1.0
    • provenance: fix possible empty digest access
    • vendor: fix broken vendoring
    • dockerfile: bump up nerdctl to v1.4.0
    • bump nydus-snapshotter dependence to v0.8.2
    • vendor: github.com/docker/cli v24.0.1
    • vendor: github.com/docker/docker v24.0.1
    • vendor: github.com/containerd/containerd v1.7.1
    • vendor: github.com/Microsoft/hcsshim v0.10.0-rc.8
    • vendor: github.com/Microsoft/go-winio v0.6.1
    • vendor: golang.org/x/sys v0.7.0
    • vendor: github.com/containerd/typeurl/v2 v2.1.1
    • chore: bump spdx tools
    • Fix typo in attestation-storage.md
    • vendor: github.com/docker/cli v24.0.0
    • vendor: github.com/docker/docker v24.0.0
    • vendor: github.com/opencontainers/runc v1.1.7
    • vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
    • vendor: github.com/klauspost/compress v1.16.3
    • Dockerfile: CONTAINERD_VERSION=v1.7.1
    • Dockerfile: CONTAINERD_ALT_VERSION_16=v1.6.21
    • Dockerfile: RUNC_VERSION=v1.1.7
    • session: avoid logging healthcheck error on canceled connection
    • session: fix run and close synchronization
    • testutil: update ReadImages to fallback to reading manifest
    • Add trace logs for cache leaks.
    • Add some doc strings for LLB functions
    • attestations: move containerd media type warnings
    • update generated proto files
    • attestations: replace intoto media type with vendored const
    • nydus: bump nydus versions in Dockerfile and doc
    • feedback changes for moby/buildkit #2251
    • testutil: expose underlying docker address for supported workers
    • testutil: expose integration workers as public
    • remove type aliases for leasemanager/contentstore
    • llbsolver: move history blobs to a separate namespace
    • build(deps): bump github.com/docker/distribution
    • added import/export support for OCI compatible image manifest version of cache manifest (opt-in on export, inferred on import) moby/buildkit #2251
    • llb: carry platform from inputs for merge/diff
    • llb: don't include platform in fileop
    • control: fix possible deadlock on network error
    • exporter/containerimage: remove redundant type for var declaration
    • Fix not to set the value on empty vertex
    • Fix to import as digest
    • cache: always release ref when getting size in usage.
    • Drop unneeded variable
    • ssh: add fallback to ensure conn is closed in all cases.
    • vendor: github.com/opencontainers/image-spec v1.1.0-rc3
    • vendor: github.com/docker/cli v23.0.5
    • vendor: github.com/docker/docker v23.0.5
    • nydus: update nydus-snapshotter dependency to v0.8.0
    • progressui: fix possible zero prefix numbers in logs
    • llbsolver: send active event only to current client
    • llbsolver: send delete status event
    • llbsolver: filter out records marked deleted from list responses
    • Add Windows service support
    • docs: fixup build repro doc with updated policy format
    • test: use appropriate snapshotter service to walk snapshots
    • overlay: use function to check for overlay-based mounts
    • Update uses of Image platform fields in OCI image-spec
    • allow setting user agent products
    • Bump up golangci-lint to v1.52.2
    • chore: tidy up duplicated imports
    • solver: Release unused refs in LoadWithParents
    • Avoid panic on parallel walking on DefinitionOp
    • solver: skip sbom post processor if result is nil
    • vendor: github.com/docker/docker v23.0.4
    • vendor: github.com/docker/cli v23.0.4
    • vendor: golang.org/x/time v0.3.0
    • vendor: github.com/docker/cli v23.0.2
    • vendor: github.com/docker/docker v23.0.2
    • test: don't hang if a process doesn't run
    • ci: put worker name first for better UX in actions
    • go.mod: remove github.com/kr/pretty
    • Revert "Problem: can't use anonymous S3 credentials"
    • go.mod: bump up runc to v1.1.6
    • go.mod: Bump up stargz-snapshotter to v0.14.3
    • dockerfile: bump up stargz-snapshotter to v0.14.3
    • dockerfile: bump up runc to v1.1.6
    • buildkitd: add grpc reflection
    • Bump up nerdctl to 1.3.0
    • Bump up containerd 1.6.20
    • Fix gzip decoding of HTTP sources.
    • ci: update runner os to ubuntu 22.04
    • Fix bearer token expiration check (fixes #3779)
    • docs: update buildkitd.toml with new field info
    • buildkitd: allow durations for gc config
    • buildkitd: allow multiple units for gc config
    • dockerui: expose context detection functions as public
    • Prevent overflow of runc exit code.
    • Upgrade to latest go-runc.
    • runc worker: fix sigkill handling
    • Dockerfile: RUNC_VERSION=v1.1.5
    • client: add client opts to enable system certificates
    • Make ClientOpts type safe
    • build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5
    • fileop: create new fileOpSolver instance per Exec call
    • Provide CacheManager to Controller instead of CacheKeyManager.
    • http: ensure HEAD and GET requests have same headers
    • docs: add auto-generated sections to buildctl.md
    • client: allow grpc dial option passthrough
    • cni: simplify netns creation
    • add Bass to list of LLB languages
    • llbsolver: fix sorting of history records
    • llbsolver: Fix performance of recomputeDigests
    • solve: use comparables instead of reflection in result struct
    • vendor: github.com/docker/cli v23.0.1
    • vendor: github.com/docker/docker v23.0.1
    • client: create oci-layout file in StoreIndex
    • ci: output annotations for failures
    • test: set mod vendor
    • test: use gotestsum to generate reports
    • fix gateway exec tty cleanup on context.Canceled
    • fix process termination handling for runc exec
    • Register builds before recording build history
    • docs(dockerfile): minimal Dockerfile version support for chmod
    • Update builder.md to document newly supported --chmod features in both ADD and COPY statements.
    • use bklog.G(ctx) instead of logrus directly
    • integration: missing mergeDiff compat check
    • chore: translateLegacySolveRequest does not need to return error checking.
    • integration: split feature compat check for subtests
    • integration: missing feature compat check for cache
    • dockerfile: fix reproducible digest test for non-amd64
    • integration: add FeatureMergeDiff compat
    • integration: add FeatureCacheBackend* compat
    • integration: enforce features compat through env vars
    • ci: upstream docs conformance validation
    • dockerfile(docs): fix liquid syntax
    • Problem: can't use anonymous S3 credentials
    • hack: remove build_ci_first_pass script
    • hack: binaries and cross bake targets
    • go.mod: update to go 1.20
    • Dockerfile: CONTAINERD_VERSION=v1.7.0
    • go.mod: github.com/containerd/containerd v1.7.0
    • Add Namespace to list of buildkit users.
    • remove buildinfo
    • buildinfo: add BUILDKIT_BUILDINFO build arg
    • buildinfo: mark as deprecated
    • docs: deprecated features page
    • rootless: guide for Bottlerocket OS (sysctl -w user.max_user_namespaces=N)
    • rootless: fix up unprivileged mount opts
    • Dockerfile: CONTAINERD_VERSION=v1.7.0-rc.3, CONTAINERD_ALT_VERSION_16=v1.6.19
    • go.mod: github.com/containerd/containerd v1.7.0-rc.3
    • version: add "v" prefix to version for tagging convention consistency
    • remove context name validation from kubepod connhelper
    • gateway: add hostname option to NewContainer API
    • fix error message typo
    • provenance: ensure URLs are redacted before written
    • test/client: Close buildkit client
    • docs: missing security policy markdown file
    • diffapply: do chown before xattrs
    • Add test for merge of files with capabilities.
    • fix a possible panic on cache
    • Update cmd/buildkitd/main_windows.go
    • ci(validate): use bake
    • hack: shfmt bake target
    • hack: generated-files bake target
    • hack: doctoc bake target
    • hack: lint bake target
    • hack: authors Dockerfile and bake target
    • hack: bake definition with vendor targets
    • Fix buildkitd panic when frontend input is nil.
    • ci: trigger workflows on push to release branches
    • build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0
    • ci: create GitHub Release for frontend as well
    • ci: make release depends on image job
    • lint: fix issues with go 1.20
    • remove deprecated golangci-lint linters
    • update golangci-lint to v1.51.1
    • update to go 1.20
    • Allow DefinitionOp to track sources
    • specify a ResponseHeaderTimeout value
    • Ensures that the primary GID is also included in the additional GIDs
    • ci: fix missing TESTFLAGS env var in test-os workflow
    • Dockerfile: update containerd to v1.7.0-beta.4, v1.6.18
    • go.mod: github.com/containerd/containerd v1.7.0-beta.4
    • ci: update softprops/action-gh-release to v0.1.15
    • ci: remove unused vars in dockerd workflow
    • ci: split cross job
    • Dockerfile: remove binaries-linux-helper stage
    • ci: rename unclear env vars
    • readme: fix and update badges
    • ci: rename build workflow to buildkit
    • ci: reusable test workflow
    • ci: move test-os to a dedicated workflow
    • ci: move frontend integration tests and build to a dedicated workflow
    • stargz-snapshotter: graduate from experimental
    • Bump up stargz-snapshotter to v0.14.1
    • set osversion in index descriptor from base image
    • progress: solve status description
    • ci: update buildx to latest
    • Dockerfile: update xx to 1.2.1
    • integration: make sure registry directory exists
    • gha: avoid range requests with too big offset
    • ci: merge test-nydus job in test one
    • ci: remove branch restriction on pull request event
    • client: add tests for layerID in comment field
    • exporter: fix sbom supplement core detection
    • exporter: fix supplement sboms on empty scratch layer
    • exporter: fix file layer finder whiteout detection
    • exporter: canonicalize sbom file paths during search
    • Add platform tracing socket paths and mounts
    • integration: log dockerd cmd
    • integration: set custom flags for dockerd worker
    • remotecache: proper exporter naming for gha, s3 and azblob
    • remotecache: explicit names for registry and local
    • exporter: use compression.ParseAttributes func
    • remotecache: mutualize compression parsing attrs
    • lex: add support for optional colon in variable expansion
    • test: rework TestProcessWithMatches to use a matrix
    • dockerfile: update to use dockerui pkg
    • dockerui: separate docker frontend params to reusable package
    • cache: add fallback for snapshotID
    • exporter: remove wrappers for oci data types
    • vendor: github.com/docker/cli v23.0.0
    • vendor: github.com/docker/docker v23.0.0
    • hack: do not cache some stages on release
    • hack: do not set attest flags when exporting to docker
    • git: override the locale to ensure consistent output
    • fix support for empty git ref with subdir
    • gitutil: use subtests
    • source: more tests cases for git identifier
    • source: use subtests cases for git identifier
    • otel: bump dependencies to v1.11.2/v0.37.0
    • hack: treat unset variables as an error
    • frontend: fix typo in release script
    • ci: create matrix for building frontend image
    • inline cache: fix blob indexes by uncompressed digest
    • Skip configuring cache exporter if it is nil.
    • docs: update syntax for labs channel in examples
    • integration: remove wrong compat condition
    • integration: fix compat check for CNI DNS test
    • cache: don’t link blobonly based on chainid
    • do not mount secrets that are optional and missing from solve opts
    • SOURCE_DATE_EPOCH: drop timezone
    • sbom: create tmp directory for scanner image
    • progress: keep color enabled with NO_COLOR empty
    • hack: remove azblob_test
    • integration: basic azblob cache test
    • test: add proxy build args when existed
    • vendor: github.com/docker/cli v23.0.0-rc.3
    • vendor: github.com/docker/docker v23.0.0-rc.3
    • vendor: golang.org/x/net v0.5.0
    • vendor: golang.org/x/text v0.6.0
    • vendor: golang.org/x/sys v0.4.0
    • Dockerfile: CNI plugins v1.2.0
    • Dockerfile: CONTAINERD_VERSION=v1.7.0-beta.3, CONTAINERD_ALT_VERSION_16=v1.6.16
    • Fix tracing listener on Windows
    • go.mod: github.com/containerd/containerd v1.7.0-beta.3
    • control: send current timestamp header with event streams
    • vendor: update containerd to v1.6.16-0.1709cfe273d9
    • buildctl: add ref-file to get history record for a build
    • client: make sure ref is configurable for the history API
    • history: save completed steps with cache stats
    • history: fix exporter key not being passed
    • history: fix logs and traces are saving on canceled builds
    • hack: add correct entrypoint to shell script
    • ci: use moby/buildkit:latest in build action
    • dockerfile: add testReproSourceDateEpoch
    • Fix cache cannot reuse lazy layers
    • Correct manifests_prefix documentation for S3 cache
    • Use golang.org/x/sys/windows instead of syscall
    • dockerfile: release frontend for i386 platform
    • Add get-user-info utility
    • optimize --dry-run flag
    • fix(tracing): spelling of OTEL_TRACES_EXPORTER value
    • Propagate sshforward send side connection close
    • buildctl: add buildctl debug histories, buildctl prune-histories
    • dockerfile: fix panic on warnings with multi-platform
    • vendor: github.com/docker/cli v23.0.0-rc.2
    • vendor: github.com/docker/docker v23.0.0-rc.2
    • vendor: github.com/containerd/containerd v1.6.15
    • cache: add registry.insecure option to registry exporter
    • Make local cache non-lazy
    • docs/build-repro.md: add the SOURCE_DATE_EPOCH section
    • docs: clarified build argument example by changing the variable name
    • azblob cache: account_name attribute
    • docs: master -> 0.11
    • ci: fix dockerd workflow with latest changes from moby
    • integration: set mirrors and entitlements with dockerd worker
    • github: update CI to buildkit version
    • exporter: ensure spdx order prioritizes primary sbom
    • hack: remove s3_test
    • integration: basic s3 cache test
    • integration: add runCmd and randomString utils
    • integration: expose backend logs in sandbox interface
    • azblob_test: pin busybox to avoid "Illegal instruction" error
    • docs: add nerdctl container buildkitd address docs
    • feat: add namespace support for nerdctl container
    • ci: add ci to check README toc
    • testutil: pin busybox and alpine used in releases
    • exporter: allow configuring inline attestations for image exporters
    • exporter: force enabling inline attestations for image export
    • docs: change semicolons to double ampersands
    • llbsolver: fix panic when requesting provenance on nil result
    • vendor: update fsutil to fb43384
    • attestation: only supplement file data for the core scan
    • docs: add index page for attestations
    • docs: move attestation docs to dedicated directory
    • docs: rename slsa.md to slsa-provenance.md
    • docs: tidy up json examples for slsa definitions
    • docs: add cross-linking between slsa pages
    • Flakiness in azblob test job
    • vendor: update spdx/tools-golang to d6f58551be3f
    • feat: add nerdctl-container support for client
    • docs: slsa review updates
    • docs: moved slsa definitions to a separate page
    • docs: slsa editorial fixes
    • docs: add filename to provenance attestation
    • docs: update hermetic field after it was moved in implementation
    • docs: update provenance docs
    • docs: add slsa provenance documentation
    • progress: fix clean context cancelling
    • fix: updated_at -> updated-at
    • Solve panic due to concurrent access to ExportSpans
    • feat: allow ignoring remote cache-export error if failing
    • add cache stats to the build history API
    • vendor: github.com/docker/cli v23.0.0-rc.1
    • vendor: github.com/docker/docker v23.0.0-rc.1
    • vendor: github.com/containerd/containerd v1.6.14
    • frontend: fix testMultiStageImplicitFrom to account for busybox changes
    • sshforward: skip conn close on stream CloseSend.
    • chore: update buildkitd.toml docs with mirror path example
    • feat: handle mirror url with path
    • provenance: fix the order of the build steps
    • provenance: move hermetic field into a correct struct
    • add possibility to override filename for provenance
    • Fix typo in CapExecMountBindReadWriteNoOutput.
    • Use SkipOutput instead of -1 for output indexes to clarify semantics.
    • fix indentation for in-toto and traces
    • attestation: forbid provenance attestations from frontend
    • attestation: validate attestations before unbundling as well
    • exporter: make attestation validation public
    • result: change reason types to strings
    • attestations: ignore spdx parse errors
    • attestations: propagate metadata through unbundling
    • gateway: add additional check to prevent content func from being forwarded
    • ociindex: add utility method for getting a single manifest from the index
    • ociindex: refactor to hide implementation internally
    • cache: test gha cache exporter
    • containerdexecutor: add network namespace callback
    • frontend/dockerfile: BFlags.Parse(): use strings.Cut()
    • frontend/dockerfile: parseExtraHosts(): use strings.Cut()
    • frontend/dockerfile: parseMount() use strings.Cut(), and some minor cleanup
    • frontend/dockerfile: move check for cache-sharing
    • frontend/dockerfile: provide suggestions for mount share mode
    • frontend/dockerfile: define types for enums
    • frontend/dockerfile/shell: use strings.Equalfold
    • frontend/dockerfile/parser: remove redundant concat
    • frontend/dockerfile: parseBuildStageName(): pre-compile regex
    • frontend/dockerfile: remove isSSHMountsSupported, isSecretMountsSupported
    • docs: Enable rootless for stargz-snapshotter
    • executor/oci: GetResolvConf(): simplify handling of resolv.conf
References

Affected packages

SUSE:Linux Micro 6.0 / buildkit

Package

Name
buildkit
Purl
pkg:rpm/suse/buildkit&distro=SUSE%20Linux%20Micro%206.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.12.5-1.1

Ecosystem specific

{
    "binaries": [
        {
            "buildkit": "0.12.5-1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20107-1.json"