docker: update to 28.5.2 for runc security fixes #7

Merged

sbelikov merged 2 commits from update-docker-28.5.2 into niceos-5.2 2026-05-02 14:37:58 +03:00

Conversation 0 Commits 2 Files changed 1 +89 -11

sbelikov commented 2026-05-02 14:00:57 +03:00

Owner

Copy link

Upstream moby/moby v28.5.2 is a security-driven maintenance release.

Highlights:

• fixes CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 in runc;
• updates runc to v1.3.3 and Go runtime to 1.24.9;
• changes rootless behavior so dockerd-rootless.sh tries pasta (passt) when slirp4netns is not installed.

NiceOS assessment:

• risk level: high;
• decision: manual review before merge;
• main compatibility concern is the rootless behavior change and the critical container-escape fix path through runc.

Required validation:

• rebuild in a clean mock/chroot environment;
• run docker daemon and CLI smoke tests;
• test rootless startup and fallback behavior;
• verify package metadata, source tarballs, and file manifests.

References:

• https://github.com/moby/moby/releases/tag/v28.5.2
• https://github.com/moby/moby/compare/v28.3.3...v28.5.2
• https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
• https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
• https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm

Upstream moby/moby v28.5.2 is a security-driven maintenance release. Highlights: - fixes CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 in runc; - updates runc to v1.3.3 and Go runtime to 1.24.9; - changes rootless behavior so dockerd-rootless.sh tries pasta (passt) when slirp4netns is not installed. NiceOS assessment: - risk level: high; - decision: manual review before merge; - main compatibility concern is the rootless behavior change and the critical container-escape fix path through runc. Required validation: - rebuild in a clean mock/chroot environment; - run docker daemon and CLI smoke tests; - test rootless startup and fallback behavior; - verify package metadata, source tarballs, and file manifests. References: - https://github.com/moby/moby/releases/tag/v28.5.2 - https://github.com/moby/moby/compare/v28.3.3...v28.5.2 - https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2 - https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r - https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm

sbelikov added 1 commit 2026-05-02 14:00:57 +03:00

docker: update to 28.5.2 (runc security fixes) 53f985853a

sbelikov added 1 commit 2026-05-02 14:37:34 +03:00

fixes 2a14e75127

sbelikov merged commit 5767c32381 into niceos-5.2 2026-05-02 14:37:58 +03:00

sbelikov referenced this pull request from a commit 2026-05-02 14:37:59 +03:00

Merge pull request 'docker: update to 28.5.2 for runc security fixes' (#7) from update-docker-28.5.2 into niceos-5.2

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

ai-summary

Issue contains local NiceSOFT AI generated preliminary analysis

  

bot

Created by automation

  

needs-build

Needs build verification

  

needs-triage

Needs maintainer triage

  

priority/high

High priority

  

security-release

Release notes mention security fixes or CVE

  

update/major

Major update

  

update/minor

Minor update

  

upstream-update

New upstream version is available

  

upstream/github

GitHub upstream

No labels

ai-summary

bot

needs-build

needs-triage

priority/high

security-release

update/major

update/minor

upstream-update

upstream/github

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

rpms/docker!7

No description provided.