From 292ce79fe52c94d67a83f10d76e8bae038544fea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Wed, 5 Nov 2025 11:41:11 +0100
Subject: [PATCH 1/4] engine: 28.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Paweł Gronowski
---
 content/manuals/engine/release-notes/28.md | 34 ++++++++++++++++++++++
 hugo.yaml | 4 +--
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/content/manuals/engine/release-notes/28.md b/content/manuals/engine/release-notes/28.md
index 00667f4079e..3b33b015a53 100644
--- a/content/manuals/engine/release-notes/28.md
+++ b/content/manuals/engine/release-notes/28.md
@@ -27,6 +27,40 @@ For more information about:
 - Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md).
 - Changes to the Engine API, see [Engine API version history](/reference/api/engine/version-history.md).
+## 28.5.2
+
+{{< release-date date="2025-11-05" >}}
+
+For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
+
+- [docker/cli, 28.5.2 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.5.2)
+- [moby/moby, 28.5.2 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.5.2)
+
+> [!CAUTION]
+> This release contains fixes for three high-severity security vulnerabilities in runc:
+> - [CVE-2025-31133](https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)
+> - [CVE-2025-52565](https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
+> - [CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
+>
+> All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary `/proc` files.
+
+### Bug fixes and enhancements
+
+- dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). [moby/moby#51162](https://github.com/moby/moby/pull/51162)
+
+### Packaging updates
+
+- Update BuildKit to [v0.25.2](https://github.com/moby/buildkit/releases/tag/v0.25.2). [moby/moby#51398](https://github.com/moby/moby/pull/51398)
+- Update Go runtime to [1.24.9](https://go.dev/doc/devel/release#go1.24.9). [moby/moby#51387](https://github.com/moby/moby/pull/51387), [docker/cli#6613](https://github.com/docker/cli/pull/6613)
+- Update runc to [v1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3). [moby/moby#51394](https://github.com/moby/moby/pull/51394)
+
+### Deprecations
+
+- Go-SDK: cli/command/image/build: deprecate `DefaultDockerfileName`, `DetectArchiveReader`, `WriteTempDockerfile`, `ResolveAndValidateContextPath`. These utilities were only used internally and will be removed in the next release. [docker/cli#6610](https://github.com/docker/cli/pull/6610)
+- Go-SDK: cli/command/image/build: deprecate IsArchive utility. [docker/cli#6560](https://github.com/docker/cli/pull/6560)
+- Go-SDK: opts: deprecate `ValidateMACAddress`. [docker/cli#6560](https://github.com/docker/cli/pull/6560)
+- Go-SDK: opts: deprecate ListOpts.Delete(). [docker/cli#6560](https://github.com/docker/cli/pull/6560)
+
 ## 28.5.1
 {{< release-date date="2025-10-08" >}}
diff --git a/hugo.yaml b/hugo.yaml
index 7ec919b599e..65e2f3a3d93 100644
--- a/hugo.yaml
+++ b/hugo.yaml
@@ -135,10 +135,10 @@ params:
 # Latest version of the Docker Engine API
 latest_engine_api_version: "1.51"
 # Latest version of Docker Engine
- docker_ce_version: "28.5.1"
+ docker_ce_version: "28.5.2"
 # Previous version of the Docker Engine
 # (Used to show e.g., "latest" and "latest"-1 in engine install examples
- docker_ce_version_prev: "28.5.0"
+ docker_ce_version_prev: "28.5.1"
 # Latest Docker Compose version
 compose_version: "v2.40.3"
 # Latest BuildKit version
From 426040e86489ba75d9fbd60da769aedf2910e498 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Wed, 5 Nov 2025 16:41:43 +0100
Subject: [PATCH 2/4] engine: Update version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Paweł Gronowski
---
 content/reference/api/engine/_index.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/content/reference/api/engine/_index.md b/content/reference/api/engine/_index.md
index f917ca9d834..e7857679d85 100644
--- a/content/reference/api/engine/_index.md
+++ b/content/reference/api/engine/_index.md
@@ -73,21 +73,21 @@ To see the highest version of the API your Docker daemon and client support, use
 ```console
 $ docker version
 Client: Docker Engine - Community
- Version: 28.5.1
+ Version: 28.5.2
 API version: 1.51
- Go version: go1.24.8
- Git commit: e180ab8
- Built: Wed Oct 8 12:18:19 2025
+ Go version: go1.25.3
+ Git commit: ecc6942
+ Built: Wed Nov 5 14:44:01 2025
 OS/Arch: linux/arm64
 Context: default
 Server: Docker Engine - Community
 Engine:
- Version: 28.5.1
+ Version: 28.5.2
 API version: 1.51 (minimum version 1.24)
- Go version: go1.24.8
- Git commit: f8215cc
- Built: Wed Oct 8 12:18:19 2025
+ Go version: go1.25.3
+ Git commit: 89c5e8f
+ Built: Wed Nov 5 14:44:01 2025
 OS/Arch: linux/arm64
 ...
 ```
From aa3538cf2ab384a8ed47866b18a3e01dbc6e3993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Wed, 5 Nov 2025 16:51:23 +0100
Subject: [PATCH 3/4] vendor: github.com/moby/moby v28.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
full diff: https://github.com/moby/moby/compare/v28.5.1...v28.5.2
Signed-off-by: Paweł Gronowski
---
 _vendor/github.com/moby/moby/docs/api/v1.42.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.43.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.44.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.45.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.46.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.47.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.48.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.49.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.50.yaml | 8 --------
 _vendor/github.com/moby/moby/docs/api/v1.51.yaml | 8 --------
 _vendor/modules.txt | 2 +-
 go.mod | 4 ++--
 go.sum | 2 ++
 13 files changed, 5 insertions(+), 83 deletions(-)
diff --git a/_vendor/github.com/moby/moby/docs/api/v1.42.yaml b/_vendor/github.com/moby/moby/docs/api/v1.42.yaml
index 361dcf7c4a2..c013c3d9f5b 100644
--- a/_vendor/github.com/moby/moby/docs/api/v1.42.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.42.yaml @@ -2619,14 +2619,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.43.yaml b/_vendor/github.com/moby/moby/docs/api/v1.43.yaml index a37f7bd923d..6b8d0ecf0e8 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.43.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.43.yaml @@ -2650,14 +2650,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.44.yaml b/_vendor/github.com/moby/moby/docs/api/v1.44.yaml index 031a43c0eba..cfeda5ee2d4 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.44.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.44.yaml @@ -2661,14 +2661,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.45.yaml b/_vendor/github.com/moby/moby/docs/api/v1.45.yaml index 764a33644fb..e594fd162f9 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.45.yaml 
+++ b/_vendor/github.com/moby/moby/docs/api/v1.45.yaml @@ -2647,14 +2647,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.46.yaml b/_vendor/github.com/moby/moby/docs/api/v1.46.yaml index 8aa45ecb145..8c8fdc148d3 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.46.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.46.yaml @@ -2693,14 +2693,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.47.yaml b/_vendor/github.com/moby/moby/docs/api/v1.47.yaml index 4407ed54bef..480f3132ea8 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.47.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.47.yaml @@ -2711,14 +2711,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.48.yaml b/_vendor/github.com/moby/moby/docs/api/v1.48.yaml index fb0324c05a7..a31b2597659 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.48.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.48.yaml 
@@ -2812,14 +2812,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.49.yaml b/_vendor/github.com/moby/moby/docs/api/v1.49.yaml index 7cbfddca3e3..4643b52cba2 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.49.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.49.yaml @@ -2812,14 +2812,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.50.yaml b/_vendor/github.com/moby/moby/docs/api/v1.50.yaml index b6eebed665a..764b42d61f2 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.50.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.50.yaml @@ -2644,14 +2644,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/github.com/moby/moby/docs/api/v1.51.yaml b/_vendor/github.com/moby/moby/docs/api/v1.51.yaml index 6ca2c2b0863..feb42e808ad 100644 --- a/_vendor/github.com/moby/moby/docs/api/v1.51.yaml +++ b/_vendor/github.com/moby/moby/docs/api/v1.51.yaml 
@@ -2653,14 +2653,6 @@ definitions: description: | Unique ID of the build cache record. example: "ndlpt0hhvkqcdfkputsk4cq9c" - Parent: - description: | - ID of the parent build cache record. - - > **Deprecated**: This field is deprecated, and omitted if empty. - type: "string" - x-nullable: true - example: "" Parents: description: | List of parent build cache record IDs. diff --git a/_vendor/modules.txt b/_vendor/modules.txt index e1bd0a90343..09a29f0856b 100644 --- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/moby/moby v28.5.1+incompatible +# github.com/moby/moby v28.5.2+incompatible # github.com/moby/buildkit v0.25.1 # github.com/docker/buildx v0.29.1 # github.com/docker/cli v28.5.1+incompatible diff --git a/go.mod b/go.mod index 70b0803bb34..f6bc7c482aa 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/docker/model-runner/cmd/cli v0.1.44 // indirect github.com/docker/scout-cli v1.18.4 // indirect github.com/moby/buildkit v0.25.1 // indirect - github.com/moby/moby v28.5.1+incompatible // indirect; see "replace" rule at the bottom for actual version + github.com/moby/moby v28.5.2+incompatible // indirect; see "replace" rule at the bottom for actual version ) replace ( @@ -21,5 +21,5 @@ replace ( github.com/docker/model-runner/cmd/cli => github.com/docker/model-runner/cmd/cli v0.1.44 github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.4 github.com/moby/buildkit => github.com/moby/buildkit v0.25.1 - github.com/moby/moby => github.com/moby/moby v28.5.1+incompatible + github.com/moby/moby => github.com/moby/moby v28.5.2+incompatible ) diff --git a/go.sum b/go.sum index 8d315b087f9..002139574e5 100644 --- a/go.sum +++ b/go.sum 
@@ -14,3 +14,5 @@ github.com/moby/buildkit v0.25.1 h1:j7IlVkeNbEo+ZLoxdudYCHpmTsbwKvhgc/6UJ/mY/o8= github.com/moby/buildkit v0.25.1/go.mod h1:phM8sdqnvgK2y1dPDnbwI6veUCXHOZ6KFSl6E164tkc= github.com/moby/moby v28.5.1+incompatible h1:JD8lBdCDBF2oiHWLqIRofPqI8qvkppRjMJ6EnwrhvX0= github.com/moby/moby v28.5.1+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= +github.com/moby/moby v28.5.2+incompatible h1:hIn6qcenb3JY1E3STwqEbBvJ8bha+u1LpqjX4CBvNCk= +github.com/moby/moby v28.5.2+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc= From 12de368ff4d0bf831beb7f68b6cedf3fe5656b98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Wed, 5 Nov 2025 16:51:41 +0100 Subject: [PATCH 4/4] vendor: github.com/docker/cli v28.5.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit full diff: https://github.com/docker/cli/compare/v28.5.1...v28.5.2 Signed-off-by: Paweł Gronowski --- _vendor/modules.txt | 2 +- go.mod | 4 ++-- go.sum | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/_vendor/modules.txt b/_vendor/modules.txt index 09a29f0856b..217f9105b5c 100644 --- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -1,7 +1,7 @@ # github.com/moby/moby v28.5.2+incompatible # github.com/moby/buildkit v0.25.1 # github.com/docker/buildx v0.29.1 -# github.com/docker/cli v28.5.1+incompatible +# github.com/docker/cli v28.5.2+incompatible # github.com/docker/compose/v2 v2.40.3 # github.com/docker/model-runner/cmd/cli v0.1.44 # github.com/docker/mcp-gateway v0.22.0 diff --git a/go.mod b/go.mod index f6bc7c482aa..25fd5f1fc10 100644 --- a/go.mod +++ b/go.mod 
@@ -4,7 +4,7 @@ go 1.24.9 require ( github.com/docker/buildx v0.29.1 // indirect - github.com/docker/cli v28.5.1+incompatible // indirect; see "replace" rule at the bottom for actual version + github.com/docker/cli v28.5.2+incompatible // indirect; see "replace" rule at the bottom for actual version github.com/docker/compose/v2 v2.40.3 // indirect github.com/docker/mcp-gateway v0.22.0 // indirect github.com/docker/model-runner/cmd/cli v0.1.44 // indirect @@ -15,7 +15,7 @@ require ( replace ( github.com/docker/buildx => github.com/docker/buildx v0.29.1 - github.com/docker/cli => github.com/docker/cli v28.5.1+incompatible + github.com/docker/cli => github.com/docker/cli v28.5.2+incompatible github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.40.3 github.com/docker/mcp-gateway => github.com/docker/mcp-gateway v0.22.0 github.com/docker/model-runner/cmd/cli => github.com/docker/model-runner/cmd/cli v0.1.44 diff --git a/go.sum b/go.sum index 002139574e5..95eaa80ad73 100644 --- a/go.sum +++ b/go.sum @@ -2,6 +2,8 @@ github.com/docker/buildx v0.29.1 h1:58hxM5Z4mnNje3G5NKfULT9xCr8ooM8XFtlfUK9bKaA= github.com/docker/buildx v0.29.1/go.mod h1:J4EFv6oxlPiV1MjO0VyJx2u5tLM7ImDEl9zyB8d4wPI= github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY= github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v28.5.2+incompatible h1:XmG99IHcBmIAoC1PPg9eLBZPlTrNUAijsHLm8PjhBlg= +github.com/docker/cli v28.5.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/compose/v2 v2.40.3 h1:XeYkQu1svDtyfZPv5nTwFryQ25ZJMkIlc4pz9HalMPI= github.com/docker/compose/v2 v2.40.3/go.mod h1:iNY1tvoHTyN3C3QHCuWAgj3OjR2T6mGkk/qxfbBF/4M= github.com/docker/mcp-gateway v0.22.0 h1:l4t+HRNHxR7Jn545KDeXaeiEEhkCDBeWMTyuCaXVH7A=