Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-1802: Docker Desktop release notes

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.

CVE
#sql#vulnerability#web#mac#windows#apple#microsoft#amazon#ubuntu#linux#debian#ddos#apache#memcached#js#git#kubernetes#intel#rce#perl#nginx#vmware#log4j#amd#auth#ssh#rpm#docker#sap#ssl

This page contains information about the new features, improvements, known issues, and bug fixes in Docker Desktop releases.

Note

The information below is applicable to all platforms, unless stated otherwise.

Take a look at the Docker Public Roadmap to see what’s coming next.

For frequently asked questions about Docker Desktop releases, see FAQs

4.18.0

2023-04-03

Download Docker Desktop

Windows

Download file

Checksum: SHA-256 7b17e26d7c2d0245ba9f2526e20349e113819cfb47d1f3e8dbd3cc8ea8ccf6b7

Mac with Intel chip

Download file

Checksum: SHA-256 2e099af08e17666228282b970992160fa423ce8f5fa9e36b79495a1960803091

Mac with Apple chip

Download file

Checksum: SHA-256 2ae4b2ec556c107f969e51b72ad1920fefa38dbd0d8e3db64815c26b9f2b126d

Linux DEB

Download file

Checksum: SHA-256 d579f653b5223a3c24234992203283c5a6da28146702f8899964e08b8ba45198

Linux RPM

Download file

Checksum: SHA-256 4d64ea1c9e9da66ca0a37820135926eb4bbcdf658cafdbe87497aae384bf65c7

Linux Arch (experimental)

Download file

Checksum: SHA-256 0d6f8c54457f89cfaba3222ab4754caa8df547a0050aa8749d679609bad9456d

New

  • Initial beta release of docker init as per the roadmap.
  • Added a new Learning Center tab to help users get started with Docker.
  • Added an experimental file-watch command to Docker Compose that automatically updates your running Compose services as you edit and save your code.

Upgrades

  • Buildx v0.10.4
  • Compose 2.17.2
  • Containerd v1.6.18, which includes fixes for CVE-2023-25153 and CVE-2023-25173.
  • Docker Engine v20.10.24, which contains fixes for CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.

Bug fixes and enhancements****For all platforms

  • Docker Scout CLI can now compare two images and display packages and vulnerabilities differences. This command is in Early Access and might change in the future.
  • Docker Scout CLI now displays base image update and remediation recommendations using docker scout recommendations. It also displays a short overview of an image using docker scout quickview commands.
  • You can now search for extensions direct from the Marketplace, as well as using Global Search.
  • Fixed a bug where docker buildx container builders would lose access to the network after 24hrs.
  • Reduced how often users are prompted for feedback on Docker Desktop.
  • Removed minimum VM swap size.
  • Added support for subdomain match, CIDR match, . and _. in HTTP proxy exclude lists.
  • Fixed a bug in the transparent TLS proxy when the Server Name Indication field is not set.
  • Fixed a grammatical error in Docker Desktop engine status message.

For Windows

  • Fixed a bug where docker run --gpus=all hangs. Fixes docker/for-win#13324.
  • Fixed a bug where Registry Access Management policy updates were not downloaded.
  • Docker Desktop now allows Windows containers to work when BitLocker is enabled on C:.
  • Docker Desktop with the WSL backend no longer requires the com.docker.service privileged service to run permanently. For more information see Permission requirements for Windows.

For Mac

  • Fixed a performance issue where attributes stored on the host would not be cached for VirtioFS users.
  • The first time Docker Desktop for Mac is launched, the user is presented with an installation window to confirm or adjust the configuration that requires privileged access. For more information see Permission requirements for Mac.
  • Added the Advanced tab in Settings, where users can adjust the settings which require privileged access.

For Linux

  • Fixed a bug where the VM networking crashes after 24h. docker/for-linux#131

Security****For all platforms

  • Fixed a security issue with the Artifactory Integration where it would fall back to sending registry credentials over plain HTTP if HTTPS check failed. Only users who have Access experimental features enabled are affected. Fixes docker/for-win#13344.

For Mac

  • Removed the com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation entitlements which allow an arbitrary dynamic library to be loaded with Docker Desktop via the DYLD_INSERT_LIBRARIES environment variable.

Known Issues

  • Uninstalling Docker Desktop on Mac from the Troubleshoot page might trigger an unexpected fatal error popup.

4.17.1

2023-03-20

Download Docker Desktop

Windows

Checksums

  • Windows: SHA-256 2ea284648a5f708428f3a06bb8e1eb68cbeba6689b53c53d7ca24043a8f34800

Bug fixes and enhancements****For Windows

  • Docker Desktop now allows Windows containers to work when BitLocker is enabled on C:
  • Fixed a bug where docker buildx container builders would lose access to the network after 24hrs.
  • Fixed a bug where Registry Access Management policy updates were not downloaded.
  • Improved debug information to better characterise failures under WSL 2.

Known Issues

  • Running containers with --gpus on Windows with the WSL 2 backend does not work. This will be fixed in future releases. See docker/for-win/13324.

4.17.0

2023-02-27

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 69ea659b0ca0e160a1de9bd63dc5697f5eb89fff1d33484fb8ef9793e43d0d45
  • Mac Intel: SHA-256 eb0531122a62859ce7b029e943fdad365603a916e6c15c107514c1e4a818d7ef
  • Mac Arm: SHA-256 5e01465d93dfe18d7678a96705e7c26bb654b6766f06373b5cffbf77c641bccc
  • Linux DEB: SHA-256 6828d35ae02763255790de6690909935a1f7c951373179ac0efd6c6b578b5219
  • Linux RPM: SHA-256 7973c5bf41bdc78ca39ba64f93c6e4a33263d8dbfc604651bf1562bfeeea26f7
  • Linux Arch: SHA-256 c783ce942c84f899d1f576d01d34fd4de3cefa0a1d577eda2bc5c4ceaec6cfdb

New

  • Docker Desktop now ships with Docker Scout. Pull and view analysis for images from Docker Hub and Artifactory repositories, get base image updates and recommended tags and digests, and filter your images on vulnerability information. To learn more, see Docker Scout.
  • docker scan has been replaced by docker scout. See Docker Scout CLI, for more information.
  • You can now discover extensions that have been autonomously published in the Extensions Marketplace. For more information on self-published extensions, see Marketplace Extensions.
  • Container File Explorer is available as an experimental feature. Debug the filesystem within your containers straight from the GUI.
  • You can now search for volumes in Global Search.

Upgrades

  • Containerd v1.6.18, which includes fixes for CVE-2023-25153 and CVE-2023-25173.
  • Docker Engine v20.10.23.
  • Go 1.19.5

Bug fixes and enhancements****For all platforms

  • Fixed a bug where diagnostic gathering could hang waiting for a subprocess to exit.
  • Prevented the transparent HTTP proxy from mangling requests too much. Fixes Tailscale extension login, see tailscale/docker-extension#49.
  • Fixed a bug in the transparent TLS proxy where the Server Name Indication field is not set.
  • Added support for subdomain match, CIDR match, . and *. in HTTP proxy exclude lists.
  • Ensured HTTP proxy settings are respected when uploading diagnostics.
  • Fixed fatal error when fetching credentials from the credential helper.
  • Fixed fatal error related to concurrent logging.
  • Improved the UI for Extension actions in the Marketplace.
  • Added new filters in the Extensions Marketplace. You can now filter extensions by category and reviewed status.
  • Added a way to report a malicious extension to Docker.
  • Updated Dev Environments to v0.2.2 with initial set up reliability & security fixes.
  • Added a whalecome survey for new users only.
  • The confirmation dialogs on the troubleshooting page are now consistent in style with other similar dialogs.
  • Fixed fatal error caused by resetting the Kubernetes cluster before it has started.
  • Implemented docker import for the containerd integration.
  • Fixed image tagging with an existing tag with the containerd integration.
  • Implemented the dangling filter on images for the containerd integration.
  • Fixed docker ps failing with containers whose images are no longer present with the containerd integration.

For Mac

  • Fixed download of Registry Access Management policy on systems where the privileged helper tool com.docker.vmnetd is not installed.
  • Fixed a bug where com.docker.vmnetd could not be installed if /Library/PrivilegedHelperTools does not exist.
  • Fixed a bug where the “system” proxy would not handle “autoproxy” / “pac file” configurations.
  • Fixed a bug where vmnetd installation fails to read Info.Plist on case-sensitive file systems. The actual filename is Info.plist. Fixes docker/for-mac#6677.
  • Fixed a bug where user is prompted to create the docker socket symlink on every startup. Fixes docker/for-mac#6634.
  • Fixed a bug that caused the Start Docker Desktop when you log in setting not to work. Fixes docker/for-mac#6723.
  • Fixed UDP connection tracking and host.docker.internal. Fixes docker/for-mac#6699.
  • Improved kubectl symlink logic to respect existing binaries in /usr/local/bin. Fixes docker/for-mac#6328.
  • Docker Desktop now automatically installs Rosetta when you opt-in to use it but have not already installed it.

For Windows

  • Added statical linking of WSL integration tools against musl so there is no need to install alpine-pkg-glibc in user distros.
  • Added support for running under cgroupv2 on WSL 2. This is activated by adding kernelCommandLine = systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all to your %USERPROFILE%.wslconfig file in the [wsl2] section.
  • Fixed an issue that caused Docker Desktop to get stuck in the “starting” phase when in WSL 2 mode (introduced in 4.16).
  • Fixed Docker Desktop failing to start the WSL 2 backend when file system compression or encryption is enabled on %LOCALAPPDATA%.
  • Fixed Docker Desktop failing to report a missing or outdated (incapable of running WSL version 2 distros) WSL installation when starting.
  • Fixed a bug where opening in Visual Studio Code fails if the target path has a space.
  • Fixed a bug that causes ~/.docker/context corruption and the error message “unexpected end of JSON input”. You can also remove ~/.docker/context to work around this problem.
  • Ensured the credential helper used in WSL 2 is properly signed. Related to docker/for-win#10247.
  • Fixed an issue that caused WSL integration agents to be terminated erroneously. Related to docker/for-win#13202.
  • Fixed corrupt contexts on start. Fixes docker/for-win#13180 and docker/for-win#12561.

For Linux

  • Added Docker Buildx plugin for Docker Desktop for Linux.
  • Changed compression algorithm to xz for RPM and Arch Linux distribution.
  • Fixed a bug that caused leftover files to be left in the root directory of the Debian package. Fixes docker/for-linux#123.

Security****For all platforms

  • Fixed CVE-2023-0628, which allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL.
  • Fixed CVE-2023-0629, which allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker host to docker.raw.sock, or npipe:////.pipe/docker_engine_linux on Windows, via the -H (–host) CLI flag or the DOCKER_HOST environment variable and launch containers without the additional hardening features provided by ECI. This does not affect already running containers, nor containers launched through the usual approach (without Docker’s raw socket).

4.16.3

2023-01-30

Download Docker Desktop

Windows

Checksums

  • Windows: SHA-256 5f6db3cf5a2084fc7c584c90792f38a0caac91c4eed4f8653dde7bb8148517f1

Bug fixes and enhancements****For Windows

  • Fixed Docker Desktop failing to start the WSL 2 backend when file system compression or encryption is enabled on %LOCALAPPDATA%. Fixes docker/for-win#13184.
  • Fixed Docker Desktop failing to report a missing or outdated WSL installation when starting. Fixes docker/for-win#13184.

4.16.2

2023-01-19

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 20e4ba05b573610506b57a7f216115458019d2c002f18ef6d50a2419b7db545b
  • Mac Intel: SHA-256 22eecb8ea07f10892d81cde07d614fb8b342163106133a75c4280a8e28787643
  • Mac Arm: SHA-256 838eabe6cc42fe7e4be2cdb4d73924c61fc7982366dac2a9467793845851cb2e
  • Linux DEB: SHA-256 fa3023eb16c24dcbdc5f12021340e874d8399863e96c1a58091c9a41fd50fe58
  • Linux RPM: SHA-256 7f54f29a971b9ba456e7aef777d747867d7e4eccb7a2b47aa9092c99a990f8d5
  • Linux Arch: SHA-256 05e94709974e711bf81aa16845ebba976f8236a371432594c87a68ecf9a21d0f

Bug fixes and enhancements****For all platforms

  • Fixed an issue where docker build and docker tag commands produced an image already exists error if the containerd integration feature is enabled.
  • Fixed a regression introduced with Docker Desktop 4.16 breaking networking from containers with target platform linux/386 on amd64 systems. Fixes docker/for-mac/6689.

For Mac

  • Fixed the capitalization of Info.plist which caused vmnetd to break on case-sensitive file systems. Fixes docker/for-mac/6677.

For Windows

  • Fixed a regression introduced with Docker Desktop 4.16 causing it to get stuck in the “starting” phase when in WSL2 mode. Fixes docker/for-win/13165

4.16.1

2023-01-13

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 8260a2fbd3cf7e9050ed7348e5c528314df82f1c460c70919afd0e5f95913f14
  • Mac Intel: SHA-256 b6d8720e2ceb64a6102c5efba53e2adf441c60508457aeb8cc1fd7c30cd7b28f
  • Mac Arm: SHA-256 327725664ac86d34ee3b311b09eace0075492f7ff3e0e384015171769f75bff4
  • Linux DEB: SHA-256 8400f9b1bab837b1d2a12597ec74ece859a5e53f5244cd101c72d3b384ac44b4
  • Linux RPM: SHA-256 0d2074f6a6fa66300810168ea5c572f81616753c698bc5246a89ad374beaec22
  • Linux Arch: SHA-256 11344e66c76ed6ce66b8b077dd86870fc5d63cdcd96941d664de9b65e2123baf

Bug fixes and enhancements****For all platforms

  • Fixed sudo inside a container failing with a security related error for some images. Fixes docker/for-mac/6675 and docker/for-win/13161.

4.16.0

2023-01-12

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 f02fcd23410f9304bde7cd0b415731614adfd2e70bbb09f669a068c88ddd84f2
  • Mac Intel: SHA-256 4fa95e90b6c39400943b263ae5aa1bb6db5b26043dd0148c4e37d3033a754d33
  • Mac Arm: SHA-256 3101934a3b062b373a22fd994d743fa6a08fa805695839e6b63bc2d28ebcf59a
  • Linux DEB: SHA-256 102b79efd90be5ff72fb6ba4bb385621f4e6ab23c19b14d19d525c10f20bdfdd
  • Linux RPM: SHA-256 5145cc5073d4a0b998ebd65b96c5a46bd2d99a1572d5be8cff502a77b2c58c01
  • Linux Arch: SHA-256 ab4af236b435489d49553b63f25a18c098677dd9abc176531cdcc3d67831461e

New

  • Extensions have moved from Beta to GA.
  • Quick Search has moved from experimental to GA.
  • Extensions are now included in Quick Search.
  • Analyzing large images is now up to 4x faster.
  • New local images view has moved from experimental to GA.
  • New Beta feature for MacOS 13, Rosetta for Linux, has been added for faster emulation of Intel-based images on Apple Silicon.

Upgrades

  • Compose v2.15.1
  • Containerd v1.6.14
  • Docker Engine v20.10.22
  • Buildx v0.10.0
  • Docker Scan v0.23.0
  • Go 1.19.4

Bug fixes and enhancements****For all platforms

  • Fixed docker build --quiet not outputting the image identifier with the containerd integration.
  • Fixed image inspect not showing image labels with the containerd integration.
  • Increased the contrast between running and stopped container icons to make it easier for colorblind people to scan the containers list.
  • Fixed a bug where the user is prompted for new HTTP proxy credentials repeatedly until Docker Desktop is restarted.
  • Added a diagnostics command com.docker.diagnose login to check HTTP proxy configuration.
  • Fixed actions on compose stack not working properly. Fixes docker/for-mac#6566.
  • Fixed the Docker dashboard trying at startup to get disk usage information and display an error banner before the engine was running.
  • Added an informational banner with instructions on how to opt-out of experimental feature access next to all experimental features.
  • Docker Desktop now supports downloading Kubernetes images via an HTTP proxy.
  • Fixed tooltips to not block action buttons. Fixes docker/for-mac#6516.
  • Fixed the blank “An error occurred” container list on the Container view.

For Mac

  • Minimum OS version to install or update Docker Desktop on macOS is now macOS Big Sur (version 11) or later.
  • Fixed the Docker engine not starting when Enhanced Container Isolation is enabled if the legacy osxfs implementation is used for file sharing.
  • Fixed files created on VirtioFS having the executable bit set. Fixes docker/for-mac#6614.
  • Added back a way to uninstall Docker Desktop from the command line. Fixes docker/for-mac#6598.
  • Fixed hardcoded /usr/bin/kill. Fixes docker/for-mac#6589.
  • Fixed truncation (for example with the truncate command) of very large files (> 38GB) shared on VirtioFS with an incorrect size.
  • Changed the disk image size in Settings to use the decimal system (base 10) to coincide with how Finder displays disk capacity.
  • Fixed Docker crash under network load. Fixes docker/for-mac#6530.
  • Fixed an issue causing Docker to prompt the user to install the /var/run/docker.sock symlink after every reboot.
  • Ensured the Login Item which installs the /var/run/docker.sock symlink is signed.
  • Fixed bug where $HOME/.docker was removed on factory reset.

For Windows

  • Fixed docker build hanging while printing “load metadata for”. Fixes docker/for-win#10247.
  • Fixed typo in diagnose.exe output Fixes docker/for-win#13107.
  • Added support for running under cgroupv2 on WSL 2. This is activated by adding kernelCommandLine = systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all to your %USERPROFILE%.wslconfig file in the [wsl2] section.

Known Issues

  • Calling sudo inside a container fails with a security related error for some images. See docker/for-mac/6675 and docker/for-win/13161.

4.15.0

2022-12-01

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 04dbd937971f1940e22f1edab9cad90722268b3f98feb77140535e1ac64606a8
  • Mac Intel: SHA-256 bee41d646916e579b16b7fae014e2fb5e5e7b5dbaf7c1949821fd311d3ce430b
  • Mac Arm: SHA-256 fc8609d57fb8c8264122f581c0f66497e46e171f8027d85d90213527d6226362
  • Linux DEB: SHA-256 744266c6adef23e0823facded844f3b879fd0a988f8604f9b620d7585f249cf9
  • Linux RPM: SHA-256 84e206c3e4742d37c7ef7d3d7440c5a085e1a4a77da2c628d133324a3f77f891
  • Linux Arch: SHA-256 43156553268ccc8cb11eef08ac375c90af60ccdc65ae407bdf100ff2e50c6867

New

  • Substantial performance improvements for macOS users with the option of enabling the new VirtioFS file sharing technology. Available for macOS 12.5 and above.
  • Docker Desktop for Mac no longer needs to install the privileged helper process com.docker.vmnetd on install or on the first run. For more information see Permission requirements for Mac.
  • Added WebAssembly capabilities. Use with the containerd integration.
  • Improved the descriptions for beta and experimental settings to clearly explain the differences and how people can access them.
  • Available disk space of VM now displays in the footer of Docker Dashboard for Mac and Linux.
  • A disk space warning now displays in the footer if available space is below 3GB.
  • Changes to Docker Desktop’s interface as we become more ADA accessible and visually unified.
  • Added a Build tab inside Extensions which contains all the necessary resources to build an extension.
  • Added the ability to share extensions more easily, either with docker extension share CLI or with the share button in the extensions Manage tab.
  • Extensions in the Marketplace now display the number of installs. You can also sort extensions by the number of installs.
  • Dev Environments allow cloning a Git repository to a local bind mount, so you can use any local editor or IDE.
  • More Dev Environments improvements: custom names, better private repo support, improved port handling.

Upgrades

  • Compose v2.13.0
  • Containerd v1.6.10
  • Docker Hub Tool v0.4.5
  • Docker Scan v0.22.0

Bug fixes and enhancements****For all platforms

  • Containers are now restored on restart with the containerd integration.
  • Fixed listing multi-platform images with the containerd integration.
  • Better handling of dangling images with the containerd integration.
  • Implement “reference” filter for images with the containerd integration.
  • Added support for selecting upstream HTTP/HTTPS proxies automatically via proxy.pac in containers, docker pull etc.
  • Fixed regressions when parsing image references on pull. Fixes docker/for-win#13053, docker/for-mac#6560, and docker/for-mac#6540.

For Mac

  • Improved the performance of docker pull.

For Windows

  • Fixed an issue where the system HTTP proxies were not used when Docker starts and the developer logs in.
  • When Docker Desktop is using “system” proxies and if the Windows settings change, Docker Desktop now uses the new Windows settings without a restart.

For Linux

  • Fixed hot-reload issue on Linux. Fixes docker/desktop-linux#30.
  • Disabled tray icon animations on Linux which fixes crashes for some users.

4.14.1

2022-11-17

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 1e6d8fadff3393110029eeda2e40344e6a99a90ec69dab0b92327e79afef30c6
  • Mac Intel: SHA-256 c70534abce8e288178fdff9fa89d110a93257b008e1e69c69465f6b41d26155f
  • Mac Arm: SHA-256 d244fb20ffb94d0ea3837c0b55555f983881405d22fce1e187ced39efbb188a1
  • Linux DEB: SHA-256 97698848c1ac1f1b8a6144c497f113cd2ca9e6c3399de7af981d12d1957da1de
  • Linux RPM: SHA-256 4393c1ff4da3adac51dbe735d3a498167c59efc9d67d11f3a5c8aac3b629e59c
  • Linux Arch: SHA-256 992c0f599234ea88f0af731bff3de3ba35a76366164eae6b755aaf41ef098b24

Bug fixes and enhancements****For all platforms

  • Fixed container DNS lookups when using Registry Access Management.

For Mac

  • Fixed an issue preventing the Analyze Image button on the Images tab from working.
  • Fixed a bug causing symlinks to not be created for the user if /usr/local/lib doesn’t already exist. Fixes docker/for-mac#6569

4.14.0

2022-11-10

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 7e2d34cb7573b81cc067ff9e979e44675d46eb6a26801031c27f83bbf93dfc3b
  • Mac Intel: SHA-256 f554d67e1189efdc5e85e4c28bc4b82a979914016bfb5cc83cde719d557ce062
  • Mac Arm: SHA-256 38be55c1dc0686e17c761c4953892ff21ffc5cddef19171e428ca2c0224f3b95
  • Linux DEB: SHA-256 5b9e701a907a901c77f2093e54a41b5d706e97e39a30416d5c1519a77f024240
  • Linux RPM: SHA-256 505f503636acf842cf5228d21d30f95d8e5d0f111feb9a1448f21d80c8169e93
  • Linux Arch: SHA-256 8bcf97f361f02e9a7ba3fb2bab4b0905d51d75f7b2ef918c31d946a2a1ab201d

New

  • Set Virtualization framework as the default hypervisor for macOS >= 12.5.
  • Migrate previous install to Virtualization framework hypervisor for macOS >= 12.5.
  • The Enhanced Container Isolation feature, available to Docker Business users, can now be enabled from the General Settings.

Updates

  • Docker Engine v20.10.21, which contains mitigations against a Git vulnerability, tracked in CVE-2022-39253, and updates the handling of image:tag@digest image references.
  • Docker Compose v2.12.2
  • Containerd v1.6.9
  • Go 1.19.3

Bug fixes and enhancements****For all platforms

  • Docker Desktop now requires an internal network subnet of size /24. If you were previously using a /28, it is automatically expanded to /24. If you experience networking issues, check to see if you have a clash between the Docker subnet and your infrastructure. Fixes docker/for-win#13025.
  • Fixed an issue that prevents users from creating Dev Environments when the Git URL has upper-case characters.
  • Fix the vpnkit.exe is not running error reported in diagnostics.
  • Reverted qemu to 6.2.0 to fix errors like PR_SET_CHILD_SUBREAPER is unavailable when running emulated amd64 code.
  • Enabled contextIsolation and sandbox mode inside Extensions. Now Extensions run in a separate context and this limits the harm that malicious code can cause by limiting access to most system resources.
  • Included unpigz to allow parallel decompression of pulled images.
  • Fixed issues related to performing actions on selected containers. Fixes https://github.com/docker/for-win/issues/13005
  • Added functionality that allows you to display timestamps for your container or project view.
  • Fixed a possible segfault when interrupting docker pull with Control+C.
  • Increased the default DHCP lease time to avoid the VM’s network glitching and dropping connections every two hours.
  • Removed the infinite spinner on the containers list. Fixes https://github.com/docker/for-mac/issues/6486
  • Fixed bug which showed incorrect values on used space in Settings.
  • Fixed a bug that caused Kubernetes not to start with the containerd integration.
  • Fixed a bug that caused kind not to start with the containerd integration.
  • Fixed a bug that caused Dev Environments to not work with the containerd integration.
  • Implemented docker diff in the containerd integration.
  • Implemented docker run —-platform in the containerd integration.
  • Fixed a bug that caused insecure registries not to work with the containerd integration.

For Mac

  • Fixed a startup failure for users of Virtualization framework.
  • Re-added the /var/run/docker.sock on Mac by default, to increase compatibility with tooling like tilt and docker-py.
  • Fixed an issue that prevented the creation of Dev Environments on new Mac installs (error “Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?”).

For Windows

  • Re-added DockerCli.exe -SharedDrives. Fixes docker/for-win#5625.
  • Docker Desktop now allows Docker to function on machines where PowerShell is disabled.
  • Fixed an issue where Compose v2 was not always enabled by default on Windows.
  • Docker Desktop now deletes the C:\Program Files\Docker folder at uninstall.

Known Issues

  • For some users on Mac OS there is a known issue with the installer that prevents the installation of a new helper tool needed for the experimental vulnerability and package discovery feature in Docker Desktop. To fix this, a symlink is needed that can be created with the following command: sudo ln -s /Applications/Docker.app/Contents/Resources/bin/docker-index /usr/local/bin/docker-index

4.13.1

2022-10-31

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 11bb799f85668f368e3071ac17067ebbe575349d1ccfb7c28a5dc1f872ced54e
  • Mac Intel: SHA-256 9147ca38d46c59a758ac53560814c91c4deda9b0c4c63adfa3df76f37bacbf00
  • Mac Arm: SHA-256 21a2bd82ade4b4776d3a4c28524e114733f172e9cd4f1da2193487db217c319f
  • Linux DEB: SHA-256 1be90be14b53bc555d3bc16e4b9454d9dff0286b90c4b864cfdbb2e0cdbd2a56
  • Linux RPM: SHA-256 49516e246d61d2f8da6753408e3c42c5a71d06de155aaea584135e34dde3af33
  • Linux Arch: SHA-256 7fb7ef0fdcb762df2298dcd2578d3c749cccd554e3c652ba7a4648ce815ca140

Updates

  • Docker Compose v2.12.1

Bug fixes and enhancements****For all platforms

  • Fixed a possible segfault when interrupting docker pull with Control+C or CMD+C.
  • Increased the default DHCP lease time to avoid the VM’s network glitching and dropping connections every two hours.
  • Reverted Qemu to 6.2.0 to fix errors like PR_SET_CHILD_SUBREAPER is unavailable when running emulated amd64 code.

For Mac

  • Added back the /var/run/docker.sock symlink on Mac by default, to increase compatibility with tooling like tilt and docker-py. Fixes docker/for-mac#6529.
  • Fixed an issue preventing the creation of Dev Environments on new Mac installs and causing error “Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?”)

For Windows

  • Docker Desktop now functions on machines where PowerShell is disabled.

4.13.0

2022-10-19

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 2452d4c9e315d36ad4cade724c962dd18515b8e2f0c2e7f66290648e0319d72b
  • Mac Intel: SHA-256 5a9e7b810bc9937a0945f9cbbb7ec00c2c5c386b5897c59c1c93187eaf0f2081
  • Mac Arm: SHA-256 f33037ef7b02946d5714012398848654bd7a759ee729b0346acc46a8e73a76ed
  • Linux DEB: SHA-256 aa1d4ee1c2c72bf7be05c88d33d8f1f6344ab4e6d9de52f50367d9e799641102
  • Linux RPM: SHA-256 6f70246d11d06f123b8011eeafb7b0a161d60764719b44b817a49dee7da4a06e
  • Linux Arch: SHA-256 8aa42c18d643b5dc333cbea096f9585d89b912344a26fc9ea902f30d2c5140d8

New

  • Two new security features have been introduced for Docker Business users, Settings Management and Enhanced Container Isolation. Read more about Docker Desktop’s new Hardened Docker Desktop security model.
  • Added the new Dev Environments CLI docker dev, so you can create, list, and run Dev Envs via command line. Now it’s easier to integrate Dev Envs into custom scripts.
  • Docker Desktop can now be installed to any drive and folder using the --installation-dir. Partially addresses docker/roadmap#94.

Updates

  • Docker Scan v0.21.0
  • Go 1.19.2 to address CVE-2022-2879, CVE-2022-2880 and CVE-2022-41715
  • Updated Docker Engine and Docker CLI to v20.10.20, which contain mitigations against a Git vulnerability, tracked in CVE-2022-39253, and updated handling of image:tag@digest image references, as well as a fix for CVE-2022-36109.
  • Docker Credential Helpers v0.7.0
  • Docker Compose v2.12.0
  • Kubernetes v1.25.2
  • Qemu 7.0.0 used for cpu emulation, inside the Docker Desktop VM.
  • Linux kernel 5.15.49

Bug fixes and enhancements****For all platforms

  • Docker Desktop now allows the use of TLS when talking to HTTP and HTTPS proxies to encrypt proxy usernames and passwords.
  • Docker Desktop now stores HTTP and HTTPS proxy passwords in the OS credential store.
  • If Docker Desktop detects that the HTTP or HTTPS proxy password has changed then it will prompt developers for the new password.
  • The Bypass proxy settings for these hosts and domains setting now handles domain names correctly for HTTPS.
  • The Remote Repositories view and Tip of the Day now works with HTTP and HTTPS proxies which require authentication
  • We’ve introduced dark launch for features that are in early stages of the product development lifecycle. Users that are opted in can opt out at any time in the settings under the “beta features” section.
  • Added categories to the Extensions Marketplace.
  • Added an indicator in the whale menu and on the Extension tab on when extension updates are available.
  • Fixed failing uninstalls of extensions with image names that do not have a namespace, as in ‘my-extension’.
  • Show port mapping explicitly in the Container tab.
  • Changed the refresh rate for disk usage information for images to happen automatically once a day.
  • Made the tab style consistent for the Container and Volume tabs.
  • Fixed Grpcfuse filesharing mode enablement in Settings. Fixes docker/for-mac#6467
  • Virtualization Framework and VirtioFS are disabled for users running macOS < 12.5.
  • Ports on the Containers tab are now clickable.
  • The Extensions SDK now allows ddClient.extension.vm.cli.exec, ddClient.extension.host.cli.exec, ddClient.docker.cli.exec to accept a different working directory and pass environment variables through the options parameters.
  • Added a small improvement to navigate to the Extensions Marketplace when clicking on Extensions in the sidebar.
  • Added a badge to identify new extensions in the Marketplace.
  • Fixed kubernetes not starting with the containerd integration.
  • Fixed kind not starting with the containerd integration.
  • Fixed dev environments not working with the containerd integration.
  • Implemented docker diff in the containerd integration.
  • Implemented docker run —-platform in the containerd integration.
  • Fixed insecure registries not working with the containerd integration.
  • Fixed a bug that showed incorrect values on used space in Settings.
  • Docker Desktop now installs credential helpers from Github releases. See docker/for-win#10247, docker/for-win#12995.
  • Fixed an issue where users were logged out of Docker Desktop after 7 days.

For Mac

  • Added Hide, Hide others, Show all menu items for Docker Desktop. See docker/for-mac#6446.
  • Fixed a bug which caused the application to be deleted when running the install utility from the installed application. Fixes docker/for-mac#6442.
  • By default Docker will not create the /var/run/docker.sock symlink on the host and use the docker-desktop CLI context instead.

For Linux

  • Fixed a bug that prevented pushing images from the Dashboard

4.12.0

2022-09-01

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 996a4c5fff5b80b707ecfc0121d7ebe70d96c0bd568f058fd96f32cdec0c10cf
  • Mac Intel: SHA-256 41085009458ba1741c6a86c414190780ff3b288879aa27821fc4a985d229653c
  • Mac Arm: SHA-256 7eb63b4819cd1f87c61d5e8f54613692e07fb203d81bcf8d66f5de55489d3b81
  • Linux DEB: SHA-256 4407023db032219d6ac6031f81da6389ab192d3d06084ee6dad1ba4f4c64a4fe
  • Linux RPM: SHA-256 05e91f2a9763089acdfe710140893cb096bec955bcd99279bbe3aea035d09bc5
  • Linux Arch: SHA-256 7c6b43c8ab140c755e6c8ce4ec494b3f5c4f3b0c1ab3cee8bfd0b6864f795d8a

New

  • Added the ability to use containerd for pulling and storing images. This is an experimental feature.
  • Docker Desktop now runs untagged images. Fixes docker/for-mac#6425.
  • Added search capabilities to Docker Extension’s Marketplace. Fixes docker/roadmap#346.
  • Added the ability to zoom in, out or set Docker Desktop to Actual Size. This is done by using keyboard shortcuts ⌘ + / CTRL +, ⌘ - / CTRL -, ⌘ 0 / CTRL 0 on Mac and Windows respectively, or through the View menu on Mac.
  • Added compose stop button if any related container is stoppable.
  • Individual compose containers are now deletable from the Container view.
  • Removed the workaround for virtiofsd <-> qemu protocol mismatch on Fedora 35, as it is no longer needed. Fedora 35 users should upgrade the qemu package to the most recent version (qemu-6.1.0-15.fc35 as of the time of writing).
  • Implemented an integrated terminal for containers.
  • Added a tooltip to display the link address for all external links by default.

Updates

  • Docker Compose v2.10.2
  • Docker Scan v0.19.0
  • Kubernetes v1.25.0
  • Go 1.19
  • cri-dockerd v0.2.5
  • Buildx v0.9.1
  • containerd v1.6.8
  • containerd v1.6.7
  • runc v1.1.4
  • runc v1.1.3

Security****For all platforms

  • Fix RCE via query parameters in the message-box route in the Electron client.
  • Fix RCE via extension description/changelog which could be abused by a malicious extension.

For Windows

  • Fixed a bypass for the --no-windows-containers installation flag which was introduced in version 4.11. This flag allows administrators to disable the use of Windows containers.
  • Fixed the argument injection to the Docker Desktop installer which may result in local privilege escalation.

Bug fixes and minor enhancements****For all platforms

  • Compose V2 is now enabled after factory reset.
  • Compose V2 is now enabled by default on new installations of Docker Desktop.
  • Precedence order of environment variables in Compose is more consistent, and clearly documented.
  • Upgraded kernel to 5.10.124.
  • Improved overall performance issues caused by calculating disk size. Related to docker/for-win#9401.
  • Docker Desktop now prevents users on ARM macs without Rosetta installed from switching back to Compose V1, which has only intel binaries.
  • Changed the default sort order to descending for volume size and the Created column, along with the container’s Started column.
  • Re-organized container row actions by keeping only the start/stop and delete actions visible at all times, while allowing access to the rest via the row menu item.
  • The Quickstart guide now runs every command immediately.
  • Defined the sort order for container/compose Status column to running > some running > paused > some paused > exited > some exited > created.
  • Fixed issues with the image list appearing empty in Docker Desktop even though there are images. Related to docker/for-win#12693 and docker/for-mac#6347.
  • Defined what images are “in use” based on whether or not system containers are displayed. If system containers related to Kubernetes and Extensions are not displayed, the related images are not defined as “in use.”
  • Fixed a bug that made Docker clients in some languages hang on docker exec. Fixes https://github.com/apocas/dockerode/issues/534.
  • A failed spawned command when building an extension no longer causes Docker Desktop to unexpectedly quit.
  • Fixed a bug that caused extensions to be displayed as disabled in the left menu when they are not.
  • Fixed docker login to private registries when Registry Access Management is enabled and access to Docker Hub is blocked.
  • Fixed a bug where Docker Desktop fails to start the Kubernetes cluster if the current cluster metadata is not stored in the .kube/config file.
  • Updated the tooltips in Docker Desktop and MUI theme package to align with the overall system design.
  • Copied terminal contents do not contain non-breaking spaces anymore.

For Mac

  • Minimum version to install or update Docker Desktop on macOS is now 10.15. Fixes docker/for-mac#6007.
  • Fixed a bug where the Tray menu incorrectly displays “Download will start soon…” after downloading the update. Fixes some issue reported in for-mac/issues#5677
  • Fixed a bug that didn’t restart Docker Desktop after applying an update.
  • Fixed a bug that caused the connection to Docker to be lost when the computer sleeps if a user is using virtualization.framework and restrictive firewall software.
  • Fixed a bug that caused Docker Desktop to run in the background even after a user had quit the application. Fixes [https://github.com/docker/for-mac/issues/6440]
  • Disabled both Virtualization Framework and VirtioFS for users running macOS < 12.5

For Windows

  • Fixed a bug where versions displayed during an update could be incorrect. Fixes for-win/issues#12822.

4.11.1

2022-08-05

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 8af32948447ddab655455542f6a12c8d752642a2bd451e2a48f76398cfd872b0
  • Mac Intel: SHA-256 b2f4ad8fea37dfb7d9147f169a9ceab71d7d0d12ff912057c60b58c0e91aed35
  • Mac Arm: SHA-256 a7d84117bef83764cb9bf275cd01b8ba0c43f08dbfe4d4a7d4f05549cdd81f54
  • Linux DEB: SHA-256 8877443ded0dee19b1bacaa608bd81d4bb216b59ff5fc12c89489e9ac5b00e0f
  • Linux RPM: SHA-256 a4a12071cdb4c3a845711eec13b97b838ae088f85f81cb5dd0db51aa6b050ed5
  • Linux Arch: SHA-256 66bdf3b4eb3cd29e190cf660ede53d3e854a4ec823c2ea04a4a02a175203f880

Bug fixes and enhancements****For all platforms

  • Fixed regression preventing VM system locations (e.g. /var/lib/docker) from being bind mounted for-mac/issues#6433

For Windows

  • Fixed docker login to private registries from WSL2 distro docker/for-win#12871

4.11.0

2022-07-28

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 48ca8cabe67aee94a934b4c0f97a5001e89cb66bbbf824924fbc8bed6a8c90d3
  • Mac Intel: SHA-256 295694d7c2df05e37ac0d27fe8be5af6295b1edc6fa00a00a47134a14d5d0b34
  • Mac Arm: SHA-256 9824103e3d5a7d01a4d7d8086210157e1cc02217cb9edd82fe4bf2d16c138c44
  • Linux DEB: SHA-256 a0dc8ac97cc21e5a13a9e316cac11d85b7c248fd0c166b22a2ab239d17d43d9f
  • Linux RPM: SHA-256 eb077737298827092b283d3c85edacd128ecd993e987aa30d8081e2306401774
  • Linux Arch: SHA-256 a85fd5e83d5b613ef43d335c0ab0af4600aeb8a92921b617cb7a555826e361de

New

  • Docker Desktop is now fully supported for Docker Business customers inside VMware ESXi and Azure VMs. For more information, see Run Docker Desktop inside a VM or VDI environment
  • Added two new extensions (vcluster and PGAdmin4) to the Extensions Marketplace.
  • The ability to sort extensions has been added to the Extensions Marketplace.
  • Fixed a bug that caused some users to be asked for feedback too frequently. You’ll now only be asked for feedback twice a year.
  • Added custom theme settings for Docker Desktop. This allows you to specify dark or light mode for Docker Desktop independent of your device settings. Fixes docker/for-win#12747
  • Added a new flag for Windows installer. --no-windows-containers disables the Windows containers integration.
  • Added a new flag for Mac install command. --user <username> sets up Docker Desktop for a specific user, preventing them from needing an admin password on first run.

Updates

  • Docker Compose v2.7.0
  • Docker Compose “Cloud Integrations” v1.0.28
  • Kubernetes v1.24.2
  • Go 1.18.4

Bug fixes and enhancements****For all platforms

  • Added the Container / Compose icon as well as the exposed port(s) / exit code to the Containers screen.
  • Updated the Docker theme palette colour values to match our design system.
  • Improved an error message from docker login if Registry Access Management is blocking the Docker engine’s access to Docker Hub.
  • Increased throughput between the Host and Docker. For example increasing performance of docker cp.
  • Collecting diagnostics takes less time to complete.
  • Selecting or deselecting a compose app on the containers overview now selects/deselects all its containers.
  • Tag names on the container overview image column are visible.
  • Added search decorations to the terminal’s scrollbar so that matches outside the viewport are visible.
  • Fixed an issue with search which doesn’t work well on containers page docker/for-win#12828.
  • Fixed an issue which caused infinite loading on the Volume screen docker/for-win#12789.
  • Fixed a problem in the Container UI where resizing or hiding columns didn’t work. Fixes docker/for-mac#6391.
  • Fixed a bug where the state of installing, updating, or uninstalling multiple extensions at once was lost when leaving the Marketplace screen.
  • Fixed an issue where the compose version in the about page would only get updated from v2 to v1 after restarting Docker Desktop.
  • Fixed an issue where users cannot see the log view because their underlying hardware didn’t support WebGL2 rendering. Fixes docker/for-win#12825.
  • Fixed a bug where the UI for Containers and Images got out of sync.
  • Fixed a startup race when the experimental virtualization framework is enabled.

For Mac

  • Fixed an issue executing Compose commands from the UI. Fixes docker/for-mac#6400.

For Windows

  • Fixed horizontal resizing issue. Fixes docker/for-win#12816.
  • If an HTTP/HTTPS proxy is configured in the UI, then it automatically sends traffic from image builds and running containers to the proxy. This avoids the need to separately configure environment variables in each container or build.
  • Added the --backend=windows installer option to set Windows containers as the default backend.

For Linux

  • Fixed bug related to setting up file shares with spaces in their path.

4.10.1

2022-07-05

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 fe430d19d41cc56fd9a4cd2e22fc0e3522bed910c219208345918c77bbbd2a65
  • Mac Intel: SHA-256 8be8e5245d6a8dbf7b8cb580fb7d99f04cc143c95323695c0d9be4f85dd60b0e
  • Mac Arm: SHA-256 b3d4ef222325bde321045f3b8d946c849cd2812e9ad52a801000a95edb8af57b
  • Linux DEB: SHA-256 9363bc584478c5c7654004bacb51429c275b58a868ef43c3bc6249d5844ec5be
  • Linux RPM: SHA-256 92371d1a1ae4b57921721da95dc0252aefa4c79eb12208760c800ac07c0ae1d2
  • Linux Arch: SHA-256 799af244b05e8b08f03b6e0dbbc1dfcc027ff49f15506b3c460e0f9bae06ca5d

Bug fixes and enhancements****For Windows

  • Fixed a bug where actions in the UI failed with Compose apps that were created from WSL. Fixes docker/for-win#12806.

For Mac

  • Fixed a bug where the install command failed because paths were not initialized. Fixes docker/for-mac#6384.

4.10.0

2022-06-30

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Checksums

  • Windows: SHA-256 10615f4425e59eef7a22ce79ec13e41057df278547aa81c9fe4d623a848e80d8
  • Mac Intel: SHA-256 07bfe00296b724e4e772e268217bc8169a8b23ad98e6da419b13ebfe31b54643
  • Mac Arm: SHA-256 c9d2e72e5438726ab5a94c227d9130a65719f8fd09b877860ca2dcd86cfc188e
  • Linux DEB: SHA-256 c5f10b3d902b4ea10c8f75c17ba174e8838fc75889f76bc27abcab6afaf1969c
  • Linux RPM: SHA-256 a8ad3f8d4e93dfb6f28559f7dc84b7652e651fd6a49506e18958f1e69b51d9be
  • Linux Arch: SHA-256 37131c48df6436c1066c41ec0beda039e726e33bee689f751648c473f4abd96e

New

  • You can now add environment variables before running an image in Docker Desktop.
  • Added features to make it easier to work with a container’s logs, such as regular expression search and the ability to clear container logs while the container is still running.
  • Implemented feedback on the containers table. Added ports and separated container and image names.
  • Added two new extensions, Ddosify and Lacework, to the Extensions Marketplace.

Removed

  • Removed Homepage while working on a new design. You can provide feedback here.

Updates

  • Docker Engine v20.10.17
  • Docker Compose v2.6.1
  • Kubernetes v1.24.1
  • cri-dockerd to v0.2.1
  • CNI plugins to v1.1.1
  • containerd to v1.6.6
  • runc to v1.1.2
  • Go 1.18.3

Bug fixes and enhancements****For all platforms

  • Added additional bulk actions for starting/pausing/stopping selected containers in the Containers tab.
  • Added pause and restart actions for compose projects in the Containers tab.
  • Added icons and exposed ports or exit code information in the Containers tab.
  • External URLs can now refer to extension details in the Extension Marketplace using links such as docker-desktop://extensions/marketplace?extensionId=docker/logs-explorer-extension.
  • The expanded or collapsed state of the Compose apps is now persisted.
  • docker extension CLI commands are available with Docker Desktop by default.
  • Increased the size of the screenshots displayed in the Extension marketplace.
  • Fixed a bug where a Docker extension fails to load if its backend container(s) are stopped. Fixes docker/extensions-sdk#16.
  • Fixed a bug where the image search field is cleared without a reason. Fixes docker/for-win#12738.
  • Fixed a bug where the license agreement does not display and silently blocks Docker Desktop startup.
  • Fixed the displayed image and tag for unpublished extensions to actually display the ones from the installed unpublished extension.
  • Fixed the duplicate footer on the Support screen.
  • Dev Environments can be created from a subdirectory in a GitHub repository.
  • Removed the error message if the tips of the day cannot be loaded when using Docker Desktop offline. Fixes docker/for-mac#6366.

For Mac

  • Fixed a bug with location of bash completion files on macOS. Fixes docker/for-mac#6343.
  • Fixed a bug where Docker Desktop does not start if the username is longer than 25 characters. Fixes docker/for-mac#6122.
  • Fixed a bug where Docker Desktop was not starting due to invalid system proxy configuration. Fixes some issues reported in docker/for-mac#6289.
  • Fixed a bug where Docker Desktop failed to start when the experimental virtualization framework is enabled.
  • Fixed a bug where the tray icon still displayed after uninstalling Docker Desktop.

For Windows

  • Fixed a bug which caused high CPU usage on Hyper-V. Fixes docker/for-win#12780.
  • Fixed a bug where Docker Desktop for Windows would fail to start. Fixes docker/for-win#12784.
  • Fixed the --backend=wsl-2 installer flag which did not set the backend to WSL 2. Fixes docker/for-win#12746.

For Linux

  • Fixed a bug when settings cannot be applied more than once.
  • Fixed Compose version displayed in the About screen.

Known Issues

  • Occasionally the Docker engine will restart during a docker system prune. This is a known issue in the version of buildkit used in the current engine and will be fixed in future releases.

4.9.1

2022-06-16

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Bug fixes and enhancements****For all platforms

  • Fixed blank dashboard screen. Fixes docker/for-win#12759.

4.9.0

2022-06-02

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

New

  • Added additional guides on the homepage for: Elasticsearch, MariaDB, Memcached, MySQL, RabbitMQ and Ubuntu.
  • Added a footer to the Docker Dashboard with general information about the Docker Desktop update status and Docker Engine statistics
  • Re-designed the containers table, adding:
    • A button to copy a container ID to the clipboard
    • A pause button for each container
    • Column resizing for the containers table
    • Persistence of sorting and resizing for the containers table
    • Bulk deletion for the containers table

Updates

  • Compose v2.6.0
  • Docker Engine v20.10.16
  • containerd v1.6.4
  • runc v1.1.1
  • Go 1.18.2

Bug fixes and enhancements****For all platforms

  • Fixed an issue which caused Docker Desktop to hang if you quit the app whilst Docker Desktop was paused.
  • Fixed the Kubernetes cluster not resetting properly after the PKI expires.
  • Fixed an issue where the Extensions Marketplace was not using the defined http proxies.
  • Improved the logs search functionality in Docker Dashboard to allow spaces.
  • Middle-button mouse clicks on buttons in the Dashboard now behave as a left-button click instead of opening a blank window.

For Mac

  • Fixed an issue to avoid creating /opt/containerd/bin and /opt/containerd/lib on the host if /opt has been added to the file sharing directories list.

For Windows

  • Fixed a bug in the WSL 2 integration where if a file or directory is bind-mounted to a container, and the container exits, then the file or directory is replaced with the other type of object with the same name. For example, if a file is replaced with a directory or a directory with a file, any attempts to bind-mount the new object fails.
  • Fixed a bug where the Tray icon and Dashboard UI didn’t show up and Docker Desktop didn’t fully start. Fixes docker/for-win#12622.

Known issues****For Linux

  • Changing ownership rights for files in bind mounts fails. This is due to the way we have implemented file sharing between the host and VM within which the Docker Engine runs. We aim to resolve this issue in the next release.

4.8.2

2022-05-18

Download Docker Desktop

Windows| Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

Updates

  • Compose v2.5.1

Bug fixes and minor enahancements

  • Fixed an issue with manual proxy settings which caused problems when pulling images. Fixes docker/for-win#12714 and docker/for-mac#6315.
  • Fixed high CPU usage when extensions are disabled. Fixes docker/for-mac#6310.
  • Docker Desktop now redacts HTTP proxy passwords in log files and diagnostics.

Known issues****For Linux

  • Changing ownership rights for files in bind mounts fails. This is due to the way we have implemented file sharing between the host and VM within which the Docker Engine runs. We aim to resolve this issue in the next release.

4.8.1

2022-05-09

Download Docker Desktop

Windows| Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

New

  • Released Docker Desktop for Linux.
  • Beta release of Docker Extensions and Extensions SDK.
  • Created a Docker Homepage where you can run popular images and discover how to use them.
  • Compose V2 is now GA

Bug fixes and enhancements

  • Fixed a bug that caused the Kubernetes cluster to be deleted when updating Docker Desktop.

Known issues****For Linux

  • Changing ownership rights for files in bind mounts fails. This is due to the way we have implemented file sharing between the host and VM within which the Docker Engine runs. We aim to resolve this issue in the next release.

4.8.0

2022-05-06

Download Docker Desktop

Windows| Mac with Intel chip | Mac with Apple chip | Debian | RPM | Arch package

New

  • Released Docker Desktop for Linux.
  • Beta release of Docker Extensions and Extensions SDK.
  • Created a Docker Homepage where you can run popular images and discover how to use them.
  • Compose V2 is now GA

Updates

  • Compose v2.5.0
  • Go 1.18.1
  • Kubernetes 1.24

Bug fixes and minor enhancements****For all platforms

  • Introduced reading system proxy. You no longer need to manually configure proxies unless it differs from your OS level proxy.
  • Fixed a bug that showed Remote Repositories in the Dashboard when running behind a proxy.
  • Fixed vpnkit establishing and blocking the client connection even if the server is gone. See docker/for-mac#6235
  • Made improvements on the Volume tab in Docker Desktop:
    • Volume size is displayed.
    • Columns can be resized, hidden and reordered.
    • A columns sort order and hidden state is persisted, even after Docker Desktop restarts.
    • Row selection is persisted when switching between tabs, even after Docker Desktop restarts.
  • Fixed a bug in the Dev Environments tab that did not add a scroll when more items were added to the screen.
  • Standardised the header title and action in the Dashboard.
  • Added support for downloading Registry Access Management policies through HTTP proxies.
  • Fixed an issue related to empty remote repositories when the machine is in sleep mode for an extended period of time.
  • Fixed a bug where dangling images were not selected in the cleanup process if their name was not marked as “<none>” but their tag is.
  • Improved the error message when docker pull fails because an HTTP proxy is required.
  • Added the ability to clear the search bar easily in Docker Desktop.
  • Renamed the “Containers / Apps” tab to “Containers”.
  • Fixed a silent crash in the Docker Desktop installer when C:\ProgramData\DockerDesktop is a file or a symlink.
  • Fixed a bug where an image with no namespace, for example docker pull <private registry>/image, would be erroneously blocked by Registry Access Management unless access to Docker Hub was enabled in settings.

For Mac

  • Docker Desktop’s icon now matches Big Sur Style guide. See docker/for-mac#5536
  • Fixed a problem with duplicate Dock icons and Dock icon not working as expected. Fixes docker/for-mac#6189.
  • Improved support for the Cmd+Q shortcut.

For Windows

  • Improved support for the Ctrl+W shortcut.

Known issues****For all platforms

  • Currently, if you are running a Kubernetes cluster, it will be deleted when you upgrade to Docker Desktop 4.8.0. We aim to fix this in the next release.

For Linux

  • Changing ownership rights for files in bind mounts fails. This is due to the way we have implemented file sharing between the host and VM within which the Docker Engine runs. We aim to resolve this issue in the next release.

4.7.1

2022-04-19

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Bug fixes and enhancements****For all platforms

  • Fixed a crash on the Quick Start Guide final screen.

For Windows

  • Fixed a bug where update was failing with a symlink error. Fixes docker/for-win#12650.
  • Fixed a bug that prevented using Windows container mode. Fixes docker/for-win#12652.

4.7.0

2022-04-07

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New

  • IT Administrators can now install Docker Desktop remotely using the command line.
  • Add the Docker Software Bill of Materials (SBOM) CLI plugin. The new CLI plugin enables users to generate SBOMs for Docker images. For more information, see Docker SBOM.
  • Use cri-dockerd for new Kubernetes clusters instead of dockershim. The change is transparent from the user’s point of view and Kubernetes containers run on the Docker Engine as before. cri-dockerd allows Kubernetes to manage Docker containers using the standard Container Runtime Interface, the same interface used to control other container runtimes. For more information, see The Future of Dockershim is cri-dockerd.

Updates

  • Docker Engine v20.10.14
  • Compose v2.4.1
  • Buildx 0.8.2
  • containerd v1.5.11
  • Go 1.18

Security

  • Update Docker Engine to v20.10.14 to address CVE-2022-24769
  • Update containerd to v1.5.11 to address CVE-2022-24769

Bug fixes and enahncements****For all platforms

  • Fixed a bug where the Registry Access Management policy was never refreshed after a failure.
  • Logs and terminals in the UI now respect your OS theme in light and dark mode.
  • Easily clean up many volumes at once via multi-select checkboxes.
  • Improved login feedback.

For Mac

  • Fixed an issue that sometimes caused Docker Desktop to display a blank white screen. Fixes docker/for-mac#6134.
  • Fixed a problem where gettimeofday() performance drops after waking from sleep when using Hyperkit. Fixes docker/for-mac#3455.
  • Fixed an issue that caused Docker Desktop to become unresponsive during startup when osxfs is used for file sharing.

For Windows

  • Fixed volume title. Fixes docker/for-win#12616.
  • Fixed a bug in the WSL 2 integration that caused Docker commands to stop working after restarting Docker Desktop or after switching to Windows containers.

4.6.1

2022-03-22

Download Docker Desktop

Windows| Mac with Intel chip | Mac with Apple chip

Updates

  • Buildx 0.8.1

Bug fixes and enahncements

  • Prevented spinning in vpnkit-forwarder filling the logs with error messages.
  • Fixed diagnostics upload when there is no HTTP proxy set. Fixes docker/for-mac#6234.
  • Removed a false positive “vm is not running” error from self-diagnose. Fixes docker/for-mac#6233.

4.6.0

2022-03-14

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New****For all platforms

  • The Docker Dashboard Volume Management feature now offers the ability to efficiently clean up volumes using multi-select checkboxes.

For Mac

  • Docker Desktop 4.6.0 gives macOS users the option of enabling a new experimental file sharing technology called VirtioFS. During testing VirtioFS has been shown to drastically reduce the time taken to sync changes between the host and VM, leading to substantial performance improvements. For more information, see VirtioFS.

Updates****For all platforms

  • Docker Engine v20.10.13
  • Compose v2.3.3
  • Buildx 0.8.0
  • containerd v1.4.13
  • runc v1.0.3
  • Go 1.17.8
  • Linux kernel 5.10.104

Security****For all platforms

  • Fixed CVE-2022-0847, aka “Dirty Pipe”, an issue that could enable attackers to modify files in container images on the host, from inside a container. If using the WSL 2 backend, you must update WSL 2 by running wsl --update.

For Windows

  • Fixed CVE-2022-26659, which could allow an attacker to overwrite any administrator writable file on the system during the installation or the update of Docker Desktop.

For Mac

  • Qemu 6.2.0

Bug fixes and enhancements****For all platforms

  • Fixed uploading diagnostics when an HTTPS proxy is set.
  • Made checking for updates from the systray menu open the Software updates settings section.

For Mac

  • Fixed the systray menu not displaying all menu items after starting Docker Desktop. Fixes docker/for-mac#6192.
  • Fixed a regression about Docker Desktop not starting in background anymore. Fixes docker/for-mac#6167.
  • Fixed missing Docker Desktop Dock icon. Fixes docker/for-mac#6173.
  • Used speed up block device access when using the experimental virtualization.framework. See benchmarks.
  • Increased default VM memory allocation to half of physical memory (min 2 GB, max 8 GB) for better out-of-the-box performances.

For Windows

  • Fixed the UI stuck in starting state forever although Docker Desktop is working fine from the command line.
  • Fixed missing Docker Desktop systray icon docker/for-win#12573
  • Fixed Registry Access Management under WSL 2 with latest 5.10.60.1 kernel.
  • Fixed a UI crash when selecting the containers of a Compose application started from a WSL 2 environment. Fixes docker/for-win#12567.
  • Fixed copying text from terminal in Quick Start Guide. Fixes docker/for-win#12444.

Known issues****For Mac

  • After enabling VirtioFS, containers with processes running with different Unix user IDs may experience caching issues. For example if a process running as root queries a file and another process running as user nginx tries to access the same file immediately, the nginx process will get a “Permission Denied” error.

4.5.1

2022-02-15

Download Docker Desktop

Windows

Bug fixes and enhancements****For Windows

  • Fixed an issue that caused new installations to default to the Hyper-V backend instead of WSL 2.
  • Fixed a crash in the Docker Dashboard which would make the systray menu disappear.

If you are running Docker Desktop on Windows Home, installing 4.5.1 will switch it back to WSL 2 automatically. If you are running another version of Windows, and you want Docker Desktop to use the WSL 2 backend, you must manually switch by enabling the Use the WSL 2 based engine option in the Settings > General section. Alternatively, you can edit the Docker Desktop settings file located at %APPDATA%\Docker\settings.json and manually switch the value of the wslEngineEnabled field to true.

4.5.0

2022-02-10

Download Docker Desktop

Mac with Intel chip | Mac with Apple chip

New

  • Docker Desktop 4.5.0 introduces a new version of the Docker menu which creates a consistent user experience across all operating systems. For more information, see the blog post New Docker Menu & Improved Release Highlights with Docker Desktop 4.5
  • The ‘docker version’ output now displays the version of Docker Desktop installed on the machine.

Updates

  • Amazon ECR Credential Helper v0.6.0

Security****For Mac

  • Fixed CVE-2021-44719 where Docker Desktop could be used to access any user file on the host from a container, bypassing the allowed list of shared folders.

For Windows

  • Fixed CVE-2022-23774 where Docker Desktop allows attackers to move arbitrary files.

Bug fixes and enhancements****For all platforms

  • Fixed an issue where Docker Desktop incorrectly prompted users to sign in after they quit Docker Desktop and start the application.
  • Increased the filesystem watch (inotify) limits by setting fs.inotify.max_user_watches=1048576 and fs.inotify.max_user_instances=8192 in Linux. Fixes docker/for-mac#6071.

For Mac

  • Fixed an issue that caused the VM to become unresponsive during startup when using osxfs and when no host directories are shared with the VM.
  • Fixed an issue that didn’t allow users to stop a Docker Compose application using Docker Dashboard if the application was started in a different version of Docker Compose. For example, if the user started a Docker Compose application in V1 and then switched to Docker Compose V2, attempts to stop the Docker Compose application would fail.
  • Fixed an issue where Docker Desktop incorrectly prompted users to sign in after they quit Docker Desktop and start the application.
  • Fixed an issue where the About Docker Desktop window wasn’t working anymore.
  • Limit the number of CPUs to 8 on Mac M1 to fix the startup problem. Fixes docker/for-mac#6063.

For Windows

  • Fixed an issue related to compose app started with version 2, but the dashboard only deals with version 1

Known issues****For Windows

Installing Docker Desktop 4.5.0 from scratch has a bug which defaults Docker Desktop to use the Hyper-V backend instead of WSL 2. This means, Windows Home users will not be able to start Docker Desktop as WSL 2 is the only supported backend. To work around this issue, you must uninstall 4.5.0 from your machine and then download and install Docker Desktop 4.5.1 or a higher version. Alternatively, you can edit the Docker Desktop settings.json file located at %APPDATA%\Docker\settings.json and manually switch the value of the wslEngineEnabled field to true.

4.4.4

2022-01-24

Download Docker Desktop

Windows

Bug fixes and enhancements****For Windows

  • Fixed logging in from WSL 2. Fixes docker/for-win#12500.

Known issues****For Windows

  • Clicking Proceed to Desktop after signing in through the browser, sometimes does not bring the Dashboard to the front.
  • After logging in, when the Dashboard receives focus, it sometimes stays in the foreground even when clicking a background window. As a workaround you need to click the Dashboard before clicking another application window.
  • The tips of the week show on top of the mandatory login dialog when an organization restriction is enabled via a registry.json file.

4.4.3

2022-01-14

Download Docker Desktop

Windows

Bug fixes and enhancements****For Windows

  • Disabled Dashboard shortcuts to prevent capturing them even when minimized or un-focussed. Fixes docker/for-win#12495.

Known issues****For Windows

  • Clicking Proceed to Desktop after signing in through the browser, sometimes does not bring the Dashboard to the front.
  • After logging in, when the Dashboard receives focus, it sometimes stays in the foreground even when clicking a background window. As a workaround you need to click the Dashboard before clicking another application window.
  • The tips of the week show on top of the mandatory login dialog when an organization restriction is enabled via a registry.json file.

4.4.2

22-01-13

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New

  • Easy, Secure sign in with Auth0 and Single Sign-on
    • Single Sign-on: Users with a Docker Business subscription can now configure SSO to authenticate using their identity providers (IdPs) to access Docker. For more information, see Single Sign-on.
    • Signing in to Docker Desktop now takes you through the browser so that you get all the benefits of auto-filling from password managers.

Upgrades

  • Docker Engine v20.10.12
  • Compose v2.2.3
  • Kubernetes 1.22.5
  • docker scan v0.16.0

Security

  • Fixed CVE-2021-45449 that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.

Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user’s machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.

Bug fixes and enhancements****For all platforms

  • Docker Desktop displays an error if registry.json contains more than one organization in the allowedOrgs field. If you are using multiple organizations for different groups of developers, you must provision a separate registry.json file for each group.
  • Fixed a regression in Compose that reverted the container name separator from - to _. Fixes docker/compose-switch.

For Mac

  • Fixed the memory statistics for containers in the Dashboard. Fixes docker/for-mac/#4774.
  • Added a deprecated option to settings.json: "deprecatedCgroupv1": true, which switches the Linux environment back to cgroups v1. If your software requires cgroups v1, you should update it to be compatible with cgroups v2. Although cgroups v1 should continue to work, it is likely that some future features will depend on cgroups v2. It is also possible that some Linux kernel bugs will only be fixed with cgroups v2.
  • Fixed an issue where putting the machine to Sleep mode after pausing Docker Desktop results in Docker Desktop not being able to resume from pause after the machine comes out of Sleep mode. Fixes for-mac#6058.

For Windows

  • Doing a Reset to factory defaults no longer shuts down Docker Desktop.

Known issues****For all platforms

  • The tips of the week show on top of the mandatory login dialog when an organization restriction is enabled via a registry.json file.

For Windows

  • Clicking Proceed to Desktop after logging in in the browser, sometimes does not bring the Dashboard to the front.
  • After logging in, when the Dashboard receives focus, it sometimes stays in the foreground even when clicking a background window. As a workaround you need to click the Dashboard before clicking another application window.
  • When the Dashboard is open, even if it does not have focus or is minimized, it will still catch keyboard shortcuts (e.g. ctrl-r for Restart)

4.3.2

2021-12-21

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Security

  • Fixed CVE-2021-45449 that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.

Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user’s machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.

Upgrades

docker scan v0.14.0

Security

Log4j 2 CVE-2021-44228: We have updated the docker scan CLI plugin. This new version of docker scan is able to detect Log4j 2 CVE-2021-44228 and Log4j 2 CVE-2021-45046

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

4.3.1

2021-12-11

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Upgrades

docker scan v0.11.0

Security

Log4j 2 CVE-2021-44228: We have updated the docker scan CLI plugin for you. Older versions of docker scan in Docker Desktop 4.3.0 and earlier versions are not able to detect Log4j 2 CVE-2021-44228.

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

4.3.0

2021-12-02

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Upgrades

  • Docker Engine v20.10.11
  • containerd v1.4.12
  • Buildx 0.7.1
  • Compose v2.2.1
  • Kubernetes 1.22.4
  • Docker Hub Tool v0.4.4
  • Go 1.17.3

Bug fixes and minor changes****For all platforms

  • Added a self-diagnose warning if the host lacks Internet connectivity.
  • Fixed an issue which prevented users from saving files from a volume using the Save As option in the Volumes UI. Fixes docker/for-win#12407.
  • Docker Desktop now uses cgroupv2. If you need to run systemd in a container then:
    • Ensure your version of systemd supports cgroupv2. It must be at least systemd 247. Consider upgrading any centos:7 images to centos:8.
    • Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

For Mac

  • Docker Desktop on Apple silicon no longer requires Rosetta 2, with the exception of three optional command line tools.

For Windows

  • Fixed an issue that caused Docker Desktop to fail during startup if the home directory path contains a character used in regular expressions. Fixes docker/for-win#12374.

Known issue

Docker Dashboard incorrectly displays the container memory usage as zero on Hyper-V based machines. You can use the docker stats command on the command line as a workaround to view the actual memory usage. See docker/for-mac#6076.

Deprecation

  • The following internal DNS names are deprecated and will be removed from a future release: docker-for-desktop, docker-desktop, docker.for.mac.host.internal, docker.for.mac.localhost, docker.for.mac.gateway.internal. You must now use host.docker.internal, vm.docker.internal, and gateway.docker.internal.
  • Removed: Custom RBAC rules have been removed from Docker Desktop as it gives cluster-admin privileges to all Service Accounts. Fixes docker/for-mac/#4774.

4.2.0

2021-11-09

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New

Pause/Resume: You can now pause your Docker Desktop session when you are not actively using it and save CPU resources on your machine.

  • Ships Docker Public Roadmap#226

Software Updates: The option to turn off automatic check for updates is now available for users on all Docker subscriptions, including Docker Personal and Docker Pro. All update-related settings have been moved to the Software Updates section.

  • Ships Docker Public Roadmap#228

Window management: The Docker Dashboard window size and position persists when you close and reopen Docker Desktop.

Upgrades

  • Docker Engine v20.10.10
  • containerd v1.4.11
  • runc v1.0.2
  • Go 1.17.2
  • Compose v2.1.1
  • docker-scan 0.9.0

Bug fixes and minor changes****For all platforms

  • Improved: Self-diagnose now also checks for overlap between host IPs and docker networks.
  • Fixed the position of the indicator that displays the availability of an update on the Docker Dashboard.

For Mac

  • Fixed an issue that caused Docker Desktop to stop responding upon clicking Exit on the fatal error dialog.
  • Fixed a rare startup failure affecting users having a docker volume bind-mounted on top of a directory from the host. If existing, this fix will also remove manually user added DENY DELETE ACL entries on the corresponding host directory.
  • Fixed a bug where a Docker.qcow2 file would be ignored on upgrade and a fresh Docker.raw used instead, resulting in containers and images disappearing. Note that if a system has both files (due to the previous bug) then the most recently modified file will be used, to avoid recent containers and images disappearing again. To force the use of the old Docker.qcow2, delete the newer Docker.raw file. Fixes docker/for-mac#5998.
  • Fixed a bug where subprocesses could fail unexpectedly during shutdown, triggering an unexpected fatal error popup. Fixes docker/for-mac#5834.

For Windows

  • Fixed Docker Desktop sometimes hanging when clicking Exit in the fatal error dialog.
  • Fixed an issue that frequently displayed the Download update popup when an update has been downloaded but hasn’t been applied yet docker/for-win#12188.
  • Fixed installing a new update killing the application before it has time to shut down.
  • Fixed: Installation of Docker Desktop now works even with group policies preventing users to start prerequisite services (e.g. LanmanServer) docker/for-win#12291.

4.1.1

2021-10-12

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Bug fixes and minor changes****For Mac

When upgrading from 4.1.0, the Docker menu does not change to Update and restart so you can just wait for the download to complete (icon changes) and then select Restart. This bug is fixed in 4.1.1, for future upgrades.

  • Fixed a bug where a Docker.qcow2 file would be ignored on upgrade and a fresh Docker.raw used instead, resulting in containers and images disappearing. If a system has both files (due to the previous bug), then the most recently modified file will be used to avoid recent containers and images disappearing again. To force the use of the old Docker.qcow2, delete the newer Docker.raw file. Fixes docker/for-mac#5998.
  • Fixed the update notification overlay sometimes getting out of sync between the Settings button and the Software update button in the Docker Dashboard.
  • Fixed the menu entry to install a newly downloaded Docker Desktop update. When an update is ready to install, the Restart option changes to Update and restart.

For Windows

  • Fixed a regression in WSL 2 integrations for some distros (e.g. Arch or Alpine). Fixes docker/for-win#12229
  • Fixed update notification overlay sometimes getting out of sync between the Settings button and the Software update button in the Dashboard.

4.1.0

2021-09-30

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New

  • Software Updates: The Settings tab now includes a new section to help you manage Docker Desktop updates. The Software Updates section notifies you whenever there’s a new update and allows you to download the update or view information on what’s included in the newer version.
  • Compose V2 You can now specify whether to use Docker Compose V2 in the General settings.
  • Volume Management: Volume management is now available for users on any subscription, including Docker Personal. Ships Docker Public Roadmap#215

Upgrades

  • Compose V2
  • Buildx 0.6.3
  • Kubernetes 1.21.5
  • Go 1.17.1
  • Alpine 3.14
  • Qemu 6.1.0
  • Base distro to debian:bullseye

Bug fixes and minor changes****For Windows

  • Fixed a bug related to anti-malware software triggering, self-diagnose avoids calling the net.exe utility.
  • Fixed filesystem corruption in the WSL 2 Linux VM in self-diagnose. This can be caused by microsoft/WSL#5895.
  • Fixed SeSecurityPrivilege requirement issue. See docker/for-win#12037.
  • Fixed CLI context switch sync with UI. See docker/for-win#11721.
  • Added the key vpnKitMaxPortIdleTime to settings.json to allow the idle network connection timeout to be disabled or extended.
  • Fixed a crash on exit. See docker/for-win#12128.
  • Fixed a bug where the CLI tools would not be available in WSL 2 distros.
  • Fixed switching from Linux to Windows containers that was stuck because access rights on panic.log. See for-win#11899.

Known Issues****For Windows

Docker Desktop may fail to start when upgrading to 4.1.0 on some WSL-based distributions such as ArchWSL. See docker/for-win#12229

4.0.1

2021-09-13

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

Upgrades

  • Compose V2 RC3
    • Compose v2 is now hosted on github.com/docker/compose.
    • Fixed go panic on downscale using compose up --scale.
    • Fixed a race condition in compose run --rm while capturing exit code.

Bug fixes and minor changes****For all platforms

  • Fixed a bug where copy-paste was not available in the Docker Dashboard.

For Windows

  • Fixed a bug where Docker Desktop would not start correctly with the Hyper-V engine. See docker/for-win#11963

4.0.0

2021-08-31

Download Docker Desktop

Windows | Mac with Intel chip | Mac with Apple chip

New

Docker has announced updates and extensions to the product subscriptions to increase productivity, collaboration, and added security for our developers and businesses.

The updated Docker Subscription Service Agreement includes a change to the terms for Docker Desktop.

  • Docker Desktop remains free for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects.
  • It requires a paid subscription (Pro, Team, or Business), for as little as $5 a month, for professional use in larger enterprises.
  • The effective date of these terms is August 31, 2021. There is a grace period until January 31, 2022 for those that will require a paid subscription to use Docker Desktop.
  • The Docker Pro and Docker Team subscriptions now include commercial use of Docker Desktop.
  • The existing Docker Free subscription has been renamed Docker Personal.
  • No changes to Docker Engine or any other upstream open source Docker or Moby project.

To understand how these changes affect you, read the FAQs. For more information, see Docker subscription overview.

Upgrades

  • Compose V2 RC2
    • Fixed project name to be case-insensitive for compose down. See docker/compose-cli#2023
    • Fixed non-normalized project name.
    • Fixed port merging on partial reference.
  • Kubernetes 1.21.4

Bug fixes and minor changes****For Mac

  • Fixed a bug where SSH was not available for builds from git URL. Fixes for-mac#5902

For Windows

  • Fixed a bug where the CLI tools would not be available in WSL 2 distros.
  • Fixed a bug when switching from Linux to Windows containers due to access rights on panic.log. for-win#11899

Related news

Gentoo Linux Security Advisory 202409-29

Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.

Gentoo Linux Security Advisory 202408-01

Gentoo Linux Security Advisory 202408-1 - Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.6.19 are affected.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024. Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems. "It is a modified version of the public project

Gentoo Linux Security Advisory 202401-31

Gentoo Linux Security Advisory 202401-31 - Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. Versions greater than or equal to 1.6.14 are affected.

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

Red Hat Security Advisory 2023-5314-01

Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized

RHSA-2023:4671: Red Hat Security Advisory: OpenShift Container Platform 4.12.30 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.30 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplemen...

CVE-2023-33953: Security Bulletins

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...

RHSA-2023:4488: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 6.0.1[security update]

The components for Red Hat OpenShift support for Windows Containers 6.0.1 are now available. This product release includes bug fixes and security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject...

Red Hat Security Advisory 2023-4226-01

Red Hat Security Advisory 2023-4226-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.6.

RHSA-2023:4226: Red Hat Security Advisory: OpenShift Container Platform 4.13.6 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number...

Red Hat Security Advisory 2023-4025-01

Red Hat Security Advisory 2023-4025-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-4003-01

Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-6202-1

Ubuntu Security Notice 6202-1 - David Korczynski and Adam Korczynski discovered that containerd incorrectly processed certain images with large files. An attacker could possibly use this issue to cause containerd to crash, resulting in a denial of service. It was discovered that containerd incorrectly set up supplementary groups inside a container. An attacker with direct access to the container could possibly use this issue to obtain sensitive information or execute code with higher privileges.

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3624-01

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:3537: Red Hat Security Advisory: OpenShift Container Platform 4.13.3 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number...

RHSA-2023:3455: Red Hat Security Advisory: Release of OpenShift Serverless 1.29.0

OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...

RHSA-2023:3450: Red Hat Security Advisory: OpenShift Serverless Client kn 1.29.0 release

OpenShift Serverless 1.29.0 has been released. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of serv...

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

Red Hat Security Advisory 2023-3205-01

Red Hat Security Advisory 2023-3205-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 images. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1326-01

Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

Red Hat Security Advisory 2023-2029-01

Red Hat Security Advisory 2023-2029-01 - The OpenShift Security Profiles Operator v0.7.0 is now available. Issues addressed include a denial of service vulnerability.

RHSA-2023:2029: Red Hat Security Advisory: OpenShift Security Profiles Operator bug fix update

An updated Security Profiles Operator image that fixes various bugs is now available for the Red Hat OpenShift Enterprise 4 catalog.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0475: A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive. * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information o...

Red Hat Security Advisory 2023-1372-01

Red Hat Security Advisory 2023-1372-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-2204-01

Red Hat Security Advisory 2023-2204-01 - Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

RHSA-2023:2319: Red Hat Security Advisory: git security and bug fix update

An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24765: A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository. * CVE-2022-29187: A vu...

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.

RHSA-2023:2107: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...

Red Hat Security Advisory 2023-2041-01

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.

Ubuntu Security Notice USN-6038-1

Ubuntu Security Notice 6038-1 - It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service.

CVE-2023-28842: Encrypted overlay network with a single endpoint is unauthenticated

Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an o...

CVE-2023-28842: Encrypted overlay network with a single endpoint is unauthenticated

Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an o...

CVE-2023-28842: Encrypted overlay network with a single endpoint is unauthenticated

Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an o...

GHSA-232p-vwff-86mp: moby/moby's dockerd daemon encrypted overlay network may be unauthenticated

[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of [SwarmKit](https://github.com/moby/swarmkit) and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of [VXLAN](https://en.wikipedia.org/wiki/Virtual_Extensible_LAN), which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VX...

GHSA-33pg-m6jh-5237: moby/moby's dockerd daemon encrypted overlay network traffic may be unencrypted

[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of [SwarmKit](https://github.com/moby/swarmkit) and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of [VXLAN](https://en.wikipedia.org/wiki/Virtual_Extensible_LAN), which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VX...

GHSA-6wrf-mxfj-pf5p: moby/moby's dockerd daemon encrypted overlay network with a single endpoint is unauthenticated

[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of [SwarmKit](https://github.com/moby/swarmkit) and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of [VXLAN](https://en.wikipedia.org/wiki/Virtual_Extensible_LAN), which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VX...

Red Hat Security Advisory 2023-1529-01

Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.

RHSA-2023:1529: Red Hat Security Advisory: Service Telemetry Framework 1.5 security update

An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....

Ubuntu Security Notice USN-5686-4

Ubuntu Security Notice 5686-4 - USN-5686-1 fixed several vulnerabilities in Git. This update provides the corresponding fix for CVE-2022-39253 on Ubuntu 16.04 ESM. Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour.

CVE-2023-22490: GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** This vulnerability could disclose sensitive information on the victim's file system as well as achieve data exfiltration.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

RHSA-2023:1174: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. * CVE-2022...

Red Hat Security Advisory 2023-1042-01

Red Hat Security Advisory 2023-1042-01 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.

Red Hat Security Advisory 2023-1079-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

Red Hat Security Advisory 2023-1079-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

RHSA-2023:1042: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-1962: A flaw was found in the golang standard library, go/par...

RHSA-2023:1042: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-1962: A flaw was found in the golang standard library, go/par...

CVE-2022-42797: About the security content of Xcode 14.1

An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2023:0774: Red Hat Security Advisory: OpenShift Container Platform 4.11.28 security update

Red Hat OpenShift Container Platform release 4.11.28 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...

Red Hat Security Advisory 2023-0769-01

Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

RHSA-2023:0769: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...

CVE-2023-25153: Release containerd 1.5.18 · containerd/containerd

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

CVE-2023-25153: Release containerd 1.5.18 · containerd/containerd

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

CVE-2023-25173: CVE-2022-2995 - GitHub Advisory Database

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container ent...

GHSA-259w-8hf6-59c2: OCI image importer memory exhaustion in github.com/containerd/containerd

### Impact When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. ### Patches This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski) and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security fuzzing audit sponsored by CNCF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://github.com/containerd/...

GHSA-hmfx-3pcx-653p: Supplementary groups are not set up properly in github.com/containerd/containerd

### Impact A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. ### Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. ### Workarounds Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-",...

Red Hat Security Advisory 2023-0709-01

Red Hat Security Advisory 2023-0709-01 - Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. This release includes security and bug fixes, and enhancements.

Red Hat Security Advisory 2023-0709-01

Red Hat Security Advisory 2023-0709-01 - Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. This release includes security and bug fixes, and enhancements.

RHSA-2023:0709: Red Hat Security Advisory: Release of OpenShift Serverless 1.27.0

Release of OpenShift Serverless 1.27.0 The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query para...

RHSA-2023:0693: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...

RHSA-2023:0631: Red Hat Security Advisory: RHSA: Submariner 0.14 - bug fix and security updates

Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...

CVE-2022-42950: Couchbase Alerts

An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.

CVE-2022-45589: Talend Security

SQL Injection vulnerability in Talend ESB Runtime 7.3.1-R2022-09-RT thru 8.0.1-R2022-10-RT when using the provisioning service.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

Debian Security Advisory 5332-1

Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.

CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

Red Hat Security Advisory 2023-0446-01

Red Hat Security Advisory 2023-0446-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Red Hat Security Advisory 2023-0264-01

Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-5776-1

Ubuntu Security Notice 5776-1 - It was discovered that containerd incorrectly handled memory when receiving certain faulty Exec or ExecSync commands. A remote attacker could possibly use this issue to cause a denial of service or crash containerd. It was discovered that containerd incorrectly set up inheritable file capabilities. An attacker could possibly use this issue to escalate privileges inside a container. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

Ubuntu Security Notice USN-5686-3

Ubuntu Security Notice 5686-3 - USN-5686-1 fixed vulnerabilities in Git. This update provides the corresponding updates for Ubuntu 22.10. Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-39253: Local clone optimization dereferences symbolic links by default

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` d...

Ubuntu Security Notice USN-5686-1

Ubuntu Security Notice 5686-1 - Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour. Kevin Backhouse discovered that Git incorrectly handled certain command strings. An attacker could possibly use this issue to arbitrary code execution.

CVE-2022-2879: archive/tar: unbounded memory consumption when reading headers · Issue #54853 · golang/go

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

GHSA-rc4r-wh2q-q6c4: Moby supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Users should update to this version when it is available. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly. Thanks to Steven Murdoch for reporting this issue. ---- ### Impact If an attacker has d...

CVE-2022-2990: Vulnerability in Linux containers – investigation and mitigation

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

CVE-2022-36109: Security vulnerability relating to supplementary group permissions

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.

"As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered

Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level. "DirtyCred is a kernel exploitation concept that swaps unprivileged

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-26657: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-27934: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27932: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-26656: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

CVE-2022-27933: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

Avos ransomware group expands with new attack arsenal

By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Avos ransomware group expands with new attack arsenal

By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Security vulnerabilities: 5 times that organizations got hacked

In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses. The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.

CVE-2022-33915: ALAS-2022-1601

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

CVE-2022-29862: Security - OPC Foundation

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

CVE-2022-31761: June

Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-23712: Security issues

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-23712: Security issues

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

Red Hat Security Advisory 2022-1357-01

Red Hat Security Advisory 2022-1357-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.10.

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

Red Hat Security Advisory 2022-2265-01

Red Hat Security Advisory 2022-2265-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.58.

RHSA-2022:2265: Red Hat Security Advisory: OpenShift Container Platform 4.6.58 security and extras update

Red Hat OpenShift Container Platform release 4.6.58 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

CVE-2021-44719: Redirecting…

Docker Desktop 4.3.0 has Incorrect Access Control.

Red Hat Security Advisory 2022-1699-01

Red Hat Security Advisory 2022-1699-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.50.

RHSA-2022:1699: Red Hat Security Advisory: OpenShift Container Platform 4.7.50 security update

Red Hat OpenShift Container Platform release 4.7.50 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty

RHEA-2022:1596: Red Hat Enhancement Advisory: OpenShift Virtualization 4.9.4 Images

Red Hat OpenShift Virtualization release 4.9.4 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error

CVE-2022-24769: Merge pull request from GHSA-2mm7-x5h6-5pvq · moby/moby@2bbc786

Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directl...

CVE-2022-0847: Invalid Bug ID

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

CVE-2021-44548: Solr™ Security News

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

CVE-2021-45046: security - CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CVE-2020-35198: Wind River

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-35198: Wind River

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907