Package "docker-doc"

  docker.io-app (29.1.3-0ubuntu4.1) resolute-security; urgency=medium

  * SECURITY UPDATE: BuildKit path traversal
    - debian/patches/CVE-2026-33747_1.patch: Validate container IDs centrally
      in engine/vendor/.../buildkit/executor/containerdexecutor/executor.go,
      engine/vendor/.../buildkit/executor/containerid.go,
      engine/vendor/.../buildkit/executor/runcexecutor/executor.go.
    - debian/patches/CVE-2026-33747_2.patch: Sanitize downloaded filenames in
      engine/vendor/.../buildkit/source/http/source.go.
    - debian/patches/CVE-2026-33747_3.patch: Use os.Root for saved file
      operations in engine/vendor/.../buildkit/source/http/source.go.
    - CVE-2026-33747
  * SECURITY UPDATE: BuildKit path traversal
    - debian/patches/CVE-2026-33748_1.patch: Harden ref arg handling in
      engine/vendor/.../buildkit/source/git/source.go.
    - debian/patches/CVE-2026-33748_2.patch: Normalize and validate subdir
      paths in engine/vendor/.../buildkit/client/llb/source.go,
      engine/vendor/.../buildkit/source/git/identifier.go,
      engine/vendor/.../buildkit/source/git/source.go,
      engine/vendor/.../buildkit/util/gitutil/git_url.go.
    - CVE-2026-33748

 -- Edwin Jiang <email address hidden> Wed, 29 Apr 2026 12:40:20 -0400