CVE-2024-32473

Published: 2024-04-18 00:00:00
Source: ubuntu.com
Tags: moby, container, docker, security, vulnerability, ipv6, network, patch, attack surface

AI Score: 4.5 Medium (confidence: High)
EPSS: 0.0004 Low (percentile: 8.7%)

Moby is an open source container framework that is a key component of
Docker Engine, Docker Desktop, and other distributions of container tooling
or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces,
including those belonging to networks where --ipv6=false. A container
with an ipvlan or macvlan interface will normally be configured to
share an external network link with the host machine. Because of this
direct access, (1) containers may be able to communicate with other hosts
on the local network over link-local IPv6 addresses, (2) if router
advertisements are being broadcast over the local network, containers may
get SLAAC-assigned addresses, and (3) the interface will be a member of
IPv6 multicast groups. This means interfaces in IPv4-only networks present
an unexpectedly and unnecessarily increased attack surface. The issue is
patched in 26.0.2. To completely disable IPv6 in a container, use
--sysctl=net.ipv6.conf.all.disable_ipv6=1 in the docker create or
docker run command, or set the same sysctl in the service configuration
of a compose file.
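An added audit example, not part of the advisory and not code from Ubuntu or the Moby project: it walks a compose project in the JSON shape emitted by `docker compose config --format json` (a constructed sample is embedded inline) and reports services attached to an IPv4-only macvlan or ipvlan network that do not set the disable_ipv6 sysctl described above. The service and network names, images and the sample project are assumptions; the sysctl key and the 26.0.2 fix version come from the advisory.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`
# (the normalized project); not captured from a real deployment.
SAMPLE_PROJECT = json.loads("""{
  "services": {
    "sensor":   {"image": "example/sensor:1.0", "networks": {"lan": null}},
    "hardened": {"image": "example/sensor:1.0", "networks": {"lan": null},
                 "sysctls": {"net.ipv6.conf.all.disable_ipv6": "1"}},
    "api":      {"image": "example/api:1.0", "networks": {"backend": null}}
  },
  "networks": {
    "lan":     {"driver": "macvlan", "enable_ipv6": false},
    "backend": {"driver": "bridge"}
  }
}""")

SHARED_LINK_DRIVERS = {"macvlan", "ipvlan"}   # interfaces on the host's link
DISABLE_KEY = "net.ipv6.conf.all.disable_ipv6"

def ipv6_disabled(sysctls):
    """True if the service pins disable_ipv6=1 (compose allows list or map)."""
    if isinstance(sysctls, dict):
        return str(sysctls.get(DISABLE_KEY, "0")).strip() == "1"
    return any(str(e).split("=", 1) == [DISABLE_KEY, "1"] for e in sysctls or [])

def exposed_services(project):
    """Names of services attached to an IPv4-only macvlan/ipvlan network
    without the sysctl mitigation named in the advisory (pre-26.0.2 engines)."""
    nets = project.get("networks", {})
    findings = []
    for name, svc in project.get("services", {}).items():
        attached = svc.get("networks") or {}
        if isinstance(attached, list):      # un-normalized short form
            attached = {n: None for n in attached}
        for net_name in attached:
            net = nets.get(net_name, {})
            if net.get("driver") not in SHARED_LINK_DRIVERS:
                continue
            if net.get("enable_ipv6"):       # IPv6 intended here, not a finding
                continue
            if not ipv6_disabled(svc.get("sysctls")):
                findings.append(name)
                break
    return sorted(findings)
```

Services it returns need either the sysctl added to their definition or an engine upgrade to 26.0.2 or later.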

Notes

alexmurray: Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package.

sbeattie: docker packages contain an embedded copy of github:moby/buildkit
