Rancher Desktop 1.12.3

What has changed in 1.12.3

The 1.12.3 patch release updates runc to 1.1.12, buildkitd to 0.12.5, and nerdctl to 1.7.3. Together these updates fix the following CVEs (the first is in runc, the remaining four are in BuildKit):

  • CVE-2024-21626 (runc) Several container breakouts due to internally leaked fds (high)
  • CVE-2024-23650 (BuildKit) Possible panic when incorrect parameters are sent from the frontend (moderate)
  • CVE-2024-23651 (BuildKit) Possible race condition when accessing subpaths from cache mounts (high)
  • CVE-2024-23652 (BuildKit) Possible host system access from the mount stub cleaner (high)
  • CVE-2024-23653 (BuildKit) Interactive containers API does not validate the entitlements check (high)

All of these CVEs require attacker-controlled input to exploit: either building from a malicious Dockerfile or build context, or running a container image that has already been compromised. Builds and containers that use only trusted inputs are not exposed.

The following CVE is not fixed in this patch release because there is no upstream release for moby 23.* that includes the fix yet:

  • CVE-2024-24557 Classic builder cache poisoning (moderate)

Note that Rancher Desktop is only affected by this CVE if the user explicitly opts out of BuildKit and uses the legacy/classic builder (by setting DOCKER_BUILDKIT=0). It does not apply to the default configuration, which builds with BuildKit.
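As an added example (not part of the Rancher Desktop release notes or its tooling), the following POSIX shell script checks whether the three components inside the Rancher Desktop VM are at or above the fixed versions listed above, and whether DOCKER_BUILDKIT=0 has selected the classic builder that CVE-2024-24557 applies to. It assumes that `rdctl shell` can run `runc --version`, `buildkitd --version` and `nerdctl --version` inside the VM; the sample outputs embedded in the script are constructed in the formats those tools print, not captured from a real VM.

```shell
#!/bin/sh
# Added example, not Rancher Desktop's own code: verify that the components
# inside the Rancher Desktop VM carry the fixes from the 1.12.3 release notes.

# Minimum versions that contain the fixes (from the release notes above).
RUNC_FIXED=1.1.12
BUILDKITD_FIXED=0.12.5
NERDCTL_FIXED=1.7.3

# version_ge A B: succeed if dotted version A >= B, comparing each numeric
# component in turn; a missing component counts as 0 (so 1.2 >= 1.1.12).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# extract_version TEXT: print the first x.y.z token in TEXT. A leading "v" is
# dropped and trailing suffixes such as "-0-g0000000" are ignored.
extract_version() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# check_component NAME OUTPUT MIN: 0 if OUTPUT reports a version >= MIN,
# 1 if it is older (fixes missing), 2 if no version could be parsed.
check_component() {
    name=$1; output=$2; min=$3
    found=$(extract_version "$output")
    if [ -z "$found" ]; then
        echo "$name: no version found in output" >&2
        return 2
    fi
    if version_ge "$found" "$min"; then
        echo "$name $found: ok (fix present since $min)"
        return 0
    fi
    echo "$name $found: older than $min, CVE fixes missing" >&2
    return 1
}

# classic_builder_selected VALUE: 0 only when DOCKER_BUILDKIT is exactly "0",
# the one configuration in which CVE-2024-24557 applies to Rancher Desktop.
classic_builder_selected() {
    [ "$1" = "0" ]
}

# Constructed sample outputs (not captured from a real VM; commit hashes are
# placeholders) in the formats the three tools print, for offline exercise.
SAMPLE_RUNC_OLD="runc version 1.1.11
commit: v1.1.11-0-g0000000
spec: 1.0.2-dev"
SAMPLE_RUNC_FIXED="runc version 1.1.12
commit: v1.1.12-0-g0000000
spec: 1.0.2-dev"
SAMPLE_BUILDKITD="buildkitd github.com/moby/buildkit v0.12.5 0000000000000000000000000000000000000000"
SAMPLE_NERDCTL="nerdctl version 1.7.3"

# Live mode (assumption: rdctl is on PATH and the three binaries are reachable
# inside the VM through `rdctl shell`). Exits non-zero if anything is behind
# the fixed version or the classic builder is selected.
if [ "${1-}" = "--live" ]; then
    status=0
    check_component runc      "$(rdctl shell runc --version 2>/dev/null)"      "$RUNC_FIXED"      || status=1
    check_component buildkitd "$(rdctl shell buildkitd --version 2>/dev/null)" "$BUILDKITD_FIXED" || status=1
    check_component nerdctl   "$(rdctl shell nerdctl --version 2>/dev/null)"   "$NERDCTL_FIXED"   || status=1
    if classic_builder_selected "${DOCKER_BUILDKIT-}"; then
        echo "DOCKER_BUILDKIT=0: classic builder selected, CVE-2024-24557 applies" >&2
        status=1
    fi
    exit $status
fi
```

Run it with `--live` on a Rancher Desktop host to query the VM; without that flag it only defines the functions and sample data, so it can be sourced and exercised offline. The version comparison is numeric per component rather than a string compare, so 1.1.9 is correctly treated as older than 1.1.12.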
