From 23e841178a725a3b88feaa629620eaf1022babb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Mon, 18 May 2026 17:40:59 +0200 Subject: [PATCH] engine: 29.5.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Paweł Gronowski --- content/manuals/engine/release-notes/29.md | 26 ++++++++++++++++++++++ hugo.yaml | 4 ++-- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/content/manuals/engine/release-notes/29.md b/content/manuals/engine/release-notes/29.md index 9cabb8a3c4bc..26c4dc21db0f 100644 --- a/content/manuals/engine/release-notes/29.md +++ b/content/manuals/engine/release-notes/29.md @@ -22,6 +22,32 @@ For more information about: - Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md). - Changes to the Engine API, see [Engine API version history](/reference/api/engine/version-history/). +## 29.5.1 + +{{< release-date date="2026-05-18" >}} + +For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: + +- [docker/cli, 29.5.1 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A29.5.1) +- [moby/moby, 29.5.1 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A29.5.1) + +### Security + +This release includes fixes for multiple security vulnerabilities affecting Docker Engine. + +- **CVE-2026-41567** Fix a vulnerability in `docker cp` where archive decompression binaries (e.g. `xz`, `unpigz`) were resolved via `PATH` inside the container filesystem while running as host root, allowing a malicious container to execute arbitrary binaries with host root privileges. + [GHSA-x86f-5xw2-fm2r](https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r) + +- **CVE-2026-41568** Fix a TOCTOU vulnerability in `docker cp` that allowed a container process to create files or directories at arbitrary locations on the host filesystem. + [GHSA-vp62-88p7-qqf5](https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5) + +- **CVE-2026-42306** Fix a TOCTOU vulnerability in `docker cp` that allowed a container process to redirect a bind mount to an arbitrary location on the host filesystem. + [GHSA-rg2x-37c3-w2rh](https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh) + +### Networking + +- Fix UDP conntrack entries not being deleted when not bound to a specific IP address. [moby/moby#52640](https://github.com/moby/moby/pull/52640) + ## 29.5.0 {{< release-date date="2026-05-14" >}} diff --git a/hugo.yaml b/hugo.yaml index 71a9f508655c..94b6dfd629ce 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -154,10 +154,10 @@ params: # Latest version of the Docker Engine API latest_engine_api_version: "1.54" # Latest version of Docker Engine - docker_ce_version: "29.5.0" + docker_ce_version: "29.5.1" # Previous version of the Docker Engine # (Used to show e.g., "latest" and "latest"-1 in engine install examples - docker_ce_version_prev: "29.4.3" + docker_ce_version_prev: "29.5.0" # Latest Docker Compose version compose_version: "v5.1.2" # Latest BuildKit version