Skip to content

Fix CVE-2025-54410: Upgrade docker/docker to v28.0.0#617

Merged
dlevy-msft-sql merged 2 commits intomainfrom
copilot/fix-cve-2025-54410-vulnerability
Jan 20, 2026
Merged

Fix CVE-2025-54410: Upgrade docker/docker to v28.0.0#617
dlevy-msft-sql merged 2 commits intomainfrom
copilot/fix-cve-2025-54410-vulnerability

Conversation

Copy link
Contributor

Copilot AI commented Jan 20, 2026
edited
Loading

Upgrades github.com/docker/docker from v27.3.1 to v28.0.0 to address CVE-2025-54410.

Changes

  • Dependency upgrade: github.com/docker/docker v27.3.1 → v28.0.0
  • API migration: Docker v28 relocated exec types to the container package:
    • types.ExecConfigcontainer.ExecOptions
    • types.ExecStartCheckcontainer.ExecStartOptions

Updated internal/container/controller.go accordingly:

// Before
response, err := c.cli.ContainerExecCreate(ctx, id, types.ExecConfig{...})
r, err := c.cli.ContainerExecAttach(ctx, response.ID, types.ExecStartCheck{})

// After  
response, err := c.cli.ContainerExecCreate(ctx, id, container.ExecOptions{...})
r, err := c.cli.ContainerExecAttach(ctx, response.ID, container.ExecStartOptions{})

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • cloud.google.com
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • does
    • Triggering command: /tmp/go-build97691435/b546/install.test /tmp/go-build97691435/b546/install.test -test.testlogfile=/tmp/go-build97691435/b546/testlog.txt -test.paniconexit0 -test.timeout=5m0s /tmp/go-build97691435/b440/vet.cfg TOKEN"; }; f get TOKEN"; }; f get ux_amd64/vet --gdwarf-5 nternal/test p=/opt/hostedtoo--no-pager ux_amd64/vet -W bNeRgH2yD V3yW/i3Hp_KGhK1oveth9377e60 ux_amd64/vet 89b57c4ccb510665/opt/hostedtoolcache/go/1.24.11/x64/pkg/tool/linux_amd64/vet --gdwarf2 --64 ux_amd64/vet (dns block)
  • go.googlesource.com
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • go.opentelemetry.io
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • google.golang.org
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • gopkg.in
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • gotest.tools
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • honnef.co
    • Triggering command: /update-job-proxy /update-job-proxy by/2d9c29d4361c1-V=full 92839b67d78da07e x64/pkg/tool/linux_amd64/vet /usr�� 91435/b545/_pkg_.a by/2d9c29d4361c16ac89eb51bf95fc1e9ac803cd16d5475f4492839b67d78da07e 91435/b545=> by/2d9c29d4361c1git soft/go-sqlcmd/crev-parse json 92839b67d78da07e /usr�� NHDB/SokYoUXIAbYUeOMgNHDB y fg by/4ddb2230c50b7/usr/bin/unpigz --log-format json 07e/log.json (dns block)
    • Triggering command: /update-job-proxy /update-job-proxy DROP 2 git init�� fe486d056bb33ee9--depth=1 ps /bin/git bution %H %ct %D ub.com/.insteadOblob /usr/lib/git-cor185b4288413d2a0dd0806f78c90dde719829e5ae:go.mod remo�� REDACTED REDACTED e/git /etc/ssl/certs/f/usr/sbin/iptables sed 649421f6 e/git (dns block)
  • invalid.url
    • Triggering command: /tmp/go-build97691435/b651/http.test /tmp/go-build97691435/b651/http.test -test.testlogfile=/tmp/go-build97691435/b651/testlog.txt -test.paniconexit0 -test.timeout=5m0s ctor�� 8436986/b510/_pk-s -trimpath x64/pkg/tool/lin-buildmode=exe -p m -lang=go1.24 x64/pkg/tool/lin/var/run/docker/runtime-runc/moby -o Ea4a/g42dwXYBc2b/run/containerd/io.containerd.runtime.v2.task/moby/ed0884991f65622309308b778c571/opt/hostedtoolcache/go/1.24.11/x64/pkg/tool/linux_amd64/vet .cfg ux_amd64/vet by/f486eb13e1411grep go.opentelemetry-q -lang=go1.22 ux_amd64/vet (dns block)
  • someserver
    • Triggering command: /tmp/go-build97691435/b699/sqlcmd.test /tmp/go-build97691435/b699/sqlcmd.test -test.testlogfile=/tmp/go-build97691435/b699/testlog.txt -test.paniconexit0 -test.timeout=5m0s go1.24.11 -c=4 -nolocalimports -importcfg /tmp/go-build97691435/b669/importcfg -pack /home/REDACTED/work/go-sqlcmd/go-sqlcmd/internal/output/formatter/base.go jFKYeWDdmPfF 8436�� (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Fix: CVE-2025-54410</issue_title>
<issue_description>Upgrade github.com/docker/docker from 27.3.1 to 28.0.0 or later to fix the vulnerability.</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@dlevy-msft-sql
Copy link
Contributor

dlevy-msft-sql commented Jan 20, 2026

Supersedes #606

@dlevy-msft-sql
Upgrade docker/docker to v28.0.0 and update API usage
3652750 
Co-authored-by: dlevy-msft-sql <194277063+dlevy-msft-sql@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CVE-2025-54410 by upgrading Docker version Fix CVE-2025-54410: Upgrade docker/docker to v28.0.0 Jan 20, 2026
Copilot AI requested a review from dlevy-msft-sql January 20, 2026 20:43
@dlevy-msft-sql dlevy-msft-sql marked this pull request as ready for review January 20, 2026 20:44
@dlevy-msft-sql dlevy-msft-sql added Priority: 0 Breaking things; must fix immediately Size: S Small issue (less than one week effort) Security housekeeping labels Jan 20, 2026
Copilot AI reviewed Jan 20, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades github.com/docker/docker from v27.3.1 to v28.0.0 to address CVE-2025-54410. The upgrade requires API migration changes due to Docker v28 relocating exec-related types from the types package to the container package.

Changes:

  • Upgraded github.com/docker/docker dependency from v27.3.1 to v28.0.0
  • Migrated exec API types: types.ExecConfigcontainer.ExecOptions and types.ExecStartCheckcontainer.ExecStartOptions
  • Removed obsolete import of github.com/docker/docker/api/types

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
go.mod Updated docker/docker dependency version to v28.0.0
go.sum Updated checksums for docker/docker v28.0.0
internal/container/controller.go Migrated exec API types to container package and removed obsolete types import

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dlevy-msft-sql dlevy-msft-sql merged commit 758fca9 into main Jan 20, 2026
13 checks passed
@dlevy-msft-sql dlevy-msft-sql mentioned this pull request Jan 21, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@shueybubbles shueybubbles shueybubbles approved these changes

+1 more reviewer

@dlevy-msft-sql dlevy-msft-sql dlevy-msft-sql approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dlevy-msft-sql dlevy-msft-sql

Copilot code review Copilot

Labels

housekeeping Priority: 0 Breaking things; must fix immediately Security Size: S Small issue (less than one week effort)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix: CVE-2025-54410

4 participants

@dlevy-msft-sql @shueybubbles