docker-moby: Update to v25.0.9

This is the latest point release of v25.0 that supports Go v1.22

Bumping moby to version v25.0.14, which comprises the following commits:

    89a48b65fc Dockerfile: update runc binary to v1.2.5
    aae4029600 update to go1.22.12
    a2802d0746 update to go1.22.11 (fix CVE-2024-45341, CVE-2024-45336)
    9281aea6ce ci: update base container to alpine20 for buildkit workflow
    b1d6fd957d gha: set arm64 GO_VERSION to 1.22.10
    7540f88434 ci: switch from jenkins to gha for arm64 build and tests
    f8d9617c43 ci(bin-image): fix bake build
    bec5e8eed1 ci: update bake-action to v6
    fcb50183e4 Dockerfile: update runc binary to v1.2.4
    20af9f77a6 Dockerfile: update containerd to v1.7.25
    7d20eee4fd Dockerfile: update runc binary to v1.2.3
    eacc3610f9 libnetwork/drivers/bridge: setupIPChains: fix defer checking wrong err
    842024e721 update xx to v1.6.1 for compatibility with alpine 3.21
    96b8a34d2b Dockerfile: update xx to v1.5.0
    5ed63409a2 Dockerfile: update xx to v1.4.0
    03885ae2c0 update to go1.22.10
    ddc8a15eb5 Dockerd rootless: make {/etc,/var/run}/cdi available
    6648f3a10e c8d/tag: Don't log a warning if the source image is not dangling
    6f497b2d51 Dockerfile: update to runc v1.2.2
    01c163d4ee Dockerfile: update containerd to v1.7.24
    708c8dc304 gha: shorter time limits for smoke, validate
    f6bcbab7a1 gha: use "ubuntu-24.04" instead of "ubuntu-latest"
    2de8143fa6 gha: dco: small tweaks to running the container
    e0857ef530 gha: dco: update ALPINE_VERSION to 3.20
    1b7b596513 gha: build (binary), build (dynbinary): limit to 20 minutes
    2e43cd5450 gha: dco: limit to 10 minutes
    bdb21cd779 integration: add wait
    911478fb28 Jenkinsfile: modprobe br_netfilter
    2278d180a7 daemon: use OwnCgroupPath in withCgroups
    a6d1d0693f vendor: github.com/golang-jwt/jwt/v4@v4.5.1
    0ed4861f9c update to go1.22.9
    2df019330c update runc binary to 1.1.14
    e6de0b8f3b update runc binary to v1.1.13
    cb56070132 volume: VolumesService.Create: fix log-level for debug logs
    480b01a532 volume/mounts: fix anonymous volume not being labeled
    f7b7ec14b8 volume/service: change some logs to use structured logs
    60eece38cd Fix: setup user chains even if there are running containers
    54ac8bbe37 cmd/dockerd: Add workaround for OTEL meter leak
    6e1af3d5d8 gha: remove stray double empty line
    0eae0850ac gha: restrict cross and bin-image to 20 minutes
    e6a2c9bebb gha: add guardrails timeouts on all jobs
    4b98bfd07d gha: buildkit: make sure expected Go version is installed
    ae548176dc update to go1.22.8
    122682205f Dockerfile: update containerd binary to v1.7.22
    9f102b3b5b Dockerfile: update containerd binary to v1.7.21 (static binaries and CI only)
    75891766e4 man: dockerd: add description for --log-format option
    3ec9003a14 Update dlv in the dev-env
    caef5cc70c Explicitly disable nvidia device injection for --gpus=0
    34471d3259 seccomp: add riscv64 mapping to seccomp_linux.go
    bec84c9c31 update to go1.22.7
    d0315c9824 golangci-lint: temporarily disable G115: integer overflow conversion
    ff546aff14 update golangci-lint to v1.60.2
    15db81eeaa update to go1.22.6
    23af4b75e9 hack/make/.binary: set CGO_LDFLAGS=-latomic for arm/v5
    da8bfd963e hack/make/.binary: set CCGO_CFLAGS=-Wno-atomic-alignment for arm/v5
    0ce4415ff2 daemon: fix non-constant format string in call (govet)
    14a48ac308 api/types: fix non-constant format string in call (govet)
    c50e7e6ca2 api/server/router: fix non-constant format string in call (govet)
    2a4ea4749d container/stream: fix non-constant format string in call (govet)
    b536253047 libnetwork/drivers/bridge: fix non-constant format string in call (govet)
    3216abd8db volume/testutils: fix non-constant format string in call (govet)
    dd5a6fdbac builder/dockerfile: parseChownFlag: fix non-constant format string in call (govet)
    0c5e131330 layer: ignore G602: slice index out of range (gosec)
    b50a85d0ed cmd/dockerd: fix non-constant format string in call (govet)
    8105391708 libnetwork: fix non-constant format string in call (govet)
    6209d5bd68 integration-cli: fix non-constant format string in call (govet)
    25cffb9dec integration-cli: DockerSwarmSuite: rm redundant Fprintf, handle errors
    21279f652e integration-cli: DockerNetworkSuite: rm redundant Fprintf, handle errors
    a27066d1ca integration-cli: use erors.New() instead of fmt.Errorf
    e88d4ea298 libnetwork: TestDNSOptions: remove redundant skip check
    613d955d38 integration-cli: remove redundant platform checks
    e962b3e06e update to go1.21.13
    33dbea3c37 vendor: github.com/Microsoft/go-winio v0.6.2
    5e46424b29 vendor: golang.org/x/tools v0.16.0
    5ca50f5c24 vendor: golang.org/x/mod v0.17.0
    a599caf7e9 update golangci-lint to v1.59.1
    89903672a7 pkg/archive: reformat code to make #nosec comment work again
    dbf6db9306 builder/remotecontext: reformat code to make #nosec comment work again
    55a4cadaa5 man: create parent directories in install recipe
    042dad56d0 man: support bringing your own go-md2man
    553d915ef4 man: build dockerd man pages using make
    c70f626351 Removed all mentions of "please" from docs and messages
    5966382473 docs: add default-network-opt daemon option
    3edc25412a docs: remove devicemapper
    65906e44b0 man/dockerd.8: assorted formatting fixes
    a298720e8f man/dockerd.8: escape asterisks and underscores
    88a3e540c9 docs: update dockerd usage output for new proxy-options
    90fc11f69a Fix styling of arguments
    182df40d13 Fix the max-concurrent-downloads and max-concurrent-uploads configs documentation
    2544c68655 docs: remove documentation about deprecated cluster-store
    be77069539 Document `--validate` daemon option
    0299ca1d73 Update man-page source MarkDown to work with go-md2man v2
    aff4659c67 docs: update for cgroup v2 and rootless
    c47231e5cf docker run: specify cgroup namespace mode with --cgroupns
    962f331e76 daemon: document --max-download-attempts option
    71f9bfe47f Update document links and title.
    017213c2b0 Allow user to specify default address pools for docker networks This is separate commit for CLI files to address PR 36054
    210f03082b Update docs and completion-scripts for deprecated features
    2f78133a0a Added docs for dockerd
    675593bb4f fix a number of minor typos
    9c291b1745 Introduce/document new IPC modes
    a23ff1bb1a docs: add documentation for dm.libdm_log_level
    c78cecd77f Restore dockerd man page
    f14cf10618 gha: set permissions to read-only by default
    0cd951e4dd api: adjust health start interval on swarm update
    d151b0f87f vendor: OTEL v0.46.1 / v1.21.0
    30f8908102 github/ci: Check if backport is opened against the expected branch
    7454d6a2e6 ci: update workflow artifacts retention
    e8ecb9c76d update containerd binary to v1.7.20
    e6cae1f237 update containerd binary to v1.7.19
    8ec448db6b update containerd binary to v1.7.18
    274310807e integration/TestDiskUsage: Make 4096 also a 'empty' value
    886e726984 Dockerfile: update containerd binary to v1.7.17 (static binaries and CI only)
    a0f0f7e77e update containerd binary to v1.7.15
    91903e81ca If url includes scheme, urlPath will drop hostname, which would not match the auth check
    ccfe0a41d4 Authz plugin security fixes for 0-length content and path validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
    d046451b34 update to go1.21.12 [part 2]
    e16a25e442 update to go1.21.12
    b1aac1b134 update to go1.21.11
    fffbe84ded Makefile: Pass PAGER/GIT_PAGER variable
    9f6600deed builder/mobyexporter: Add missing nil check
    70fe516b46 don't depend on containerd platform.Parse to return a typed error
    f7ce828e9e Fix issue where node promotion could fail
    98ddccbbfe apparmor: Allow confined runc to kill containers
    637205391b update to go1.21.10
    3d56d734db vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4
    0a2f5085ee vendor: cloud.google.com/go/logging v1.8.1
    3141ea5c8b vendor: golang.org/x/mod v0.13.0, golang.org/x/tools v0.13.0
    4f25076181 vendor: golang.org/x/sync v0.5.0
    d93cc7edc0 nil dereference fix on image history Created value
    ee5909c2d0 vendor: golang.org/x/net v0.23.0
    f37d6f5f48 vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0
    fd828b6766 go.mod: golang.org/x/sys v0.18.0
    584a30c772 awslogs: Replace depreacted WithEndpointResolver usage
    60605eb1da vendor: bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to v1.32.0
    71b8e0339c vendor: bump github.com/aws/aws-sdk-go-v2 to v1.24.1
    08e8912d7c ci/validate-pr: Use `::error::` command to print errors
    e2e670299f Fix cases where we are wrapping a nil error
    935787c19c save: Remove platform from config descriptor
    bd19301d9e ci: Require changelog description
    50bd133ad3 update to go1.21.9
    a987bc5ad0 libnet: Don't forward to upstream resolvers on internal nw
    20c205fd3a Environment variable to override resolv.conf path.
    4be97233cc daemon: move getUnprivilegedMountFlags to internal package
    7ed7e6caf6 plugin: fix mounting /etc/hosts when running in UserNS
    81ad7062f0 rootless: fix `open /etc/docker/plugins: permission denied`
    02d4ee3f9a Makefile: generate-files: fix check for empty TMP_OUT
    478f6b097d volume: Don't decrement refcount below 0
    d250e13945 builder-next: fix missing lock in ensurelayer
    d0d85f6438 daemon: overlay2: remove world writable permission from the lower file
    0451b287dc Don't create endpoint config for MAC addr config migration
    d27fe2558d dockerd-rootless-setuptool.sh: check RootlessKit functionality
    77de535364 Dockerfile: update RootlessKit to v2.0.2
    2d347024d1 update to go1.21.8
    f66b5f642e Test DNS on Windows 'nat' networks
    fa4ea308f0 c8d/windows: Temporarily skip two failing tests
    d66e0fb7b1 Set up DNS names for Windows default network
    7a4abb8c77 ci: set codecov token
    81a83f0544 Simplify macvlan/ipvlan integration test structure
    abcd6f8a46 Run the macvlan/ipvlan integration tests
    f7be6dcba6 integration: Reset `OTEL_EXPORTER_OTLP_ENDPOINT` for sub-daemons
    10609544e5 update to go1.21.7
    be59afce2d c8d/pull: Output truncated id for `Pulling fs layer`
    97951c39fb c8d/pull: Don't emit `Downloading` with 0 progress
    2001813571 c8d/pull: Emit `Pulling fs layer`
    8e3bcf1974 pkg/streamformatter: Make `progressOutput` concurrency safe
    27f36f42a4 builder/dockerfile: ADD with best-effort xattrs
    1ae019fca2 Don't enforce new validation rules for existing networks
    c761353e7c Make 'internal' bridge networks accessible from host
    10bc347b03 ci: Update `teststat` to v0.1.25
    94137f6df5 client: fix connection-errors being shadowed by API version mismatch errors
    dd5faa9d4f ci: Make `find` for test reports more specific
    012bfd33e5 client: doRequest: make sure we return a connection-error
    3ec1946ce1 client: NegotiateAPIVersion: do not ignore (connection) errors from Ping
    200a2c3576 client: fix TestPingWithError
    70c05fe10c libcontainerd: change the digest used when restoring
    e85cef89fa api/pre-1.44: Default `ReadOnlyNonRecursive` to true
    a72294a668 mounts/validate: Don't check source exists with CreateMountpoint
    9ee331235a integration: Add container.Output utility
    5d9e13bc84 api: omit missing Created field from ImageInspect response
    bb66c3ca04 api/history: Mention empty `Created`
    fa3a64f2bc Set `Created` to `0001-01-01T00:00:00Z` on older API versions

Signed-off-by: Félix Piédallu <felix.piedallu@non.se.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

4 files changed, 2 insertions, 470 deletions

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index dd6dac05..e66416db 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -44,7 +44,7 @@ DESCRIPTION = "Linux container runtime \
 # so we get that tag, and make it our SRCREVS:
 #
 
-SRCREV_moby = "f417435e5f6216828dec57958c490c4f8bae4f98"
+SRCREV_moby = "a926bec8fc91332410133b24f3e9e3f5add13b48"
 SRCREV_libnetwork = "3797618f9a38372e8107d8c06f6ae199e1133ae8"
 SRCREV_cli = "43987fca488a535d810c429f75743d8c7b63bf4f"
 SRCREV_FORMAT = "moby_libnetwork"
@@ -56,9 +56,6 @@ SRC_URI = "\
         file://0001-libnetwork-use-GO-instead-of-go.patch \
         file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
         file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
-        file://CVE-2024-36620.patch;patchdir=src/import \
-        file://CVE-2024-36621.patch;patchdir=src/import \
-        file://CVE-2024-29018.patch;patchdir=src/import \
         "
 
 DOCKER_COMMIT = "${SRCREV_moby}"
@@ -69,7 +66,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "25.0.3"
+DOCKER_VERSION = "25.0.9"
 PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
 
 CVE_PRODUCT = "docker mobyproject:moby"
diff --git a/recipes-containers/docker/files/CVE-2024-29018.patch b/recipes-containers/docker/files/CVE-2024-29018.patch
deleted file mode 100644
index f3c800ff..00000000
--- a/recipes-containers/docker/files/CVE-2024-29018.patch
+++ /dev/null
@@ -1,344 +0,0 @@
-From 20c205fd3a0081d005958eff690e2b34df1c5e5e Mon Sep 17 00:00:00 2001
-From: Rob Murray <rob.murray@docker.com>
-Date: Tue, 19 Mar 2024 11:19:30 +0000
-Subject: [PATCH 1/2] Environment variable to override resolv.conf path.
-
-If env var DOCKER_TEST_RESOLV_CONF_PATH is set, treat it as an override
-for the 'resolv.conf' path.
-
-Added as part of resolv.conf refactoring, but needed by back-ported test
-TestInternalNetworkDNS.
-
-Signed-off-by: Rob Murray <rob.murray@docker.com>
-
-CVE: CVE-2024-29018
-Upstream-Status: Backport [https://github.com/moby/moby/commit/e63daec8672d77ac0b2b5c262ef525c7cf17fd20]
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- daemon/container_operations_unix.go       |  20 +--
- integration/networking/resolvconf_test.go | 142 ++++++++++++++++++++++
- libnetwork/endpoint.go                    |  12 +-
- libnetwork/resolver.go                    |  17 ++-
- libnetwork/sandbox_dns_unix.go            |   9 +-
- 5 files changed, 182 insertions(+), 18 deletions(-)
- create mode 100644 integration/networking/resolvconf_test.go
-
-diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 6a23a4ca92..e9be1b4e72 100644
---- a/daemon/container_operations_unix.go
-+++ b/daemon/container_operations_unix.go
-@@ -380,6 +380,7 @@ func serviceDiscoveryOnDefaultNetwork() bool {
- 
- func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
-        var err error
-+       var originResolvConfPath string
- 
-        // Set the correct paths for /etc/hosts and /etc/resolv.conf, based on the
-        // networking-mode of the container. Note that containers with "container"
-@@ -393,8 +394,8 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
-                *sboxOptions = append(
-                        *sboxOptions,
-                        libnetwork.OptionOriginHostsPath("/etc/hosts"),
--                       libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"),
-                )
-+               originResolvConfPath = "/etc/resolv.conf"
-        case container.HostConfig.NetworkMode.IsUserDefined():
-                // The container uses a user-defined network. We use the embedded DNS
-                // server for container name resolution and to act as a DNS forwarder
-@@ -407,10 +408,7 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
-                // If systemd-resolvd is used, the "upstream" DNS servers can be found in
-                // /run/systemd/resolve/resolv.conf. We do not query those DNS servers
-                // directly, as they can be dynamically reconfigured.
--               *sboxOptions = append(
--                       *sboxOptions,
--                       libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"),
--               )
-+               originResolvConfPath = "/etc/resolv.conf"
-        default:
-                // For other situations, such as the default bridge network, container
-                // discovery / name resolution is handled through /etc/hosts, and no
-@@ -423,11 +421,15 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
-                // DNS servers on the host can be dynamically updated.
-                //
-                // Copy the host's resolv.conf for the container (/run/systemd/resolve/resolv.conf or /etc/resolv.conf)
--               *sboxOptions = append(
--                       *sboxOptions,
--                       libnetwork.OptionOriginResolvConfPath(cfg.GetResolvConf()),
--               )
-+               originResolvConfPath = cfg.GetResolvConf()
-+       }
-+
-+       // Allow tests to point at their own resolv.conf file.
-+       if envPath := os.Getenv("DOCKER_TEST_RESOLV_CONF_PATH"); envPath != "" {
-+               log.G(context.TODO()).Infof("Using OriginResolvConfPath from env: %s", envPath)
-+               originResolvConfPath = envPath
-        }
-+       *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath(originResolvConfPath))
- 
-        container.HostsPath, err = container.GetRootResourcePath("hosts")
-        if err != nil {
-diff --git a/integration/networking/resolvconf_test.go b/integration/networking/resolvconf_test.go
-new file mode 100644
-index 0000000000..60c8b1bc9a
---- /dev/null
-+++ b/integration/networking/resolvconf_test.go
-@@ -0,0 +1,142 @@
-+package networking
-+
-+import (
-+       "net"
-+       "os"
-+       "testing"
-+
-+       containertypes "github.com/docker/docker/api/types/container"
-+       "github.com/docker/docker/integration/internal/container"
-+       "github.com/docker/docker/integration/internal/network"
-+       "github.com/docker/docker/testutil/daemon"
-+       "github.com/miekg/dns"
-+       "gotest.tools/v3/assert"
-+       is "gotest.tools/v3/assert/cmp"
-+       "gotest.tools/v3/skip"
-+)
-+
-+// writeTempResolvConf writes a resolv.conf that only contains a single
-+// nameserver line, with address addr.
-+// It returns the name of the temp file.
-+func writeTempResolvConf(t *testing.T, addr string) string {
-+       t.Helper()
-+       // Not using t.TempDir() here because in rootless mode, while the temporary
-+       // directory gets mode 0777, it's a subdir of an 0700 directory owned by root.
-+       // So, it's not accessible by the daemon.
-+       f, err := os.CreateTemp("", "resolv.conf")
-+       assert.NilError(t, err)
-+       t.Cleanup(func() { os.Remove(f.Name()) })
-+       err = f.Chmod(0644)
-+       assert.NilError(t, err)
-+       f.Write([]byte("nameserver " + addr + "\n"))
-+       return f.Name()
-+}
-+
-+const dnsRespAddr = "10.11.12.13"
-+
-+// startDaftDNS starts and returns a really, really daft DNS server that only
-+// responds to type-A requests, and always with address dnsRespAddr.
-+func startDaftDNS(t *testing.T, addr string) *dns.Server {
-+       serveDNS := func(w dns.ResponseWriter, query *dns.Msg) {
-+               if query.Question[0].Qtype == dns.TypeA {
-+                       resp := &dns.Msg{}
-+                       resp.SetReply(query)
-+                       answer := &dns.A{
-+                               Hdr: dns.RR_Header{
-+                                       Name:   query.Question[0].Name,
-+                                       Rrtype: dns.TypeA,
-+                                       Class:  dns.ClassINET,
-+                                       Ttl:    600,
-+                               },
-+                       }
-+                       answer.A = net.ParseIP(dnsRespAddr)
-+                       resp.Answer = append(resp.Answer, answer)
-+                       _ = w.WriteMsg(resp)
-+               }
-+       }
-+
-+       conn, err := net.ListenUDP("udp", &net.UDPAddr{
-+               IP:   net.ParseIP(addr),
-+               Port: 53,
-+       })
-+       assert.NilError(t, err)
-+
-+       server := &dns.Server{Handler: dns.HandlerFunc(serveDNS), PacketConn: conn}
-+       go func() {
-+               _ = server.ActivateAndServe()
-+       }()
-+
-+       return server
-+}
-+
-+// Check that when a container is connected to an internal network, DNS
-+// requests sent to daemon's internal DNS resolver are not forwarded to
-+// an upstream resolver listening on a localhost address.
-+// (Assumes the host does not already have a DNS server on 127.0.0.1.)
-+func TestInternalNetworkDNS(t *testing.T) {
-+       skip.If(t, testEnv.DaemonInfo.OSType == "windows", "No resolv.conf on Windows")
-+       skip.If(t, testEnv.IsRootless, "Can't use resolver on host in rootless mode")
-+       ctx := setupTest(t)
-+
-+       // Start a DNS server on the loopback interface.
-+       server := startDaftDNS(t, "127.0.0.1")
-+       defer server.Shutdown()
-+
-+       // Set up a temp resolv.conf pointing at that DNS server, and a daemon using it.
-+       tmpFileName := writeTempResolvConf(t, "127.0.0.1")
-+       d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
-+       d.StartWithBusybox(ctx, t, "--experimental", "--ip6tables")
-+       defer d.Stop(t)
-+
-+       c := d.NewClientT(t)
-+       defer c.Close()
-+
-+       intNetName := "intnet"
-+       network.CreateNoError(ctx, t, c, intNetName,
-+               network.WithDriver("bridge"),
-+               network.WithInternal(),
-+       )
-+       defer network.RemoveNoError(ctx, t, c, intNetName)
-+
-+       extNetName := "extnet"
-+       network.CreateNoError(ctx, t, c, extNetName,
-+               network.WithDriver("bridge"),
-+       )
-+       defer network.RemoveNoError(ctx, t, c, extNetName)
-+
-+       // Create a container, initially with external connectivity.
-+       // Expect the external DNS server to respond to a request from the container.
-+       ctrId := container.Run(ctx, t, c, container.WithNetworkMode(extNetName))
-+       defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true})
-+       res, err := container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+       assert.NilError(t, err)
-+       assert.Check(t, is.Equal(res.ExitCode, 0))
-+       assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+
-+       // Connect the container to the internal network as well.
-+       // External DNS should still be used.
-+       err = c.NetworkConnect(ctx, intNetName, ctrId, nil)
-+       assert.NilError(t, err)
-+       res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+       assert.NilError(t, err)
-+       assert.Check(t, is.Equal(res.ExitCode, 0))
-+       assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+
-+       // Disconnect from the external network.
-+       // Expect no access to the external DNS.
-+       err = c.NetworkDisconnect(ctx, extNetName, ctrId, true)
-+       assert.NilError(t, err)
-+       res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+       assert.NilError(t, err)
-+       assert.Check(t, is.Equal(res.ExitCode, 1))
-+       assert.Check(t, is.Contains(res.Stdout(), "SERVFAIL"))
-+
-+       // Reconnect the external network.
-+       // Check that the external DNS server is used again.
-+       err = c.NetworkConnect(ctx, extNetName, ctrId, nil)
-+       assert.NilError(t, err)
-+       res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+       assert.NilError(t, err)
-+       assert.Check(t, is.Equal(res.ExitCode, 0))
-+       assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+}
-diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
-index d9c257dc68..3ca546a4ac 100644
---- a/libnetwork/endpoint.go
-+++ b/libnetwork/endpoint.go
-@@ -538,8 +538,13 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) {
-                return sb.setupDefaultGW()
-        }
- 
--       moveExtConn := sb.getGatewayEndpoint() != extEp
-+       currentExtEp := sb.getGatewayEndpoint()
-+       // Enable upstream forwarding if the sandbox gained external connectivity.
-+       if sb.resolver != nil {
-+               sb.resolver.SetForwardingPolicy(currentExtEp != nil)
-+       }
- 
-+       moveExtConn := currentExtEp != extEp
-        if moveExtConn {
-                if extEp != nil {
-                        log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
-@@ -735,6 +740,11 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption)
- 
-        // New endpoint providing external connectivity for the sandbox
-        extEp = sb.getGatewayEndpoint()
-+       // Disable upstream forwarding if the sandbox lost external connectivity.
-+       if sb.resolver != nil {
-+               sb.resolver.SetForwardingPolicy(extEp != nil)
-+       }
-+
-        if moveExtConn && extEp != nil {
-                log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
-                extN, err := extEp.getNetworkFromStore()
-diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
-index 9df2154499..5d5686fc86 100644
---- a/libnetwork/resolver.go
-+++ b/libnetwork/resolver.go
-@@ -9,6 +9,7 @@ import (
-        "strconv"
-        "strings"
-        "sync"
-+       "sync/atomic"
-        "time"
- 
-        "github.com/containerd/log"
-@@ -75,7 +76,7 @@ type Resolver struct {
-        tcpListen     *net.TCPListener
-        err           error
-        listenAddress string
--       proxyDNS      bool
-+       proxyDNS      atomic.Bool
-        startCh       chan struct{}
-        logger        *log.Entry
- 
-@@ -85,15 +86,17 @@ type Resolver struct {
- 
- // NewResolver creates a new instance of the Resolver
- func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
--       return &Resolver{
-+       r := &Resolver{
-                backend:       backend,
--               proxyDNS:      proxyDNS,
-                listenAddress: address,
-                err:           fmt.Errorf("setup not done yet"),
-                startCh:       make(chan struct{}, 1),
-                fwdSem:        semaphore.NewWeighted(maxConcurrent),
-                logInverval:   rate.Sometimes{Interval: logInterval},
-        }
-+       r.proxyDNS.Store(proxyDNS)
-+
-+       return r
- }
- 
- func (r *Resolver) log(ctx context.Context) *log.Entry {
-@@ -194,6 +197,12 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
-        }
- }
- 
-+// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
-+// external servers.
-+func (r *Resolver) SetForwardingPolicy(policy bool) {
-+       r.proxyDNS.Store(policy)
-+}
-+
- // NameServer returns the IP of the DNS resolver for the containers.
- func (r *Resolver) NameServer() string {
-        return r.listenAddress
-@@ -421,7 +430,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) {
-                return
-        }
- 
--       if r.proxyDNS {
-+       if r.proxyDNS.Load() {
-                // If the user sets ndots > 0 explicitly and the query is
-                // in the root domain don't forward it out. We will return
-                // failure and let the client retry with the search domain
-diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
-index e30f394057..9f7a1c4671 100644
---- a/libnetwork/sandbox_dns_unix.go
-+++ b/libnetwork/sandbox_dns_unix.go
-@@ -30,10 +30,11 @@ const (
- func (sb *Sandbox) startResolver(restore bool) {
-        sb.resolverOnce.Do(func() {
-                var err error
--               // The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to
--               // an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when
--               // no external connectivity is available (eg. by not setting a default gateway).
--               sb.resolver = NewResolver(resolverIPSandbox, true, sb)
-+               // The resolver is started with proxyDNS=false if the sandbox does not currently
-+               // have a gateway. So, if the Sandbox is only connected to an 'internal' network,
-+               // it will not forward DNS requests to external resolvers. The resolver's
-+               // proxyDNS setting is then updated as network Endpoints are added/removed.
-+               sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
-                defer func() {
-                        if err != nil {
-                                sb.resolver = nil
--- 
-2.50.1
-
diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch
deleted file mode 100644
index 03628fb3..00000000
--- a/recipes-containers/docker/files/CVE-2024-36620.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
-From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
-Date: Fri, 19 Apr 2024 10:44:30 +0000
-Subject: [PATCH] nil dereference fix on image history Created value
-
-Issue was caused by the changes here https://github.com/moby/moby/pull/45504
-First released in v25.0.0-beta.1
-
-CVE: CVE-2024-36620
-
-Upstream-Status: Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]
-
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
----
- daemon/images/image_history.go | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
-index dcf7a906aa..e5adda8639 100644
---- a/daemon/images/image_history.go
-+++ b/daemon/images/image_history.go
-@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
-                        layer.ReleaseAndLog(i.layerStore, l)
-                        layerCounter++
-                }
-+               var created int64
-+               if h.Created != nil {
-+                       created = h.Created.Unix()
-+               }
-
-                history = append([]*image.HistoryResponseItem{{
-                        ID:        "<missing>",
--                       Created:   h.Created.Unix(),
-+                       Created:   created,
-                        CreatedBy: h.CreatedBy,
-                        Comment:   h.Comment,
-                        Size:      layerSize,
---
-2.40.0
diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
deleted file mode 100644
index 6560f46a..00000000
--- a/recipes-containers/docker/files/CVE-2024-36621.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
-From: Tonis Tiigi <tonistiigi@gmail.com>
-Date: Wed, 6 Mar 2024 23:11:32 -0800
-Subject: [PATCH] builder-next: fix missing lock in ensurelayer
-
-When this was called concurrently from the moby image
-exporter there could be a data race where a layer was
-written to the refs map when it was already there.
-
-In that case the reference count got mixed up and on
-release only one of these layers was actually released.
-
-CVE: CVE-2024-36621
-
-Upstream-Status: Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
-
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
----
- .../builder-next/adapters/snapshot/layer.go   |  3 +++
- .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
- 2 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
-index 73120ea70b..fc83058339 100644
---- a/builder/builder-next/adapters/snapshot/layer.go
-+++ b/builder/builder-next/adapters/snapshot/layer.go
-@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
- }
-
- func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
-+       s.layerCreateLocker.Lock(key)
-+       defer s.layerCreateLocker.Unlock(key)
-+
-        diffIDs, err := s.GetDiffIDs(ctx, key)
-        if err != nil {
-                return nil, err
-diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
-index a0d28ad984..510ffefb49 100644
---- a/builder/builder-next/adapters/snapshot/snapshot.go
-+++ b/builder/builder-next/adapters/snapshot/snapshot.go
-@@ -17,6 +17,7 @@ import (
-        "github.com/moby/buildkit/identity"
-        "github.com/moby/buildkit/snapshot"
-        "github.com/moby/buildkit/util/leaseutil"
-+       "github.com/moby/locker"
-        "github.com/opencontainers/go-digest"
-        "github.com/pkg/errors"
-        bolt "go.etcd.io/bbolt"
-@@ -51,10 +52,11 @@ type checksumCalculator interface {
- type snapshotter struct {
-        opt Opt
-
--       refs map[string]layer.Layer
--       db   *bolt.DB
--       mu   sync.Mutex
--       reg  graphIDRegistrar
-+       refs              map[string]layer.Layer
-+       db                *bolt.DB
-+       mu                sync.Mutex
-+       reg               graphIDRegistrar
-+       layerCreateLocker *locker.Locker
- }
-
- // NewSnapshotter creates a new snapshotter
-@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
-        }
-
-        s := &snapshotter{
--               opt:  opt,
--               db:   db,
--               refs: map[string]layer.Layer{},
--               reg:  reg,
-+               opt:               opt,
-+               db:                db,
-+               refs:              map[string]layer.Layer{},
-+               reg:               reg,
-+               layerCreateLocker: locker.New(),
-        }
-
-        slm := newLeaseManager(s, prevLM)
---
-2.40.0