Accepting request 1147713 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1147713 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=143
2024-02-21 16:52:04 +00:00 · 2024-02-21 16:52:04 +00:00 · af5f657805
commit af5f657805
parent 6b492dc520 febbaafee6
14 changed files with 324 additions and 11940 deletions
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,7 +1,7 @@
-From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
+From 4a5c4ff94d466dcd5d7c986478ee3c12d056208a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets

 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@ -14,18 +14,18 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 1 file changed, 20 insertions(+), 3 deletions(-)

 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 290ec59a34..b7013fb89c 100644
+index 6a23a4ca92..4f2a611bbc 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
-@@ -4,6 +4,7 @@
+@@ -3,6 +3,7 @@
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
 +	"bytes"
+ 	"context"
 	"fmt"
 	"os"
- 	"path/filepath"
-@@ -14,6 +15,7 @@ import (
+@@ -16,6 +17,7 @@ import (
 	"github.com/docker/docker/daemon/links"
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork"
@ -33,7 +33,7 @@ index 290ec59a34..b7013fb89c 100644
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/process"
 	"github.com/docker/docker/pkg/stringid"
-@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		if err != nil {
 			return errors.Wrap(err, "unable to get secret from secret store")
 		}
@ -43,7 +43,7 @@ index 290ec59a34..b7013fb89c 100644
 
 		uid, err := strconv.Atoi(s.File.UID)
 		if err != nil {
-@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 			return err
 		}
 
@ -69,5 +69,5 @@ index 290ec59a34..b7013fb89c 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.43.0
+2.39.0

--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,7 +1,7 @@
-From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
+From 0b91e46d6f1515461d28d768557b63eacbcc68af Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets

 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@ -19,10 +19,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 create mode 100644 daemon/suse_secrets.go

 diff --git a/daemon/start.go b/daemon/start.go
-index 2e0b9e6be8..dca0448688 100644
+index 24e72e2248..9bce0c6dff 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
-@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
+@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
 		return err
 	}
 
@ -31,9 +31,9 @@ index 2e0b9e6be8..dca0448688 100644
 +		return errdefs.System(err)
 +	}
 +
- 	spec, err := daemon.createSpec(ctx, container)
+ 	spec, err := daemon.createSpec(ctx, daemonCfg, container)
 	if err != nil {
- 		return errdefs.System(err)
+ 		// Any error that occurs while creating the spec, even if it's the
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
 index 0000000000..32b0ece91b
@ -456,5 +456,5 @@ index 0000000000..32b0ece91b
 +	return nil
 +}
 -- 
-2.43.0
+2.39.0

--- a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+++ b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
@ -1,7 +1,7 @@
-From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
+From cee586793de12fc029897e897aacdf18933f8ba6 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
-Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
+Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
 headers"

 This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 1 file changed, 4 insertions(+), 9 deletions(-)

 diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
-index d88efc4be2..4e976aa689 100644
+index 6aaa33cf76..7264d40364 100644
 --- a/daemon/graphdriver/btrfs/btrfs.go
 +++ b/daemon/graphdriver/btrfs/btrfs.go
-@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
 
 /*
 #include <stdlib.h>
@ -42,5 +42,5 @@ index d88efc4be2..4e976aa689 100644
 static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
     snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.43.0
+2.39.0

--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,7 +1,7 @@
-From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
+From 99fb19fd177d211063394a56348ecd9987fd17aa Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
 start

 In the process of making docker-default reloading far less expensive,
@ -22,10 +22,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 3 files changed, 17 insertions(+), 6 deletions(-)

 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index 6376001613..5fde21a4af 100644
+index 81e10b6cbe..e695667a19 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
-@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
+@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
 	return ""
 }
 
@ -41,7 +41,7 @@ index 6376001613..5fde21a4af 100644
 func ensureDefaultAppArmorProfile() error {
 	if apparmor.HostSupports() {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
-@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
+@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
 		}
 
 		// Load the profile.
@ -54,10 +54,10 @@ index 6376001613..5fde21a4af 100644
 	return nil
 }
 diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
-index e3dc18b32b..9c77230562 100644
+index be4938f5b6..2b326fea58 100644
 --- a/daemon/apparmor_default_unsupported.go
 +++ b/daemon/apparmor_default_unsupported.go
-@@ -3,6 +3,10 @@
+@@ -2,6 +2,10 @@
 
 package daemon // import "github.com/docker/docker/daemon"
 
@ -69,11 +69,11 @@ index e3dc18b32b..9c77230562 100644
 	return nil
 }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index 4d76c57988..15c95b50c4 100644
+index 05b933ca86..cced9c9a8d 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
-@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
- 		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
+@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ 		log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
 	}
 
 -	// ensureDefaultAppArmorProfile does nothing if apparmor is disabled
@ -81,9 +81,9 @@ index 4d76c57988..15c95b50c4 100644
 +	// Make sure we clobber any pre-existing docker-default profile to ensure
 +	// that upgrades to the profile actually work smoothly.
 +	if err := clobberDefaultAppArmorProfile(); err != nil {
- 		logrus.Errorf(err.Error())
+ 		log.G(ctx).Errorf(err.Error())
 	}
 
 -- 
-2.43.0
+2.39.0

--- a/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+++ b/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
@ -1,7 +1,7 @@
-From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
+From 079e8a9eefc639772d8849cea26727ea0918a74b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
-Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
+Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from
 template"

 This reverts the following commits:
@ -17,15 +17,16 @@ apparmor_parser version is quite old.

 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 ---
- contrib/apparmor/main.go      | 16 ++++++++++++++--
- contrib/apparmor/template.go  | 16 ++++++++++++++++
- pkg/aaparser/aaparser.go      |  2 --
- profiles/apparmor/apparmor.go | 14 ++++++++++++--
- profiles/apparmor/template.go |  4 ++++
- 5 files changed, 46 insertions(+), 6 deletions(-)
+ contrib/apparmor/main.go      | 16 ++++++-
+ contrib/apparmor/template.go  | 16 +++++++
+ pkg/aaparser/aaparser.go      | 86 +++++++++++++++++++++++++++++++++++
+ profiles/apparmor/apparmor.go | 16 ++++++-
+ profiles/apparmor/template.go |  4 ++
+ 5 files changed, 134 insertions(+), 4 deletions(-)
+ create mode 100644 pkg/aaparser/aaparser.go

 diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
-index d67890d265..f4a2978b86 100644
+index 899d8378ed..93f98cbd20 100644
 --- a/contrib/apparmor/main.go
 +++ b/contrib/apparmor/main.go
@@ -6,9 +6,13 @@ import (
@ -156,24 +157,107 @@ index 58afcbe845..e6d0b6d37c 100644
     /lib/** rm,
     /usr/bin/xz rm,
 diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
-index 3d7c2c5a97..2b5a2605f9 100644
--- a/pkg/aaparser/aaparser.go
+new file mode 100644
+index 0000000000..89b48b2dba
+--- /dev/null
 +++ b/pkg/aaparser/aaparser.go
-@@ -13,8 +13,6 @@ const (
- )
- 
- // GetVersion returns the major and minor version of apparmor_parser.
-//
-// Deprecated: no longer used, and will be removed in the next release.
- func GetVersion() (int, error) {
- 	output, err := cmd("", "--version")
- 	if err != nil {
+@@ -0,0 +1,86 @@
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
+
+import (
+	"fmt"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+const (
+	binary = "apparmor_parser"
+)
+
+// GetVersion returns the major and minor version of apparmor_parser.
+func GetVersion() (int, error) {
+	output, err := cmd("", "--version")
+	if err != nil {
+		return -1, err
+	}
+
+	return parseVersion(output)
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+	c := exec.Command(binary, arg...)
+	c.Dir = dir
+
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+	}
+
+	return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
+	// output is in the form of the following:
+	// AppArmor parser version 2.9.1
+	// Copyright (C) 1999-2008 Novell Inc.
+	// Copyright 2009-2012 Canonical Ltd.
+
+	lines := strings.SplitN(output, "\n", 2)
+	words := strings.Split(lines[0], " ")
+	version := words[len(words)-1]
+
+	// trim "-beta1" suffix from version="3.0.0-beta1" if exists
+	version = strings.SplitN(version, "-", 2)[0]
+	// also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10)
+	version = strings.SplitN(version, "~", 2)[0]
+
+	// split by major minor version
+	v := strings.Split(version, ".")
+	if len(v) == 0 || len(v) > 3 {
+		return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+	}
+
+	// Default the versions to 0.
+	var majorVersion, minorVersion, patchLevel int
+
+	majorVersion, err := strconv.Atoi(v[0])
+	if err != nil {
+		return -1, err
+	}
+
+	if len(v) > 1 {
+		minorVersion, err = strconv.Atoi(v[1])
+		if err != nil {
+			return -1, err
+		}
+	}
+	if len(v) > 2 {
+		patchLevel, err = strconv.Atoi(v[2])
+		if err != nil {
+			return -1, err
+		}
+	}
+
+	// major*10^5 + minor*10^3 + patch*10^0
+	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+	return numericVersion, nil
+}
 diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
-index d0f2361605..b3566b2f73 100644
+index 1edfc53002..0d23b940bd 100644
 --- a/profiles/apparmor/apparmor.go
 +++ b/profiles/apparmor/apparmor.go
-@@ -14,8 +14,10 @@ import (
- 	"github.com/docker/docker/pkg/aaparser"
+@@ -11,10 +11,14 @@ import (
+ 	"path"
+ 	"strings"
+ 	"text/template"
+
+	"github.com/docker/docker/pkg/aaparser"
 )
 
 -// profileDirectory is the file store for apparmor profiles and macros.
@ -185,7 +269,7 @@ index d0f2361605..b3566b2f73 100644
 
 // profileData holds information about the given profile for generation.
 type profileData struct {
-@@ -27,6 +29,8 @@ type profileData struct {
+@@ -26,6 +30,8 @@ type profileData struct {
 	Imports []string
 	// InnerImports defines the apparmor functions to import in the profile.
 	InnerImports []string
@ -194,7 +278,7 @@ index d0f2361605..b3566b2f73 100644
 }
 
 // generateDefault creates an apparmor profile from ProfileData.
-@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
+@@ -45,6 +51,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
 		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
 	}
 
@ -208,10 +292,10 @@ index d0f2361605..b3566b2f73 100644
 }
 
 diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
-index 9f207e2014..626e5f6789 100644
+index cf8c34ce8a..4ebd647e14 100644
 --- a/profiles/apparmor/template.go
 +++ b/profiles/apparmor/template.go
-@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -23,12 +23,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   capability,
   file,
   umount,
@ -226,7 +310,7 @@ index 9f207e2014..626e5f6789 100644
 
   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc/<number>/** or /proc/sys/**
-@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -49,7 +51,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
@ -237,5 +321,5 @@ index 9f207e2014..626e5f6789 100644
 }
 `
 -- 
-2.43.0
+2.39.0

--- a/0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
+++ b/0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
--- a/8
+++ b/8
@ -3,16 +3,16 @@
    <param name="url">https://github.com/moby/moby.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">24.0.7_ce_%h</param>
-    <param name="revision">v24.0.7</param>
+    <param name="versionformat">25.0.3_ce_%h</param>
+    <param name="revision">v25.0.3</param>
    <param name="filename">docker</param>
  </service>
  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/docker/cli.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">24.0.7_ce</param>
-    <param name="revision">v24.0.7</param>
+    <param name="versionformat">25.0.3_ce</param>
+    <param name="revision">v25.0.3</param>
    <param name="filename">docker-cli</param>
  </service>
  <service name="recompress" mode="manual">
--- a/cli-0001-docs-include-required-tools-in-source-tree.patch
+++ b/cli-0001-docs-include-required-tools-in-source-tree.patch
--- a/docker-24.0.7_ce_311b9ff0aa93.tar.xz
+++ b/docker-24.0.7_ce_311b9ff0aa93.tar.xz
--- a/docker-25.0.3_ce_f417435e5.tar.xz
+++ b/docker-25.0.3_ce_f417435e5.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fbef23923d6949cb83b1f2374adfd3cb1a10b9a4dc9586062d5d1d8fa46b1f0
+size 11864752
--- a/docker-cli-24.0.7_ce.tar.xz
+++ b/docker-cli-24.0.7_ce.tar.xz
--- a/docker-cli-25.0.3_ce.tar.xz
+++ b/docker-cli-25.0.3_ce.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f7e2be457177315bce7f31db577329812da085b5d63064bf3220b188e69fdd1d
+size 3856520
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Feb 17 12:56:22 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to Docker 25.0.3-ce. See upstream changelong online at
+  <https://docs.docker.com/engine/release-notes/25.0/#2503>
+- Fixes:
+  * bsc#1219267 - CVE-2024-23651
+  * bsc#1219268 - CVE-2024-23652
+  * bsc#1219438 - CVE-2024-23653
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+- Remove upstreamed patches:
+  - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
+
 -------------------------------------------------------------------
 Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>

--- a/docker.spec
+++ b/docker.spec
@ -31,9 +31,9 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define real_version 24.0.7
-%define git_version 311b9ff0aa93
-%define git_commit_epoch 1698306665
+%define real_version 25.0.3
+%define git_version f417435e5
+%define git_commit_epoch 1706746344

 Name:           docker
 Version:        %{real_version}_ce
@ -72,11 +72,6 @@ Patch201:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 Patch202:       0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
 # UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
 Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
-# bugfix for:
-# bsc#1219438: CVE-2024-23653
-# bsc#1219268: CVE-2024-23652
-# bsc#1219267: CVE-2024-23651
-Patch901:       0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -225,8 +220,6 @@ cp %{SOURCE130} .
 %patch -P201 -p1
 # Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
 %patch -P202 -p1
-# temporary buildkit bugfixes
-%patch -P901 -p1

 %build
 %sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf