On Wed, Oct 29, 2025 at 06:18:09PM +0100, Nicolas Peugnet wrote:
> I started to look at this, and from what I see in the referenced commit that
> fixes this [2]: The two features based on "annotations" where the new
> validatePathInBase() is used before creating files [line 221] and [line 245]
> do not exist prior to v2.33.0, as they have been added respectively in
> [66a4716] (since v2.34.0) and [8402888] (since v2.33.0).
>
> I would like to have another look, but IMO it can safely be restrained to a
> narrower range of versions.
>
> [line 221]
> https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R221
> [line 245]
> https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R245
> [66a4716]
> https://github.com/docker/compose/commit/66a47169d51ef4be5e230dda982661248b20f60a#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6L160-R167
> [8402888]
> https://github.com/docker/compose/commit/840288895e673fcccd56a7830dee30d8a75523ef#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R184-R196

Thanks, your analysis looks correct. I've updated the Security Tracker
to reflect that oldstable and stable are not affected.

Cheers,
Moritz