Hi,

On Thu, Dec 18, 2025 at 10:33:19AM +0100, Moritz Mühlenhoff wrote:
> On Wed, Oct 29, 2025 at 06:18:09PM +0100, Nicolas Peugnet wrote:
> > I started to look at this, and from what I see in the referenced commit that
> > fixes this [2]: the two features based on "annotations" where the new
> > validatePathInBase() is used before creating files [line 221] and [line 245]
> > do not exist prior to v2.33.0, as they have been added respectively in
> > [66a4716] (since v2.34.0) and [8402888] (since v2.33.0).
> > 
> > I would like to have another look, but IMO it can safely be restrained to a
> > narrower range of versions.
> > 
> > [line 221] 
> > https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R221
> > [line 245] 
> > https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R245
> > [66a4716] 
> > https://github.com/docker/compose/commit/66a47169d51ef4be5e230dda982661248b20f60a#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6L160-R167
> > [8402888] 
> > https://github.com/docker/compose/commit/840288895e673fcccd56a7830dee30d8a75523ef#diff-09dc78263fc0dc591448f89a2ddf63cf33268e6e62d8fd9e35cacfa0d90982a6R184-R196
> 
> Thanks, your analysis looks correct. I've updated the Security Tracker
> to reflect that oldstable and stable are not affected.

In this case I think even unstable/testing are not, as we ship 2.32.4-3
there, correct?

Regards,
Salvatore
