!114 [sync] PR-109: fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623

From: @openeuler-sync-bot 
Reviewed-by: @xu_lei_123 
Signed-off-by: @xu_lei_123

1007-api-omit-missing-Created-field-from-ImageInspect-res.patch

@@ -1,69 +1,69 @@
-From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001
-From: Bjorn Neergaard <bjorn.neergaard@docker.com>
-Date: Mon, 26 Feb 2024 10:25:08 -0700
-Subject: [PATCH] api: omit missing Created field from ImageInspect response
-
-Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
----
- api/swagger.yaml    | 6 +++++-
- api/types/types.go  | 6 +++++-
- docs/api/v1.44.yaml | 6 +++++-
- 3 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/api/swagger.yaml b/api/swagger.yaml
-index e55a76f..350d37a 100644
---- a/api/swagger.yaml
-+++ b/api/swagger.yaml
-@@ -1743,8 +1743,12 @@ definitions:
-         description: |
-           Date and time at which the image was created, formatted in
-           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
-+
-+          This information is only available if present in the image,
-+          and omitted otherwise.
-         type: "string"
--        x-nullable: false
-+        format: "dateTime"
-+        x-nullable: true
-         example: "2022-02-04T21:20:12.497794809Z"
-       Container:
-         description: |
-diff --git a/api/types/types.go b/api/types/types.go
-index 5c56a0c..3c1f69a 100644
---- a/api/types/types.go
-+++ b/api/types/types.go
-@@ -72,8 +72,12 @@ type ImageInspect struct {
- 
- 	// Created is the date and time at which the image was created, formatted in
- 	// RFC 3339 nano-seconds (time.RFC3339Nano).
--	Created string
- 
-+	//
-+	// This information is only available if present in the image,
-+	// and omitted otherwise.
-+	Created string `json:",omitempty"`
-+ 
- 	// Container is the ID of the container that was used to create the image.
- 	//
- 	// Depending on how the image was created, this field may be empty.
-diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml
-index e55a76f..350d37a 100644
---- a/docs/api/v1.44.yaml
-+++ b/docs/api/v1.44.yaml
-@@ -1743,8 +1743,12 @@ definitions:
-         description: |
-           Date and time at which the image was created, formatted in
-           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
-+
-+          This information is only available if present in the image,
-+          and omitted otherwise.
-         type: "string"
--        x-nullable: false
-+        format: "dateTime"
-+        x-nullable: true
-         example: "2022-02-04T21:20:12.497794809Z"
-       Container:
-         description: |
--- 
-2.41.0
-
+From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001
+From: Bjorn Neergaard <bjorn.neergaard@docker.com>
+Date: Mon, 26 Feb 2024 10:25:08 -0700
+Subject: [PATCH] api: omit missing Created field from ImageInspect response
+
+Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
+---
+ api/swagger.yaml    | 6 +++++-
+ api/types/types.go  | 6 +++++-
+ docs/api/v1.44.yaml | 6 +++++-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/api/swagger.yaml b/api/swagger.yaml
+index e55a76f..350d37a 100644
+--- a/api/swagger.yaml
++++ b/api/swagger.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+diff --git a/api/types/types.go b/api/types/types.go
+index 5c56a0c..3c1f69a 100644
+--- a/api/types/types.go
++++ b/api/types/types.go
+@@ -72,8 +72,12 @@ type ImageInspect struct {
+ 
+ 	// Created is the date and time at which the image was created, formatted in
+ 	// RFC 3339 nano-seconds (time.RFC3339Nano).
+-	Created string
+ 
++	//
++	// This information is only available if present in the image,
++	// and omitted otherwise.
++	Created string `json:",omitempty"`
++ 
+ 	// Container is the ID of the container that was used to create the image.
+ 	//
+ 	// Depending on how the image was created, this field may be empty.
+diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml
+index e55a76f..350d37a 100644
+--- a/docs/api/v1.44.yaml
++++ b/docs/api/v1.44.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+-- 
+2.41.0
+

1008-integration-Add-container-output-utility.patch

@@ -1,51 +1,51 @@
-From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
-Date: Thu, 22 Feb 2024 11:14:27 +0100
-Subject: [PATCH] integration: Add container.Output utility
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf
-
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
----
- integration/internal/container/container.go | 25 +++++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
-index 0974ce6bf1..dac52999ae 100644
---- a/integration/internal/container/container.go
-+++ b/integration/internal/container/container.go
-@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont
- 
- 	return c
- }
-+
-+type ContainerOutput struct {
-+	Stdout, Stderr string
-+}
-+
-+// Output waits for the container to end running and returns its output.
-+func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) {
-+	logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true})
-+	if err != nil {
-+		return ContainerOutput{}, err
-+	}
-+
-+	defer logs.Close()
-+
-+	var stdoutBuf, stderrBuf bytes.Buffer
-+	_, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs)
-+	if err != nil {
-+		return ContainerOutput{}, err
-+	}
-+
-+	return ContainerOutput{
-+		Stdout: stdoutBuf.String(),
-+		Stderr: stderrBuf.String(),
-+	}, nil
-+}
--- 
-2.33.0
-
+From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 11:14:27 +0100
+Subject: [PATCH] integration: Add container.Output utility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ integration/internal/container/container.go | 25 +++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
+index 0974ce6bf1..dac52999ae 100644
+--- a/integration/internal/container/container.go
++++ b/integration/internal/container/container.go
+@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont
+ 
+ 	return c
+ }
++
++type ContainerOutput struct {
++	Stdout, Stderr string
++}
++
++// Output waits for the container to end running and returns its output.
++func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) {
++	logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true})
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	defer logs.Close()
++
++	var stdoutBuf, stderrBuf bytes.Buffer
++	_, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs)
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	return ContainerOutput{
++		Stdout: stdoutBuf.String(),
++		Stderr: stderrBuf.String(),
++	}, nil
++}
+-- 
+2.33.0
+

1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch

@@ -0,0 +1,37 @@
+From a72294a6688d747dcfec8751c3e2616cad703a31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Mon, 19 Feb 2024 15:16:07 +0100
+Subject: [PATCH] mounts/validate: Don't check source exists with
+ CreateMountpoint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't error out when mount source doesn't exist and mounts has
+`CreateMountpoint` option enabled.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+(cherry picked from commit 05b883bdc836a2fd621452f58a2a2c02d253718c)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ volume/mounts/linux_parser.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/volume/mounts/linux_parser.go b/volume/mounts/linux_parser.go
+index 1b64c23935..e7e8ad80f3 100644
+--- a/volume/mounts/linux_parser.go
++++ b/volume/mounts/linux_parser.go
+@@ -85,7 +85,9 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ 			if err != nil {
+ 				return &errMountConfig{mnt, err}
+ 			}
+-			if !exists {
++
++			createMountpoint := mnt.BindOptions != nil && mnt.BindOptions.CreateMountpoint
++			if !exists && !createMountpoint {
+ 				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ 			}
+ 		}
+-- 
+2.33.0
+

1010-fix-CVE-2024-36621.patch

@@ -0,0 +1,76 @@
+From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b2ee..fc83058339c7b 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
++++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	diffIDs, err := s.GetDiffIDs(ctx, key)
+ 	if err != nil {
+ 		return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984ba4..510ffefb49406 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	"github.com/moby/buildkit/util/leaseutil"
++	"github.com/moby/locker"
+ 	"github.com/opencontainers/go-digest"
+ 	"github.com/pkg/errors"
+ 	bolt "go.etcd.io/bbolt"
+@@ -51,10 +52,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ // NewSnapshotter creates a new snapshotter
+@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 
+ 	slm := newLeaseManager(s, prevLM)

1011-fix-CVE-2024-36620.patch

@@ -0,0 +1,33 @@
+From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
+From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Date: Fri, 19 Apr 2024 10:44:30 +0000
+Subject: [PATCH] nil dereference fix on image history Created value
+
+Issue was caused by the changes here https://github.com/moby/moby/pull/45504
+First released in v25.0.0-beta.1
+
+Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+---
+ daemon/images/image_history.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
+index 1617f8be62906..f621ceae13bc6 100644
+--- a/daemon/images/image_history.go
++++ b/daemon/images/image_history.go
+@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
+ 			layerCounter++
+ 		}
+ 
++		var created int64
++		if h.Created != nil {
++			created = h.Created.Unix()
++		}
++
+ 		history = append([]*image.HistoryResponseItem{{
+ 			ID:        "<missing>",
+-			Created:   h.Created.Unix(),
++			Created:   created,
+ 			CreatedBy: h.CreatedBy,
+ 			Comment:   h.Comment,
+ 			Size:      layerSize,

1012-fix-CVE-2024-36623.patch

@@ -0,0 +1,45 @@
+From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go
+index b0456e580dc9d..098df6b5236b9 100644
+--- a/pkg/streamformatter/streamformatter.go
++++ b/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err

moby.spec

@@ -5,11 +5,11 @@
 %global _source_docker_init tini-0.19.0
 %define _debugsource_template %{nil}
 
-Name: 	  docker
+Name: 	  moby
 Version:  25.0.3
-Release:  17
+Release:  22
 Summary:  The open-source application container engine
-License:  ASL 2.0
+License:  Apache-2.0
 URL:	  https://www.docker.com
 # https://github.com/docker/cli/archive/refs/tags/v25.0.3.tar.gz
 Source0:  cli-%{version}.tar.gz
@@ -20,15 +20,22 @@ Source2:  tini-0.19.0.tar.gz
 Source3:  docker.service
 Source4:  docker.socket
 Source5:  docker.sysconfig
-Patch0001:  0001-fix-cve-2024-29018.patch
-Patch0002:  0002-fix-cve-2024-32473.patch
-Patch0003:  0003-add-loongarch64-seccomp-support.patch
-Patch0004:  0004-fix-docker-swarm-run-failed-for-loongarch64.patch
-Patch0005:  0005-CVE-2024-41110.patch
-Patch0006:  0006-tini.c-a-function-declaration-without-a-prototype-is.patch
-Patch0007:  0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
-Patch0008:  0008-api-omit-missing-Created-field-from-ImageInspect-res.patch
-Patch0009:  0009-integration-Add-container-output-utility.patch
+# Patch 0001-0999 for cli
+# Patch 1001-1999 for moby
+Patch1001:  1001-fix-cve-2024-29018.patch
+Patch1002:  1002-fix-cve-2024-32473.patch
+Patch1003:  1003-add-loongarch64-seccomp-support.patch
+Patch1004:  1004-fix-docker-swarm-run-failed-for-loongarch64.patch
+Patch1005:  1005-CVE-2024-41110.patch
+Patch1006:  1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
+Patch1007:  1007-api-omit-missing-Created-field-from-ImageInspect-res.patch
+Patch1008:  1008-integration-Add-container-output-utility.patch
+Patch1009:  1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
+Patch1010:  1010-fix-CVE-2024-36621.patch
+Patch1011:  1011-fix-CVE-2024-36620.patch
+Patch1012:  1012-fix-CVE-2024-36623.patch
+# Patch 2001-2999 for tini
+Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
 Requires(meta): %{name}-client = %{version}-%{release}
 
@@ -37,6 +44,8 @@ Conflicts: docker-ce
 Conflicts: docker-io
 Conflicts: docker-engine-cs
 Conflicts: docker-ee
+Obsoletes: docker < %{version}-%{release}
+Provides: docker = %{version}-%{release}
 
 %description
 Docker is a product for you to build, ship and run any application as a
@@ -77,12 +86,16 @@ BuildRequires: systemd-devel
 BuildRequires: tar
 BuildRequires: which
 BuildRequires: golang  >= 1.18.0
+Obsoletes: docker-engine < %{version}-%{release}
+Conflicts: docker-engine >= 2:18
+Requires: libnetwork = %{version}-%{release}
 
 %description engine
 Docker daemon binary and related utilities
 
 %package client
 Summary: Docker client binary and related utilities
+Obsoletes: docker-client < %{version}-%{release}
 
 Requires: /bin/sh
 BuildRequires: libtool-ltdl-devel
@@ -90,19 +103,22 @@ BuildRequires: libtool-ltdl-devel
 %description client
 Docker client binary and related utilities
 
+%package -n libnetwork
+Summary: Proxy used for docker port mapping
+Provides: docker-proxy
+Obsoletes: docker-proxy
+Conflicts: docker-engine < 25.0.3-20
+
+%description -n libnetwork
+Proxy used for docker port mapping.
+
 %prep
 %setup -q -n %{_source_client}
+%autopatch -p1 -m 0001 -M 0999
 %setup -q -T -n %{_source_engine} -b 1
-%patch 0001 -p1
-%patch 0002 -p1
-%patch 0003 -p1
-%patch 0004 -p1
-%patch 0005 -p1
-%patch 0007 -p1
-%patch 0008 -p1
-%patch 0009 -p1
+%autopatch -p1 -m 1001 -M 1999
 %setup -q -T -n %{_source_docker_init} -b 2
-%patch 0006 -p1
+%autopatch -p1 -m 2001 -M 2999
 
 %build
 export GO111MODULE=off
@@ -111,6 +127,8 @@ export DOCKER_GITCOMMIT=%{_gitcommit_engine}
 export DOCKER_BUILDTAGS="exclude_graphdriver_btrfs"
 
 pushd %{_builddir}/%{_source_engine}
+CGO_CFLAGS="%{build_cflags}" \
+CGO_LDFLAGS="%{build_ldflags}" \
 AUTO_GOPATH=1 VERSION=%{version} PRODUCT=docker hack/make.sh dynbinary
 popd
 
@@ -178,11 +196,13 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA
 %files engine
 %config(noreplace) %{_sysconfdir}/sysconfig/docker
 %{_bindir}/dockerd
-%{_bindir}/docker-proxy
 %{_bindir}/docker-init
 %{_unitdir}/docker.service
 %{_unitdir}/docker.socket
 
+%files -n libnetwork
+%{_bindir}/docker-proxy
+
 %files client
 %{_bindir}/docker
 %{_datadir}/bash-completion/completions/docker
@@ -205,6 +225,23 @@ fi
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Sat Nov 30 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-22
+- fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623
+- reorganize patches so that they could be applied automatically
+
+* Fri Nov 29 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-21
+- convert patches into unix format
+
+* Fri Nov 22 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-20
+- rename back to moby
+- split docker-proxy for docker 18 to use
+
+* Thu Nov 14 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-19
+- DESC: Resolving installation conflicts between docker-engine and libnetwork
+
+* Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-18
+- DESC: Don't check source exists with CreateMountpoint
+
 * Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-17
 - DESC: move group creation into pre section rather than post section
         change requires into meta dependency for its actual use