Skip to content

Commit eb4f2ed

Browse files
sbx: update release notes (#25411)
<!--Delete sections as needed --> ## Description Refreshed sbx release notes based on upstream. ## Related issues or tickets https://docker.slack.com/archives/C09E0594URW/p1782139817528369 ## Reviews <!-- Notes for reviewers here --> <!-- List applicable reviews (optionally @tag reviewers) --> - [ ] Technical review - [ ] Editorial review --------- Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
1 parent f1c44df commit eb4f2ed

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

content/manuals/ai/sandboxes/release-notes.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -43,8 +43,8 @@ This release also improves network isolation and policy enforcement. Sandbox DNS
4343

4444
#### Networking & Proxy
4545

46-
- Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g. `localhost`) are exempt to avoid breaking local OAuth callback flows.
47-
- Outgoing ICMP from sandboxes is now blocked across daemon restarts.
46+
- Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g. `localhost`) are exempt to avoid breaking local OAuth callback flows. [CVE-2026-12039](https://www.cve.org/CVERecord?id=CVE-2026-12039)
47+
- Outgoing ICMP from sandboxes is now blocked across daemon restarts. [CVE-2026-12539](https://www.cve.org/CVERecord?id=CVE-2026-12539)
4848
- CIDR subnet allow rules (e.g. `sbx policy allow network 10.10.14.0/24`) now correctly permit traffic to IP addresses within the subnet.
4949
- The MITM proxy now publishes a CRL and embeds a CRL distribution point in generated certificates, fixing clients that require certificate revocation checking (e.g. .NET `CheckCertificateRevocationList=true`).
5050
- Removed the bracketed `[::1]` entry from the sandbox `NO_PROXY` default, fixing credential injection for HTTP clients that mis-parsed it.
@@ -56,7 +56,7 @@ This release also improves network isolation and policy enforcement. Sandbox DNS
5656

5757
#### Agents
5858

59-
- Fixed Cursor repeatedly prompting for login; Cursor OAuth credentials now also appear in `sbx secret ls`.
59+
- Cursor OAuth is now supported
6060

6161
#### Platform & Performance
6262

0 commit comments

Comments
 (0)