More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2348367 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Using rpm -qpl --provides docker-compose-2.30.3-1.fc41.x86_64.rpm | less demonstrates that the golang.org/x/crypto/ssh package is not present in docker-compose for F41. output excerpt below: bundled(golang(go.uber.org/mock)) = 0.5.0 bundled(golang(golang.org/x/crypto)) = 0.26.0 bundled(golang(golang.org/x/exp)) = 9b4947d bundled(golang(golang.org/x/net)) = 0.28.0 bundled(golang(golang.org/x/oauth2)) = 0.22.0 bundled(golang(golang.org/x/sync)) = 0.8.0 bundled(golang(golang.org/x/sys)) = 0.26.0 bundled(golang(golang.org/x/term)) = 0.23.0 bundled(golang(golang.org/x/text)) = 0.17.0 bundled(golang(golang.org/x/time)) = 0.6.0 bundled(golang(google.golang.org/genproto)) = ef43131
My mistake reading the list of provides. x/crypto will, potentially, also include x/crypto/ssh. Reopening.
Docker-compose does not function as an ssh client or ssh server.