| Summary: | docker new security issues CVE-2014-8178 and CVE-2014-8179 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, davidwhodgins, davidwhodgins, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/660897/ | | |
| Whiteboard: | advisory has_procedure mga5-64-ok | | |
| Source RPM: | docker-1.8.1-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2015-10-19 16:54:58 CEST
David Walser
2015-10-19 18:15:03 CEST
URL: (none) => http://lwn.net/Vulnerabilities/660897/

Red Hat won't fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1271253
https://bugzilla.redhat.com/show_bug.cgi?id=1271256

IIUC it seems that the patches in relation to these CVEs are here:
https://github.com/docker/docker/pull/16953/commits

I tried to apply one of these (which are very large) and got lots of rejects. I don't have the knowledge to solve all that, so I propose that we update docker in mga5 to 1.8.3, the last stable release, which includes the fixes for these CVEs. Let me know your thoughts.

Status: NEW => ASSIGNED

If you think it's safe to update it for people who are using it in Mageia 5, I'll trust your judgment on that. It does sound like the only viable option for fixing it. Thanks for looking into it.

Bruno, ping.. :) Please continue with the upgrade.

CC: (none) => mageia

Sorry for the delay updating it. I tried 1.8.3 and 1.9.1 but that is not building, due to a golang version which is a bit too old on Mageia. So should we start by updating golang first, in order to be able to build docker again? Example:

---> Making bundle: dynbinary (in bundles/1.8.3/dynbinary)
Created binary: bundles/1.8.3/dynbinary/dockerinit-1.8.3
Building: bundles/1.8.3/dynbinary/docker-1.8.3
# github.com/endophage/gotuf/signed
vendor/src/github.com/endophage/gotuf/signed/verifiers.go:102: unknown rsa.PSSOptions field 'Hash' in struct literal
# github.com/docker/docker/daemon
.gopath/src/github.com/docker/docker/daemon/debugtrap_unix.go:17: syntax error: unexpected range, expecting (

(In reply to Bruno Cornec from comment #4)
> Sorry for the delay updating it. I tried 1.8.3 and 1.9.1 but that is not
> building, due to a golang version which is a bit too old on Mageia. So
> should we start by updating golang first, in order to be able to build
> docker again?

As long as updating golang doesn't break anything (and I wouldn't imagine that it would), I'd say go for it.

golang has been updated and pushed to updates for 5.

Package list in updates_testing:
golang-1.4.3-1.mga5
docker-1.9.1-1.mga5
docker-devel-1.9.1-1.mga5
docker-fish-completion-1.9.1-1.mga5
docker-logrotate-1.9.1-1.mga5
docker-unit-test-1.9.1-1.mga5
docker-vim-1.9.1-1.mga5
docker-zsh-completion-1.9.1-1.mga5

from SRPMS:
golang-1.4.3-1.mga5.src.rpm
docker-1.9.1-1.mga5.src.rpm

Upstream blog posts about the security update and the 1.9 release:
https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/
http://blog.docker.com/2015/11/docker-1-9-production-ready-swarm-multi-host-networking/

Version: Cauldron => 5
Bruno Cornec
2015-12-20 12:27:13 CET
Assignee: bruno => qa-bugs

Feel free to add additional references for the golang or docker updates.

Suggested advisory:
==================

Manipulated layer IDs could have led to local graph poisoning (CVE-2014-8178).

Manifest validation and parsing logic errors allowed pull-by-digest validation bypass (CVE-2014-8179).

To fix these issues, the golang package has been updated to version 1.4.3 and the docker package has been updated to version 1.9.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8179
https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/
http://blog.docker.com/2015/11/docker-1-9-production-ready-swarm-multi-host-networking/
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html

CC: (none) => bruno

If the container is available on dockerhub, you just have to do docker pull ctnname and then docker run -ti imgid /bin/bash and you're in it.
I've done a Lab doc for Docker for internal trainings that is available at http://fr.slideshare.net/eurolinux/lab-docker
Bruno.
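The suggested advisory above describes a pull-by-digest validation bypass (CVE-2014-8179) and graph poisoning through manipulated layer IDs (CVE-2014-8178). As an added illustration, written for this page and not taken from Docker or from the patches linked in this bug, the block below shows the two checks such a pull has to enforce: the digest pinned in the reference must equal the sha256 of the bytes actually received, and an ID used to name a directory in the local graph must be a full hex string. The reference format `name@sha256:<hex>`, the 64-hex layer ID rule and the manifest bytes are all assumptions or constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// A digest-pinned reference is assumed to look like "<name>@sha256:<64 hex chars>".
var digestRe = regexp.MustCompile(`^sha256:([0-9a-f]{64})$`)

// A layer ID names a directory in the local graph, so only a full hex ID is accepted;
// this 64-hex rule is my illustration, not Docker's own validation code.
var layerIDRe = regexp.MustCompile(`^[0-9a-f]{64}$`)

// contentDigest hashes the bytes actually received, never a value the server claims.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// verifyPullByDigest returns the fetched manifest only if its sha256 equals the digest
// pinned in ref; on any mismatch the bytes must be discarded, not stored in the graph.
func verifyPullByDigest(ref string, fetched []byte) ([]byte, error) {
	i := strings.LastIndex(ref, "@")
	if i <= 0 {
		return nil, fmt.Errorf("reference %q is not pinned by digest", ref)
	}
	m := digestRe.FindStringSubmatch(ref[i+1:])
	if m == nil {
		return nil, fmt.Errorf("unsupported or malformed digest %q", ref[i+1:])
	}
	if got := contentDigest(fetched); got != m[1] {
		return nil, fmt.Errorf("digest mismatch: want sha256:%s, got sha256:%s", m[1], got)
	}
	return fetched, nil
}

// validLayerID rejects anything that is not exactly 64 lowercase hex characters.
func validLayerID(id string) bool { return layerIDRe.MatchString(id) }

func main() {
	manifest := []byte(`{"schemaVersion":2,"constructed":true}`) // constructed sample, not a real manifest
	ref := "library/hello-world@sha256:" + contentDigest(manifest)
	_, err := verifyPullByDigest(ref, manifest[:len(manifest)-1]) // truncated bytes: must fail
	fmt.Println("truncated manifest rejected:", err != nil, "| '../evil' layer id accepted:", validLayerID("../evil"))
}
```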
Dave Hodgins
2016-01-19 22:56:31 CET
CC: (none) => davidwhodgins

Testing complete mga5 64
Most of these packages are new to mga5.
No package named docker-fish-completion
No package named docker-logrotate
No package named docker-unit-test
No package named docker-vim
No package named docker-zsh-completion
# urpmq -ya docker
docker
docker-devel
docker-pkg-devel
docker-registry
python-docker-py
python-docker-registry-core
python3-docker-py
wmdocker
Testing using info from Bruno's docker docs.
# docker --version
Docker version 1.9.1, build a34a1d5
# docker info
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
# systemctl start docker.service
# docker info
Containers: 0
Images: 0
Server Version: 1.9.1
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 0
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.1.15-desktop-2.mga5
Operating System: Mageia 5
CPUs: 4
Total Memory: 7.722 GiB
Name: localhost.localdomain
ID: Y45C:TRGZ:47MS:DZ76:KFXJ:LD5U:KBG2:DQQA:QVA3:XCVX:3RJO:4Y76
WARNING: No memory limit support
WARNING: No swap limit support
# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b901d36b6f2f: Pull complete
0a6ba66e537a: Pull complete
Digest: sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
Status: Downloaded newer image for hello-world:latest
Hello from Docker.
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker Hub account:
https://hub.docker.com
For more examples and ideas, visit:
https://docs.docker.com/userguide/

Whiteboard: advisory => advisory has_procedure mga5-64-ok

Cleaning up .. (output is probably not formatted correctly here.)
# docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED         STATUS                     PORTS   NAMES
9892c53db171   hello-world   "/hello"   4 minutes ago   Exited (0) 4 minutes ago           evil_gates
# docker rm 9892c53db171
9892c53db171
# systemctl stop docker.service
Remove the packages if desired.
Dave Hodgins
2016-02-05 03:51:12 CET
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0043.html

Status: ASSIGNED => RESOLVED