| Summary: | docker new security issue CVE-2019-14271 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Bruno Cornec <bruno> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | mageia |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | docker-19.03.5-2.mga8.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 19.03.8 | | |

Description
David Walser
2019-11-26 20:25:50 CET
We can move to the cauldron versions of docker for mga7, but we'll in fact need to update all the other related packages (opencontainer-runc, docker-containerd, ...) as well. I can confirm that these packages work on both mga6 and mga7 as that's what I'm using currently. Let me know what is the recommended approach.

Status: NEW => ASSIGNED

Patch it if you can, update otherwise.
David Walser
2020-01-14 17:43:53 CET
Status comment: (none) => Fixed upstream in 19.03.1

Ok, from https://github.com/moby/moby/pull/39612 seems it only affects 19.03.x. Anyway I'm updating docker in mga7 to 18.09.9 to be up to date, and similarly cauldron to 19.03.5. Will update when packages are rebuilt.

Ok, we can open a new bug for that mga7 bugfix update since this one doesn't impact it.

Status: ASSIGNED => RESOLVED

packages for docker 18.09.9 submitted for mga7

Ok, FTR 19.03.5 also pushed to cauldron. Concerning 18.09.9, the changelog is here: https://github.com/docker/docker-ce/blob/v18.09.9/CHANGELOG.md
Mostly bug fixes, no security one.

Go ahead and open a new bug and assign it to QA.

The fix for this CVE was improved in 19.03.8. It should be updated again in Cauldron.

The current version is now 19.03.9:
https://github.com/docker/docker-ce/releases/tag/v19.03.9
https://github.com/docker/docker-ce/blob/v19.03.9/CHANGELOG.md

Status comment: Fixed upstream in 19.03.1 => Fixed upstream in 19.03.8

Bruno do you think that you can take a look at this update?

CC: (none) => mageia

Current stable is now 19.03.10:
https://github.com/docker/docker-ce/blob/v19.03.10/CHANGELOG.md

Was trying with .9 and had errors building:

    # github.com/docker/docker/volume/mounts
    _build/src/github.com/docker/docker/volume/mounts/mounts.go:116:6: undefined: "github.com/docker/docker/vendor/github.com/pkg/errors".Is
    # github.com/docker/docker/daemon/logger/loggerutils
    _build/src/github.com/docker/docker/daemon/logger/loggerutils/logfile.go:179:8: undefined: "github.com/docker/docker/vendor/github.com/pkg/errors".Is

Will update to .10 and see whether this part is fixed at the same time.

Well you meant .11 ;-)

I didn't, but you saw it before DistroWatch did:
https://github.com/docker/docker-ce/blob/v19.03.11/CHANGELOG.md

And now we have another security issue, CVE-2020-13401. Hopefully it doesn't affect Mageia 7.

Hummm .11 has the same build issue as .9 :-( Will work on a patch, but as I'm not go fluent, it may take a bit of time before I succeed. (I really hate the way they manage their import, but I have to deal with it)

Seems these new versions now require go 1.13 to provide the Is function used in code. Cf: https://blog.golang.org/go1.13-errors
That's why I had issue, as building with mga7 which "only" has 1.12. Will use my cauldron docker to build with go 1.14 and see whether it's better.

That was the problem. To be kept in mind if we need to update it for mga7, we'll have to also update golang as well.

Packages build in progress on build farm.

Assignee: bruno => qa-bugs

David Walser
2020-06-02 14:00:18 CEST
Assignee: qa-bugs => bruno

We don't assign Cauldron updates to QA. If it builds, mark as FIXED. If we find out the new CVE affects Mageia 7, we can open a new bug.

Ah yes sorry, IIRC you already told it in the past, sorry for being so slow :-(

Packages were built so I close this one. Let me know if there is anything we have to do for mga7. Thanks David for all your work following the security info.

Resolution: (none) => FIXED