OpenSuSE has issued an advisory today (November 13): http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html

The relevant part is about docker, as we already upgraded golang to 1.3.3 in Cauldron, fixing the other issue. There is a little more info about the docker CVE on the OpenSuSE bug: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-5277

OpenSuSE fixed it by updating Docker to version 1.3.1.
While trying to update docker-io to 1.3.0 I have an issue with golang-libcontainer:

+ mkdir -p ./_build/src/github.com/docker
++ pwd
+ ln -s /users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0 ./_build/src/github.com/docker/libcontainer
++ pwd
+ export GOPATH=/users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build:/usr/lib64/golang
+ GOPATH=/users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build:/usr/lib64/golang
++ pwd
+ pushd /users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build/src
~/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build/src ~/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0
+ go build github.com/docker/libcontainer/nsinit
# github.com/docker/libcontainer/namespaces/nsenter
/tmp/go-build681149517/github.com/docker/libcontainer/namespaces/nsenter/_obj/nsenter.cgo2.o: dans la fonction « init »:
/usr/lib64/golang/src/pkg/github.com/docker/libcontainer/namespaces/nsenter/nsenter.go:7: référence indéfinie vers « nsenter »
collect2: erreur: ld a retourné 1 code d'état d'exécution
erreur : Mauvais statut de sortie pour /users/bruno/prj/mageia/golang-libcontainer/BUILDROOT/rpm-tmp.8GL0hS (%build)

If someone has a clue that would be great!
I'm now trying with docker 1.3.1 (tagged or git version) and still have an issue, even after importing all the new golang packages needed:

+ export DOCKER_GITCOMMIT=c59b308/1.3.1.gitc59b308
+ DOCKER_GITCOMMIT=c59b308/1.3.1.gitc59b308
++ pwd
+ export GOPATH=/users/bruno/prj/mageia/docker-io/BUILD/docker-c59b308b6b2fc8112a93d64f4922b0ece01a4e6a/_build:/usr/lib64/golang
+ GOPATH=/users/bruno/prj/mageia/docker-io/BUILD/docker-c59b308b6b2fc8112a93d64f4922b0ece01a4e6a/_build:/usr/lib64/golang
+ hack/make.sh dynbinary
# WARNING! I don't seem to be running in the Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
---> Making bundle: dynbinary (in bundles/1.3.1-dev/dynbinary)
# github.com/docker/docker/pkg/archive
_build/src/github.com/docker/docker/pkg/archive/changes.go:138: undefined: system.Stat
erreur : Mauvais statut de sortie pour /users/bruno/prj/mageia/docker-io/BUILDROOT/rpm-tmp.E6nCVe (%build)

So again looking for hints, as I found nothing on my side alone...
Upstream has issued an advisory today (November 24): http://openwall.com/lists/oss-security/2014/11/24/5 This addresses two new CVEs, CVE-2014-6407 and CVE-2014-6408. CVE-2014-6408 doesn't affect us as we hadn't yet upgraded to 1.3.x. Both issues are fixed in 1.3.2.
Summary: docker-io new security issue CVE-2014-5277 => docker-io new security issues CVE-2014-5277 and CVE-2014-6407
The press has caught wind of this :o): http://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/
Severity: normal => critical
More info on all of these vulnerabilities: http://www.eweek.com/blogs/security-watch/docker-update-fixes-pair-of-critical-security-flaws.html
Blocks: (none) => 14674
LWN reference for CVE-2014-6707 and CVE-2014-6708: http://lwn.net/Vulnerabilities/625052/
Docker 1.3.3 and 1.4.0 have been released, fixing more security issues: http://openwall.com/lists/oss-security/2014/12/12/1
Summary: docker-io new security issues CVE-2014-5277 and CVE-2014-6407 => docker-io new security issues CVE-2014-5277, CVE-2014-6407, and CVE-2014-935[6-8]
(In reply to David Walser from comment #7)
> Docker 1.3.3 and 1.4.0 have been released, fixing more security issues:
> http://openwall.com/lists/oss-security/2014/12/12/1

Fedora has issued an advisory for this on December 13: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146224.html
LWN reference for CVE-2014-935[6-8]: http://lwn.net/Vulnerabilities/626414/
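The comments above spread the fixed versions over several advisories (CVE-2014-5277 fixed in 1.3.1, CVE-2014-6407 and CVE-2014-6408 in 1.3.2, CVE-2014-9356 to -9358 in 1.3.3 and 1.4.0). The following is an added example, not code from this bug or from the Docker or Mageia projects: a small POSIX sh checker that compares a Docker version string (including distribution-suffixed ones such as 1.4.1-2.mga5) against those fixed versions and lists which of the issues named in this thread the version still lacks a fix for. The CVE-to-version mapping is taken only from the comments above; `installed_docker_version` assumes the `docker --version` output format "Docker version X.Y.Z, build ..." and is not exercised by the checks.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which of the Docker CVEs
# discussed in this thread are still unfixed for a given Docker version.
# Fixed-version mapping, as stated in the thread's comments:
#   CVE-2014-5277            -> fixed in 1.3.1
#   CVE-2014-6407, -6408     -> fixed in 1.3.2
#   CVE-2014-9356, -9357, -9358 -> fixed in 1.3.3 (also in 1.4.0)
FIXED_VERSIONS="CVE-2014-5277:1.3.1 CVE-2014-6407:1.3.2 CVE-2014-6408:1.3.2 \
CVE-2014-9356:1.3.3 CVE-2014-9357:1.3.3 CVE-2014-9358:1.3.3"

# split_version "1.4.1-2.mga5" -> "1 4 1"
# Strips a packaging suffix after '-' and pads missing components with 0.
split_version() {
    v=${1%%-*}
    echo "$v" | awk -F. '{ printf "%d %d %d", $1+0, $2+0, $3+0 }'
}

# version_ge A B : succeeds when dotted version A >= B (numeric comparison,
# three components, so "1.10.0" correctly sorts above "1.9.0").
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    if [ "$1" -gt "$4" ]; then return 0; fi
    if [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; fi
    if [ "$2" -lt "$5" ]; then return 1; fi
    if [ "$3" -ge "$6" ]; then return 0; fi
    return 1
}

# unfixed_cves VERSION : prints one CVE id per line for every entry whose
# fixed version is newer than VERSION. Empty output means all are fixed.
unfixed_cves() {
    ver=$1
    for entry in $FIXED_VERSIONS; do
        cve=${entry%%:*}
        fixed=${entry#*:}
        version_ge "$ver" "$fixed" || echo "$cve"
    done
}

# unfixed_count VERSION : number of unfixed CVEs, convenient for scripting.
unfixed_count() {
    unfixed_cves "$1" | awk 'END { print NR }'
}

# installed_docker_version : extract "X.Y.Z" from `docker --version`.
# Assumes the output format "Docker version X.Y.Z, build abc1234".
installed_docker_version() {
    docker --version 2>/dev/null | sed -n 's/^Docker version \([^,]*\),.*/\1/p'
}

# Usage: ./check-docker-cves.sh 1.3.1   (or no argument to use `docker --version`)
if [ -n "${1:-}" ]; then
    unfixed_cves "$1"
fi
```

Run with a version argument to audit a package before it is pushed, or without one on a host to check the running daemon; a non-empty listing means at least one of the advisories in this thread still applies. The comparison is purely numeric, so pre-release or git-suffixed versions such as "1.3.1-dev" are judged by their numeric part only.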
Updated to 1.4.1. Still the same build issue. Building locally outside of packages and just trying the docker build process works. So I need to dig and find what the differences are. I've also opened an upstream bug to get help on this at https://github.com/docker/docker/issues/9453
Ping...
CC: (none) => mageia
Still working on it, in particular this weekend.
I have asked to push the related packages to have docker 1.4.1 in cauldron and mga5.
Status: NEW => ASSIGNED
Fixed in docker-1.4.1-2.mga5. Nice work Bruno!
Resolution: (none) => FIXED
Blocks: 14674 => (none)
Status: ASSIGNED => RESOLVED