Upstream has issued an advisory on October 12: https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/
OpenSuSE has issued an advisory for this on October 17: http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html
The issues are fixed upstream in 1.8.3 and 1.6.2-CS7.
Strangely, I can't find the Mageia 5 package with urpmq, but I think we have one.
URL: (none) => http://lwn.net/Vulnerabilities/660897/
Red Hat won't fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1271253
https://bugzilla.redhat.com/show_bug.cgi?id=1271256
IIUC it seems that the patches in relation to these CVEs are here: https://github.com/docker/docker/pull/16953/commits
I tried applying one of these (which are very large) and got lots of rejects. I don't have the knowledge to solve all that, so I propose that we update docker in mga5 to 1.8.3, the last stable release, which includes the fixes for these CVEs. Let me know your thoughts.
Status: NEW => ASSIGNED
If you think it's safe to update it for people who are using it in Mageia 5, I'll trust your judgment on that. It does sound like the only viable option for fixing it. Thanks for looking into it.
Bruno, ping.. :) Please continue with upgrade.
CC: (none) => mageia
Sorry for the delay updating it. I tried 1.8.3 and 1.9.1 but that is not building, due to a golang version which is a bit too old on Mageia. So should we start by updating golang first, in order to be able to build docker again?
Example:
---> Making bundle: dynbinary (in bundles/1.8.3/dynbinary)
Created binary: bundles/1.8.3/dynbinary/dockerinit-1.8.3
Building: bundles/1.8.3/dynbinary/docker-1.8.3
# github.com/endophage/gotuf/signed
vendor/src/github.com/endophage/gotuf/signed/verifiers.go:102: unknown rsa.PSSOptions field 'Hash' in struct literal
# github.com/docker/docker/daemon
.gopath/src/github.com/docker/docker/daemon/debugtrap_unix.go:17: syntax error: unexpected range, expecting
(In reply to Bruno Cornec from comment #4)
> Sorry for the delay updating it. I tried 1.8.3 and 1.9.1 but that is not
> building, due to a golang version which is a bit too old on Mageia. So
> should we start by updating golang first, in order to be able to build
> docker again?
As long as updating golang doesn't break anything (and I wouldn't imagine that it would), I'd say go for it.
golang has been updated and pushed to updates for 5.
Package list in updates_testing:
golang-1.4.3-1.mga5
docker-1.9.1-1.mga5
docker-devel-1.9.1-1.mga5
docker-fish-completion-1.9.1-1.mga5
docker-logrotate-1.9.1-1.mga5
docker-unit-test-1.9.1-1.mga5
docker-vim-1.9.1-1.mga5
docker-zsh-completion-1.9.1-1.mga5
from SRPMS:
golang-1.4.3-1.mga5.src.rpm
docker-1.9.1-1.mga5.src.rpm
Upstream blog posts about the security update and the 1.9 release:
https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/
http://blog.docker.com/2015/11/docker-1-9-production-ready-swarm-multi-host-networking/
Version: Cauldron => 5
Assignee: bruno => qa-bugs
Feel free to add additional references for the golang or docker updates.
Suggested advisory:
==================
Manipulated layer IDs could have led to local graph poisoning (CVE-2014-8178).
Manifest validation and parsing logic errors allowed pull-by-digest validation bypass (CVE-2014-8179).
To fix these issues, the golang package has been updated to version 1.4.3 and the docker package has been updated to version 1.9.1.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8179
https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/
http://blog.docker.com/2015/11/docker-1-9-production-ready-swarm-multi-host-networking/
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html
CC: (none) => bruno
If the container is available on Docker Hub, you just have to do "docker pull ctnname" and then "docker run -ti imgid /bin/bash" and you're in it.
I've done a Lab doc for Docker for internal trainings that is available at http://fr.slideshare.net/eurolinux/lab-docker
Bruno.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete mga5 64

Most of these packages are new to mga5.
No package named docker-fish-completion
No package named docker-logrotate
No package named docker-unit-test
No package named docker-vim
No package named docker-zsh-completion

# urpmq -ya docker
docker
docker-devel
docker-pkg-devel
docker-registry
python-docker-py
python-docker-registry-core
python3-docker-py
wmdocker

Testing using info from Bruno's docker docs.

# docker --version
Docker version 1.9.1, build a34a1d5
# docker info
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
# systemctl start docker.service
# docker info
Containers: 0
Images: 0
Server Version: 1.9.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 0
 Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.1.15-desktop-2.mga5
Operating System: Mageia 5
CPUs: 4
Total Memory: 7.722 GiB
Name: localhost.localdomain
ID: Y45C:TRGZ:47MS:DZ76:KFXJ:LD5U:KBG2:DQQA:QVA3:XCVX:3RJO:4Y76
WARNING: No memory limit support
WARNING: No swap limit support
# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b901d36b6f2f: Pull complete
0a6ba66e537a: Pull complete
Digest: sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
Status: Downloaded newer image for hello-world:latest

Hello from Docker.
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/userguide/
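Added here as an example, not part of the bug report or of the Docker or Mageia packages: a POSIX sh check that parses the "docker --version" line shown in the test above and reports whether the engine is at or past the upstream fix level for CVE-2014-8178 / CVE-2014-8179 (1.8.3, or cs7 on the 1.6.2-CS branch named in the advisory). The function names and the assumed "1.6.2-csN" spelling of CS version strings are this example's own.

```shell
# Added example, not from the bug report: decide from the output of
# `docker --version` whether an engine already carries the fixes for
# CVE-2014-8178 / CVE-2014-8179 (upstream: 1.8.3, or 1.6.2-CS7 on the
# commercially supported branch). Function names and the assumed
# "1.6.2-csN" spelling of CS versions are this example's own.

# vercmp A B: compare dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}            # missing components count as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# docker_fixed "<docker --version line>": returns 0 if fixed, 1 if the
# version predates the fix, 2 if the line cannot be parsed.
docker_fixed() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^Docker version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    # Commercially supported 1.6.2-csN branch: fixed from cs7 on (assumed format).
    cs=$(printf '%s\n' "$line" | sed -n 's/^Docker version 1\.6\.2-[cC][sS]\([0-9][0-9]*\).*/\1/p')
    if [ -n "$cs" ]; then
        [ "$cs" -ge 7 ]
        return
    fi
    [ "$(vercmp "$ver" 1.8.3)" -ge 0 ]
}

# Stand-alone usage: `sh thisfile.sh --self` checks the engine installed on this host.
if [ "${1:-}" = "--self" ]; then
    docker_fixed "$(docker --version 2>/dev/null)" && echo fixed || echo "not fixed or unknown"
fi
```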
Whiteboard: advisory => advisory has_procedure mga5-64-ok
Cleaning up .. (output is probably not formatted correctly here.)
# docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED         STATUS                     PORTS   NAMES
9892c53db171   hello-world   "/hello"   4 minutes ago   Exited (0) 4 minutes ago           evil_gates
# docker rm 9892c53db171
9892c53db171
# systemctl stop docker.service
Remove the packages if desired.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0043.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED