Fedora has issued an advisory on December 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LA2D3UDMXW44UEZC4BRH5EKHBGQNP2UC/ I don't know where in the docker source the vulnerable code is, where the fix is, or in what upstream version it was included. Mageia 5 and Mageia 6 are most likely affected.
Looks like it was fixed in 17.09.1: https://docs.docker.com/release-notes/docker-ce/#stable-releases
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 17.09.1
openSUSE has issued an advisory on February 9: https://lists.opensuse.org/opensuse-updates/2018-02/msg00034.html This issue was also fixed upstream in 17.09.1.
Summary: docker new security issue CVE-2017-14992 => docker new security issue CVE-2017-14992 and CVE-2017-16539
I have started to work on the update of the full Docker stack, but encountered some issues. Will work with the ML for some help around it.
Status: NEW => ASSIGNED
Fedora has issued an advisory on July 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZROWSFFIHGDTF4YUUQMDDKXOWPTGADSF/ I'm not sure if this new issue, CVE-2018-10892, affects us. It has been fixed in a commit upstream but not yet in a released docker-ce version. According to this comment upstream, our kernel may protect against this already: https://github.com/moby/moby/pull/37404#issuecomment-403221335
Joseph Wang has made docker packages that are now working, so as soon as it's pushed in cauldron, I'll try to update 6 with these versions if possible.
docker-18.06.1-1.mga7 is now in cauldron
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
I updated golang to 1.11.1 in mga6 updates_testing in order to be able to compile docker afterwards (1.10+ needed). It would need to be pushed before I can update docker for mga6
docker-18.06.1-1.mga6 is now pushed to updates_testing. In order to test it, you also need additional updates pushed in the same place:
- opencontainers-runc-1.0.0rc5-3.mga6
- docker-containerd-1.2.0-0.beta.2.2.mga6
Assignee: bruno => qa-bugs
Advisory:
========================

Updated docker packages fix security vulnerabilities:

Lack of content verification in docker allowed a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing (CVE-2017-14992).

The DefaultLinuxSpec function in oci/defaults.go in docker did not block /proc/scsi pathnames, which allowed attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP (CVE-2017-16539).

Container breakout without selinux in enforcing mode (CVE-2018-10892).

The docker package has been updated to version 18.06.1 to fix these issues and other bugs. Also, the golang package was updated to version 1.11.1 to be able to build the updated docker software. Additionally, the docker-containerd and opencontainers-runc packages have been updated to work with the updated docker package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10892
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LA2D3UDMXW44UEZC4BRH5EKHBGQNP2UC/
https://lists.opensuse.org/opensuse-updates/2018-02/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZROWSFFIHGDTF4YUUQMDDKXOWPTGADSF/
========================

Updated packages in core/updates_testing:
========================
golang-1.11.1-1.mga6
golang-docs-1.11.1-1.mga6
golang-misc-1.11.1-1.mga6
golang-tests-1.11.1-1.mga6
golang-src-1.11.1-1.mga6
golang-bin-1.11.1-1.mga6
golang-shared-1.11.1-1.mga6
docker-containerd-1.2.0-0.beta.2.2.mga6
opencontainers-runc-1.0.0rc5-3.mga6
docker-18.06.1-1.mga6
docker-devel-18.06.1-1.mga6
docker-fish-completion-18.06.1-1.mga6
docker-logrotate-18.06.1-1.mga6
docker-unit-test-18.06.1-1.mga6
docker-vim-18.06.1-1.mga6
docker-zsh-completion-18.06.1-1.mga6
docker-nano-18.06.1-1.mga6

from SRPMS:
golang-1.11.1-1.mga6.src.rpm
docker-containerd-1.2.0-0.beta.2.2.mga6.src.rpm
opencontainers-runc-1.0.0rc5-3.mga6.src.rpm
docker-18.06.1-1.mga6.src.rpm
Oops - just gave this an OK - midair collision.
CC: (none) => tarazed25
Mageia 6, x86_64

Referring to my notes it looks like this has come up before - don't know the bug number. Referring to my ebook on using docker - I know we cannot advertise in Mageia but this volume is highly recommended by me. Shall try to limit quotes. Does anybody know the law on such matters?

Limiting this test to ensuring that the updated docker runs OK.

Before the update:
$ sudo systemctl enable docker
$ sudo systemctl start docker
Checked version with built-in command - a lot of output.
Grant user privileges to run docker.
$ sudo usermod -aG docker lcl
Logout and in.
$ sudo systemctl restart docker
Checked version, then:
$ docker run debian echo "Hello World"
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bc9ab73e5b14: Pull complete
Digest: sha256:802706fa62e75c96fff96ada0e8ca11f570895ae2e9ba4a9d409981750ca544c
Status: Downloaded newer image for debian:latest
Hello World

Successfully updated docker and golang.
$ sudo systemctl restart docker
The container is now available locally, stored as an image named debian.
$ docker run debian echo "Hello World"
Hello World
$ docker version
Client:
 Version:           18.06.0-dev
 API version:       1.38
 Go version:        go1.11.1
 Git commit:        e68fc7a
 Built:             Tue Oct 16 18:09:48 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          dev
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.11.1
  Git commit:       e68fc7a
  Built:            Tue Oct 16 18:08:16 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Establish a shell in the container:
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Can you hear me muther?"
Can you hear me muther?
root@Debby:/# exit
exit
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/#

Attempt to break the container...
root@Debby:/# mv /bin /basket
root@Debby:/# ls
bash: ls: command not found

From another terminal:
$ docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED              STATUS              PORTS   NAMES
5504fae8075d   debian   "/bin/bash"   About a minute ago   Up About a minute           zealous_pare
$ docker inspect zealous_pare
[
    {
        "Id": "5504fae8075de66538efb6f19688c89d1172ab3bf11e1fdc0fe1450e8a2d345a",
        "Created": "2018-10-18T08:58:26.920237021Z",
[...]
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]
Lots of information but if you know what to look for use grep:
$ docker inspect zealous_pare | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",
The format command can also be used to get specific information. There is a 'diff' command but the output does not mean much to me.

I do not think there is much point in working through the whole tutorial here - these simple tests should be enough to show that docker is running normally. But referring to the advisory: "Also, the golang package was updated to version 1.11.1 to be able to build the update docker software. Additionally, the docker-containerd and opencontainers-runc packages have been updated to work with the updated docker package." ??

OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
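Two of the three issues in the advisory (CVE-2017-16539 for /proc/scsi, CVE-2018-10892 for /proc/acpi) are paths that docker's default OCI spec failed to mask, and the test above confirms that docker runs rather than that those paths are now hidden. The script below is an added example, not code from this bug report, from docker or from runc. Run from inside a container, it reads /proc/self/mountinfo and reports, for each path, whether it is masked, absent, or exposed. It assumes runc's masking method (a directory is covered with an empty read-only tmpfs, a file with a bind mount of /dev/null, whose mountinfo "root" field reads /null), and the list of masked paths is my reading of the fixed default spec, not quoted from the advisory. "absent" is acceptable: runc skips a masked path that does not exist, so a host kernel that provides no /proc/acpi has nothing to mask. The sample mountinfo lines are constructed for the offline self-check.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report, docker or runc): verify from
# inside a container that docker's default masked paths are really masked.
# Assumption: runc masks a directory with an empty read-only tmpfs and a file
# with a bind mount of /dev/null (mountinfo "root" field is then /null).

# Assumed masked-path list of the fixed default spec; /proc/scsi is the
# CVE-2017-16539 fix, /proc/acpi the CVE-2018-10892 fix.
MASKED_PATHS="/proc/kcore /proc/keys /proc/latency_stats /proc/timer_list
/proc/timer_stats /proc/sched_debug /proc/scsi /proc/acpi /sys/firmware"

# mount_state PATH   (mountinfo on stdin)
# Prints devnull | tmpfs | other | none for the mount at PATH.
# mountinfo fields: id parent dev root mountpoint opts [optional...] - fstype source superopts
mount_state() {
    awk -v p="$1" '
        $5 == p {
            fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            if ($4 == "/null") state = "devnull"
            else if (fstype == "tmpfs") state = "tmpfs"
            else state = "other"          # e.g. a read-only bind of proc itself
            exit
        }
        END { print (state == "" ? "none" : state) }'
}

# verdict STATE EXISTS(yes|no) -> masked | absent | EXPOSED
# A path that is not mounted over but also does not exist was skipped by runc
# because the host kernel has no such node; only an existing, unmasked path is a finding.
verdict() {
    case "$1" in
        devnull|tmpfs) echo masked ;;
        none) if [ "$2" = yes ]; then echo EXPOSED; else echo absent; fi ;;
        *) echo EXPOSED ;;
    esac
}

# run_check [MOUNTINFO_FILE]; returns 1 if any path is exposed
run_check() {
    mi="${1:-/proc/self/mountinfo}"
    rc=0
    for p in $MASKED_PATHS; do
        if [ -e "$p" ]; then ex=yes; else ex=no; fi
        v=$(verdict "$(mount_state "$p" < "$mi")" "$ex")
        printf '%-20s %s\n' "$p" "$v"
        [ "$v" = EXPOSED ] && rc=1
    done
    return $rc
}

# Constructed sample modelled on /proc/self/mountinfo in a docker 18.06 container:
# /proc/kcore masked by /dev/null, /proc/scsi by a tmpfs, /proc/sys only remounted
# read-only (a bind of proc, not a mask), /proc/acpi not mounted over at all.
sample_mountinfo() {
    cat <<'EOF'
570 569 0:59 / / rw,relatime - overlay overlay rw
571 570 0:62 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
572 570 0:63 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
573 571 0:63 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
574 571 0:64 / /proc/scsi ro,relatime - tmpfs tmpfs ro
575 571 0:62 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
EOF
}

# Live run inside a container, e.g.
#   docker run --rm -v "$PWD/check-masked.sh:/check.sh:ro" debian sh /check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_check
    exit $?
fi
```

On a docker older than the fix, /proc/scsi prints EXPOSED on any host whose kernel still provides /proc/scsi; on the updated 18.06.1 packages every line should read masked or absent, and a non-zero exit from run_check is the signal to look further. Note that /proc/sys is deliberately reported as "other": it is remounted read-only, which is a different protection from masking.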
Validating. Suggested advisory in Comment 9.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0398.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2018-15664: https://usn.ubuntu.com/4048-1/