Ubuntu has issued an advisory on August 19: https://usn.ubuntu.com/4103-2/ Mageia 6 and Mageia 7 may also be affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
docker-ce-18.09.8 fixes the issue (looking at the code in components/cli/vendor/github.com/docker/docker-credential-helpers/secretservice/secretservice_linux.go) and has been uploaded into updates_testing for Mageia 7
Status: NEW => ASSIGNED
CC: (none) => bruno
Uploaded packages:
docker-18.09.3-2.mga7
docker-devel-18.09.3-2.mga7
docker-fish-completion-18.09.3-2.mga7
docker-logrotate-18.09.3-2.mga7
docker-unit-test-18.09.3-2.mga7
docker-vim-18.09.3-2.mga7
docker-zsh-completion-18.09.3-2.mga7
docker-nano-18.09.3-2.mga7

Is Mageia 6 affected?
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
docker 18.06.3-1.2 in updates_testing should fix the CVE with an applied patch derived from upstream.
(In reply to Bruno Cornec from comment #3)
> docker 18.06.3-1.2 in updates_testing should fix the CVE with an applied
> patch derived from upstream.

For Mageia 6!
For Mageia 7 the version is 18.09.8
Now working on cauldron...
Cauldron is now updated with docker 19.03.2
Assignee: bruno.cornec => qa-bugs
(In reply to Bruno Cornec from comment #4)
> For Mageia 7 the version is 18.09.8

No it isn't. Did you forget to commit something?
CC: (none) => bruno.cornec, qa-bugs
Assignee: qa-bugs => bruno.cornec
Uploaded for Mageia 6:
docker-18.06.3-1.2.mga6
docker-devel-18.06.3-1.2.mga6
docker-fish-completion-18.06.3-1.2.mga6
docker-logrotate-18.06.3-1.2.mga6
docker-unit-test-18.06.3-1.2.mga6
docker-vim-18.06.3-1.2.mga6
docker-zsh-completion-18.06.3-1.2.mga6
docker-nano-18.06.3-1.2.mga6

What about the python-docker and docker-compose that you built? Are they supposed to be part of this update (what are they for?) or are you filing another bug for them?
The 2 other packages are linked to https://bugs.mageia.org/show_bug.cgi?id=24652 not to this one.

(In reply to David Walser from comment #6)
> (In reply to Bruno Cornec from comment #4)
> > For Mageia 7 the version is 18.09.8
>
> No it isn't. Did you forget to commit something?

Yep :-( Now submitted with the correct version.
Advisory for the CVE. I don't know if you have anything to add for python-docker and docker-compose...

Advisory:
========================

Updated docker packages fix security vulnerability:

Jasiel Spelman discovered that a double free existed in the docker-credential-helpers bundled in Docker. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code (CVE-2019-1020014).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1020014
https://usn.ubuntu.com/4103-2/
========================

Updated packages in core/updates_testing:
========================
docker-18.06.3-1.2.mga6
docker-devel-18.06.3-1.2.mga6
docker-fish-completion-18.06.3-1.2.mga6
docker-logrotate-18.06.3-1.2.mga6
docker-unit-test-18.06.3-1.2.mga6
docker-vim-18.06.3-1.2.mga6
docker-zsh-completion-18.06.3-1.2.mga6
docker-nano-18.06.3-1.2.mga6
docker-18.09.8-1.mga7
docker-devel-18.09.8-1.mga7
docker-fish-completion-18.09.8-1.mga7
docker-logrotate-18.09.8-1.mga7
docker-unit-test-18.09.8-1.mga7
docker-vim-18.09.8-1.mga7
docker-zsh-completion-18.09.8-1.mga7
docker-nano-18.09.8-1.mga7

from SRPMS:
docker-18.06.3-1.2.mga6.src.rpm
docker-18.09.8-1.mga7.src.rpm
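
A check of installed packages against the fixed builds listed in the advisory above, as an added example that is not part of the bug thread. The function names and the sample input are assumptions made for illustration, and `sort -V` stands in for RPM's own version comparison.

```bash
#!/usr/bin/env bash
# Added example (not from the bug thread). Fixed builds and binary package
# names are copied from the advisory in comment 9.
ADVISORY_PKGS="docker docker-devel docker-fish-completion docker-logrotate docker-unit-test docker-vim docker-zsh-completion docker-nano"

fixed_for() {  # distro tag -> first fixed version-release
  case "$1" in
    mga6) echo "18.06.3-1.2" ;;
    mga7) echo "18.09.8-1" ;;
    *)    return 1 ;;
  esac
}

# check_pkg NAME-VERSION-RELEASE -> prints FIXED, OUTDATED or SKIP
check_pkg() {
  local nvr="$1" rel ver name dist have fixed lowest
  rel=${nvr##*-}; nvr=${nvr%-*}      # release with distro tag, e.g. 2.mga7
  ver=${nvr##*-}; name=${nvr%-*}     # e.g. 18.09.3 and docker-vim
  dist=${rel##*.}; have="$ver-${rel%.*}"
  # Only the binary packages named in the advisory are checked; anything
  # else (docker-containerd, for instance) is reported as SKIP.
  case " $ADVISORY_PKGS " in *" $name "*) ;; *) echo SKIP; return 0 ;; esac
  fixed=$(fixed_for "$dist") || { echo SKIP; return 0; }
  # sort -V approximates RPM version ordering; adequate for these values.
  lowest=$(printf '%s\n%s\n' "$have" "$fixed" | sort -V | head -n1)
  if [ "$lowest" = "$fixed" ]; then echo FIXED; else echo OUTDATED; fi
}

audit() {  # reads `rpm -qa`-style lines on stdin, one package per line
  local line
  while IFS= read -r line; do
    [ -n "$line" ] && printf '%-40s %s\n' "$line" "$(check_pkg "$line")"
  done
  return 0
}

# Constructed sample; on a real host use: rpm -qa | grep docker | audit
audit <<'EOF'
docker-18.09.3-2.mga7
docker-18.09.8-1.mga7
docker-containerd-1.2.5-2.mga7
docker-nano-18.06.3-1.2.mga6
EOF
```
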
Ahh, I see the other packages are in Bug 24652. Assigning to QA. Advisory and package list in Comment 9.
mga6, x86_64

Clean update.
Ran some basic tests, referring to an earlier bug report. The most thorough test would be to run Bruno's Labs which is a bit beyond this tester's sketchy acquaintance with container technology. However Bruno provided a helpful recipe in comment 13, https://bugs.mageia.org/show_bug.cgi?id=24374 which I shall return to later.

Started docker dæmon.
Granted user privileges to lcl.
$ sudo usermod -aG docker lcl
$ id lcl
uid=1000(lcl) gid=1000(lcl) groups=955(docker),954(vboxusers),946(qarepo),940(wireshark),1000(lcl)
Logged out and in and restarted docker.
$ docker version
Client:
 Version: 18.06.0-dev
 API version: 1.38
 Go version: go1.11.5
[...]
Server:
 Engine:
  Version: 18.06.3-ce
  API version: 1.38 (minimum version 1.12)

Current go version:
$ go version
go version go1.11.13 linux/amd64

$ docker run debian echo "Hello World"
Hello World
That worked smoothly because the debian:latest image was already in the system.

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Message from shell Debby in container debian"
Message from shell Debby in container debian
root@Debby:/# exit
exit

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# mv /bin /basket
root@Debby:/# ls
bash: ls: command not found
root@Debby:/#

From another terminal:
$ docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
9f677465bf18   debian   "/bin/bash"   2 minutes ago   Up 2 minutes           adoring_banach
$ docker inspect adoring_banach
[
    {
        "Id": "9f677465bf189f49374bcffdeb2ee1620054dbb3374dd6ae8ad594f07e9756a2",
        "Created": "2019-09-09T08:35:06.58767681Z",
        "Path": "/bin/bash",
        "Args": [],
        "State": {
            "Status": "running",
[...]
$ docker inspect adoring_banach | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",

Could not get much further at this point even though I have a docker hub id and password. Login was successful.

OK, taking up the thread from point 5 of Bruno's recipe.
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND                CREATED             STATUS                         PORTS   NAMES
9f677465bf18   debian          "/bin/bash"            40 minutes ago      Up 40 minutes                          adoring_banach
37f86a9f1695   debian          "/bin/bash"            43 minutes ago      Exited (0) 41 minutes ago              dreamy_varahamihira
3a0bab492449   debian          "/bin/bash"            About an hour ago   Exited (0) 44 minutes ago              eloquent_curran
b42d4cb60b29   debian          "echo 'Hello World'"   About an hour ago   Exited (0) About an hour ago           agitated_leakey
6df72c73c123   debian          "bash"                 5 months ago        Exited (255) 4 months ago              cowsay
c70d49401bea   fedora:latest   "/bin/bash"            5 months ago        Exited (0) 5 months ago                upbeat_chatterjee
23a1a062bdde   fedora:latest   "/bin/bash"            5 months ago        Exited (255) 4 months ago              pedantic_sammet
64740c6ad06b   hello-world     "/hello"               5 months ago        Exited (0) 5 months ago                gracious_keldysh

Removed most of those with the command:
$ docker rm <CONTAINER ID>

$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
[...]
For more examples and ideas, visit:
 https://docs.docker.com/get-started/

$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED        SIZE
debian        latest   2d337f242f07   5 months ago   101MB
mageia        6        87bf589833e3   5 months ago   317MB
fedora        latest   d09302f77cfc   6 months ago   275MB
hello-world   latest   fce289e99eb9   8 months ago   1.84kB

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
5a915a173fbc: Pull complete
Digest: sha256:d8d53450cae00985f9dad54a3520944c59e64aa8f01d3be61988404e11c15973
Status: Downloaded newer image for fedora:latest
$ docker ps -a | grep fedora
$
$ docker run -ti fedora:latest /bin/bash
[root@a571c1f28d2f /]# dnf install tcsh
Fedora Modular 30 - x86_64                      1.9 MB/s | 1.9 MB     00:01
Fedora Modular 30 - x86_64 - Updates            2.0 MB/s | 2.9 MB     00:01
Fedora 30 - x86_64 - Updates                    2.5 MB/s |  23 MB     00:09
Fedora 30 - x86_64                              5.6 MB/s |  61 MB     00:10
Dependencies resolved.
================================================================================
 Package       Architecture    Version              Repository    Size
================================================================================
Installing:
 tcsh          x86_64          6.20.00-12.fc30      fedora        421 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 421 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
tcsh-6.20.00-12.fc30.x86_64.rpm                 1.4 MB/s | 421 kB     00:00
--------------------------------------------------------------------------------
Total                                           861 kB/s | 421 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                          1/1
  Installing       : tcsh-6.20.00-12.fc30.x86_64              1/1
  Running scriptlet: tcsh-6.20.00-12.fc30.x86_64              1/1
  Verifying        : tcsh-6.20.00-12.fc30.x86_64              1/1

Installed:
  tcsh-6.20.00-12.fc30.x86_64

Complete!
[root@a571c1f28d2f /]# exit
exit
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                      PORTS   NAMES
a571c1f28d2f   fedora:latest   "/bin/bash"   4 minutes ago    Exited (0) 38 seconds ago           naughty_bhabha
2bd09b571a70   hello-world     "/hello"      13 minutes ago   Exited (0) 13 minutes ago           gifted_carson

That all looks OK.
Thanks again Bruno for earlier help.
CC: (none) => tarazed25
mga7, x86_64

Before update:
$ rpm -qa | grep docker
docker-18.09.3-2.mga7
docker-logrotate-18.09.3-2.mga7
docker-zsh-completion-18.09.3-2.mga7
docker-unit-test-18.09.3-2.mga7
docker-containerd-1.2.5-2.mga7
docker-vim-18.09.3-2.mga7
docker-nano-18.09.3-2.mga7
docker-fish-completion-18.09.3-2.mga7
docker-devel-18.09.3-2.mga7
$ id lcl
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl)
$ sudo usermod -aG docker lcl
Logged out and in.
Continuing from comment 12:

Clean update of all eight packages.
Started docker running.
$ docker ps -a
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
$
$ docker version
Client:
 Version: 18.09.0-dev
.....
Server:
 Engine:
  Version: 18.09.8

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:451ce787d12369c5df2a32c85e5a03d52cbcef6eb3586dd03075f3034f10adcd
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED        SIZE
hello-world   latest   fce289e99eb9   8 months ago   1.84kB
$ docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED         STATUS                     PORTS   NAMES
ea64d7925056   hello-world   "/hello"   3 minutes ago   Exited (0) 3 minutes ago           elated_matsumoto

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
5a915a173fbc: Pull complete
Digest: sha256:d8d53450cae00985f9dad54a3520944c59e64aa8f01d3be61988404e11c15973
Status: Downloaded newer image for fedora:latest
$ docker run -ti fedora:latest /bin/bash
[root@abfb669f150e /]# dnf install tcsh
Fedora Modular 30 - x86_64                      1.0 MB/s | 1.9 MB     00:01
Fedora Modular 30 - x86_64 - Updates            2.4 MB/s | 2.9 MB     00:01
[...]
Installed:
  tcsh-6.20.00-12.fc30.x86_64

Complete!

That all worked fine again.
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED         STATUS                       PORTS   NAMES
abfb669f150e   fedora:latest   "/bin/bash"   4 minutes ago   Exited (127) 5 seconds ago           epic_hoover
ea64d7925056   hello-world     "/hello"      9 minutes ago   Exited (0) 9 minutes ago             elated_matsumoto
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK MGA7-64-OK
Validating. Advisory in Comment 9.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0269.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2019-13509: https://lists.opensuse.org/opensuse-updates/2019-08/msg00203.html