openSUSE has issued an advisory on August 30: https://lists.opensuse.org/opensuse-updates/2019-08/msg00203.html The issue is fixed upstream in 19.03.1.
We can move to the cauldron versions of docker for mga7, but we'll need in fact to update all the other packages related (opencontainer-runc, docker-containerd, ...) as well. I can confirm that these packages work on both mga6 and mga7 as that's what I'm using currently. Let me know what is the recommended approach.
Status: NEW => ASSIGNED
Patch it if you can, update otherwise.
Status comment: (none) => Fixed upstream in 19.03.1
Ok, from https://github.com/moby/moby/pull/39612 seems it only affects 19.03.x. Anyway I'm updating docker in mga7 to 18.09.9 to be up to date, and similarly cauldron to 19.03.5. Will update when packages are rebuilt.
Ok, we can open a new bug for that mga7 bugfix update since this one doesn't impact it.
Status: ASSIGNED => RESOLVED
Version: 7 => Cauldron
Resolution: (none) => FIXED
packages for docker 18.09.9 submitted for mga7
Ok, FTR 19.03.5 also pushed to cauldron. Concerning 18.09.9, the changelog is here: https://github.com/docker/docker-ce/blob/v18.09.9/CHANGELOG.md Mostly bug fixes, no security one.
Go ahead and open a new bug and assign it to QA.
See https://bugs.mageia.org/show_bug.cgi?id=26109
The fix for this CVE was improved in 19.03.8. It should be updated again in Cauldron. The current version is now 19.03.9: https://github.com/docker/docker-ce/releases/tag/v19.03.9 https://github.com/docker/docker-ce/blob/v19.03.9/CHANGELOG.md
Status comment: Fixed upstream in 19.03.1 => Fixed upstream in 19.03.8
Status: RESOLVED => REOPENED
Source RPM: docker-18.09.8-1.mga7.src.rpm => docker-19.03.5-2.mga8.src.rpm
Resolution: FIXED => (none)
Bruno, do you think that you can take a look at this update?
CC: (none) => mageia
Current stable is now 19.03.10: https://github.com/docker/docker-ce/blob/v19.03.10/CHANGELOG.md
Was trying with .9 and had errors building:
# github.com/docker/docker/volume/mounts
_build/src/github.com/docker/docker/volume/mounts/mounts.go:116:6: undefined: "github.com/docker/docker/vendor/github.com/pkg/errors".Is
# github.com/docker/docker/daemon/logger/loggerutils
_build/src/github.com/docker/docker/daemon/logger/loggerutils/logfile.go:179:8: undefined: "github.com/docker/docker/vendor/github.com/pkg/errors".Is
Will update to .10 and see whether this part is fixed at the same time.
Well you meant .11 ;-)
I didn't, but you saw it before DistroWatch did: https://github.com/docker/docker-ce/blob/v19.03.11/CHANGELOG.md And now we have another security issue, CVE-2020-13401. Hopefully it doesn't affect Mageia 7.
Hummm .11 has the same build issue as .9 :-( Will work on a patch, but as I'm not go fluent, it may take a bit of time before I succeed. (I really hate the way they manage their import, but I have to deal with it)
Seems these new versions now require go 1.13 to provide the Is function used in code. Cf: https://blog.golang.org/go1.13-errors That's why I had the issue, as I was building with mga7 which "only" has 1.12. Will use my cauldron docker to build with go 1.14 and see whether it's better.
That was the problem. To be kept in mind if we need to update it for mga7, we'll have to also update golang as well. Packages build in progress on build farm.
Assignee: bruno => qa-bugs
Assignee: qa-bugs => bruno
We don't assign Cauldron updates to QA. If it builds, mark as FIXED. If we find out the new CVE affects Mageia 7, we can open a new bug.
Ah yes sorry, IIRC you already told it in the past, sorry for being so slow :-( Packages were built so I close this one. Let me know if there is anything we have to do for mga7. Thanks David for all your work following the security info.
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED