Ubuntu has issued an advisory on October 15:
https://ubuntu.com/security/notices/USN-4589-2

More details are here:
https://www.openwall.com/lists/oss-security/2020/10/15/1

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
docker-19.03.13-1.mga8 source rpm uploaded with corresponding build packages to fix this for cauldron. Mageia7 in process.
Status: NEW => ASSIGNED
docker-18.09.9-1.2.mga7 source rpm uploaded with corresponding build packages to fix this for Mageia7 in updates_testing.
Assignee: bruno => qa-bugs
Advisory:
========================

Updated docker packages fix security vulnerability:

It was discovered that Docker could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user's registry credentials (CVE-2020-15157).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
https://www.openwall.com/lists/oss-security/2020/10/15/1
https://ubuntu.com/security/notices/USN-4589-2
========================

Updated packages in core/updates_testing:
========================
docker-18.09.9-1.2.mga7
docker-devel-18.09.9-1.2.mga7
docker-fish-completion-18.09.9-1.2.mga7
docker-logrotate-18.09.9-1.2.mga7
docker-unit-test-18.09.9-1.2.mga7
docker-vim-18.09.9-1.2.mga7
docker-zsh-completion-18.09.9-1.2.mga7
docker-nano-18.09.9-1.2.mga7

from docker-18.09.9-1.2.mga7.src.rpm
CC: (none) => bruno
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Hope to get round to this soon.
CC: (none) => tarazed25
mga7, x86_64

Starting from 18.09.9.1-1 version
Updated all the packages.

$ rpm -qa | grep docker
docker-fish-completion-18.09.9-1.2.mga7
docker-vim-18.09.9-1.2.mga7
docker-devel-18.09.9-1.2.mga7
docker-18.09.9-1.2.mga7
docker-logrotate-18.09.9-1.2.mga7
docker-unit-test-18.09.9-1.2.mga7
docker-nano-18.09.9-1.2.mga7
docker-zsh-completion-18.09.9-1.2.mga7
docker-containerd-1.2.5-2.mga7

Followed procedure used in previous updates of docker based on notes from Bruno Cornec.
Added user to docker group. Logged out and in.

$ sudo systemctl start docker
Status check OK.

$ id
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),951(docker),955(wireshark)

$ docker version
Client:
 Version: 18.09.0-dev
 API version: 1.39
 Go version: go1.13.15
[...]
Server:
 Engine:
  Version: 18.09.9
....

$ docker run debian echo "Hello World"
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
e4c3d3e4f7b0: Pull complete
Digest: sha256:8414aa82208bc4c2761dc149df67e25c6b8a9380e5d8c4e7b5c84ca2d04bb244
Status: Downloaded newer image for debian:latest
Hello World

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Message from shell Debby in container debian"
Message from shell Debby in container debian
root@Debby:/# mv /bin /basket
root@Debby:/# date
bash: date: command not found
root@Debby:/# mv /basket /bin
bash: /bin/mv: No such file or directory
root@Debby:/# exit
exit

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr
root@Debby:/# date
Sat Nov 7 00:11:26 UTC 2020

From another terminal:

$ docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
7903a29613ec   debian   "/bin/bash"   2 minutes ago   Up 2 minutes           condescending_brown

[
    {
        "Id": "7903a29613ecfb9d6edfd6f9a386759eeb6fdecc962a105a05101e7210b7b1c7",
        "Created": "2020-11-07T00:10:58.508651438Z",
        "Path": "/bin/bash",
.....
Lots of information about the running instance.

Look at recent process history.

$ docker ps -a
CONTAINER ID   IMAGE    COMMAND                CREATED         STATUS                       PORTS   NAMES
7903a29613ec   debian   "/bin/bash"            6 minutes ago   Up 6 minutes                         condescending_brown
d9924dd8a48a   debian   "/bin/bash"            8 minutes ago   Exited (127) 7 minutes ago           tender_fermat
e49fa0abbb2f   debian   "echo 'Hello World'"   9 minutes ago   Exited (0) 9 minutes ago             eloquent_vaughan

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
0e03bdcc26d7: Pull complete
Digest: sha256:8c5aeeb6a5f3ba4883347d3747a7249f491766ca1caa47e5da5dfcf6b9b717c0
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
.................

$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED         SIZE
debian        latest   1510e8501783   3 weeks ago     114MB
hello-world   latest   bf756fb1ae65   10 months ago   13.3kB

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
ee7e89337106: Pull complete
Digest: sha256:b9ec86d36fca7b1d3de39cd7c258e8d90c377d312c21a7748071ce49069b8db4
Status: Downloaded newer image for fedora:latest

$ docker ps -a | grep fedora
$ docker run -ti fedora:latest /bin/bash
[root@60997345f921 /]# dnf install ruby
Fedora 33 openh264 (From Cisco) - x86_64    2.1 kB/s | 2.5 kB   00:01
Fedora Modular 33 - x86_64                  2.2 MB/s | 3.3 MB   00:01
Fedora Modular 33 - x86_64 - Updates        919 kB/s | 1.0 MB   00:01
Fedora 33 - x86_64 - Updates                1.8 MB/s |  11 MB   00:06
Fedora 33 - x86_64                          8.7 MB/s |  72 MB   00:08
Dependencies resolved.
================================================================================
 Package      Architecture   Version           Repository   Size
================================================================================
Installing:
 ruby         x86_64         2.7.2-135.fc33    updates       41 k
Installing dependencies:
 ruby-libs    x86_64         2.7.2-135.fc33    updates      3.2 M
[...]
 rubygems     noarch         3.0.3-125.fc31    updates      245 k

Transaction Summary
================================================================================
Install  12 Packages

Total download size: 4.1 M
Installed size: 15 M
Is this ok [y/N]: y
[...]
Installed:
  ruby-2.7.2-135.fc33.x86_64
  ruby-default-gems-2.7.2-135.fc33.noarch
  ruby-libs-2.7.2-135.fc33.x86_64
[...]
Complete!
[root@60997345f921 /]# irb
irb(main):001:0> 1.upto( 16 ).inject( :+ )
=> 136
irb(main):002:0> exit
[root@60997345f921 /]# dnf install tcsh
Last metadata expiration check: 0:05:14 ago on Sat Nov 7 00:25:06 2020.
Dependencies resolved.
[...]
Complete!
[root@60997345f921 /]# exit

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND                CREATED          STATUS                        PORTS   NAMES
60997345f921   fedora:latest   "/bin/bash"            9 minutes ago    Exited (0) 21 seconds ago             keen_euler
1f5c09fe35ff   hello-world     "/hello"               13 minutes ago   Exited (0) 13 minutes ago             pedantic_johnson
7903a29613ec   debian          "/bin/bash"            22 minutes ago   Up 22 minutes                         condescending_brown
d9924dd8a48a   debian          "/bin/bash"            24 minutes ago   Exited (127) 22 minutes ago           tender_fermat
e49fa0abbb2f   debian          "echo 'Hello World'"   24 minutes ago   Exited (0) 24 minutes ago             eloquent_vaughan

$ docker run -it --name cowsay --hostname cowsay debian bash
root@cowsay:/# apt-get update
[...]
Fetched 8397 kB in 2s (4717 kB/s)
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
[...]
Processing triggers for libc-bin (2.28-10) ...
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ______________________________________
/ A tall, dark stranger will have more \
\ fun than you.                        /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ______________________________________
/ You are a fluke of the universe; you \
\ have no right to be here.            /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
<Used up arrow to repeat the command.>
root@cowsay:/# exit

Passing this on the basis that the installation succeeded and the bash shell and basic commands all work as expected.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0406.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED