Docker 20.10.9 has been released today (October 4), fixing security issues:
https://docs.docker.com/engine/release-notes/#20109
Two of the issues are in the Moby engine:
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558
The last update we made to Docker 20.x is missing from Cauldron for some reason, but obviously it needs to be updated. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 20.10.9
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for one of these issues on October 4: https://ubuntu.com/security/notices/USN-5103-1
Assigning to the registered maintainer
CC: (none) => marja11
Assignee: bugsquad => bruno
docker 20.10.9 pushed to cauldron
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
SUSE has issued an advisory for this today (October 12): https://lists.suse.com/pipermail/sle-security-updates/2021-October/009566.html
docker 20.10.9 pushed to mga8 updates_testing
Assignee: bruno => qa-bugs
docker-fish-completion-20.10.9-1.mga8
docker-nano-20.10.9-1.mga8
docker-zsh-completion-20.10.9-1.mga8
docker-logrotate-20.10.9-1.mga8
docker-20.10.9-1.mga8
docker-devel-20.10.9-1.mga8
from docker-20.10.9-1.mga8.src.rpm
Status comment: Fixed upstream in 20.10.9 => (none)
CC: (none) => bruno
mga8, x64
Installed missing packages before updating.
# rpm -qa | grep docker
docker-containerd-1.5.7-1.mga8
docker-fish-completion-20.10.5-1.mga8
docker-zsh-completion-20.10.5-1.mga8
docker-logrotate-20.10.5-1.mga8
docker-nano-20.10.5-1.mga8
docker-20.10.5-1.mga8
docker-devel would not install.
# urpmi docker-devel
A requested package cannot be installed:
docker-devel-20.10.5-1.mga8.x86_64 (due to unsatisfied golang-ipath())
Continuing, but please note the failure.
After updates docker-devel was missing.
$ rpm -qa | grep docker
docker-20.10.9-1.mga8
docker-containerd-1.5.7-1.mga8
docker-zsh-completion-20.10.9-1.mga8
docker-fish-completion-20.10.9-1.mga8
docker-nano-20.10.9-1.mga8
$ sudo systemctl restart docker
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
..............
Repeated tests similar to those on bug 29268, ignoring the moby fixes - no idea how to check those.
Removed several old images.
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED         STATUS                     PORTS   NAMES
5b03ae090d6e   hello-world     "/hello"      7 minutes ago   Exited (0) 7 minutes ago           agitated_kilby
c91b7bc8d5b2   fedora:latest   "bash"        3 hours ago     Exited (0) 3 hours ago             reverent_black
8be0163b7586   fedora:latest   "/bin/bash"   3 hours ago     Exited (0) 3 hours ago             nostalgic_hamilton
7a590701f872   ubuntu          "bash"        3 hours ago     Exited (0) 3 hours ago             beautiful_jepsen
4a976d45fb97   hello-world     "/hello"      3 hours ago     Exited (0) 3 hours ago             stupefied_blackburn
$ docker run -it fedora:latest zsh
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "zsh": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled
$ docker run -it fedora:latest bash
[root@61f76f4e329d /]# apt-get zsh
bash: apt-get: command not found
[root@61f76f4e329d /]# dnf install zsh
Fedora 34 - x86_64                         8.4 MB/s |  74 MB     00:08
Fedora 34 openh264 (From Cisco) - x86_64   1.8 kB/s | 2.5 kB     00:01
................
[root@61f76f4e329d /]# zsh
[root@61f76f4e329d]/# ls -l lib64/libz<Tab>zstd<Tab>.so.1
libz.so.1@ libz.so.1.2.11* libzck.so.1@ libzck.so.1.1.15* libzstd.so.1@ libzstd.so.1.5.0*
lrwxrwxrwx 1 root root 16 May 16 20:01 lib64/libzstd.so.1 -> libzstd.so.1.5.0
[root@61f76f4e329d]/# exit
[root@61f76f4e329d /]# dnf install fish
......................
[root@61f76f4e329d /]# fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
<Everything in fish is colour coded>
<In the following line libsmart was automatically extended to libsmartcols.so.1 which was a complete softlink but tabbing presented alternative completions>
root@61f76f4e329d /# ls -l lib64/libsmartcols.so.1
…cols.so.1 …cols.so.1.1.0
<Typing . Tab completed the name>
-rwxr-xr-x 1 root root 107472 Feb 12 2021 lib64/libsmartcols.so.1.1.0
root@61f76f4e329d /# exit
[root@61f76f4e329d /]# dnf install nano
...................
[root@61f76f4e329d /]# nano
<It launches in the terminal>
^X
[root@61f76f4e329d /]# exit
In retrospect it strikes me that these last three tests may have been a waste of time. Do we need a Mageia image with all the trimmings? I cannot see the connection between the updates and the dnf installed applications. Building such an image is way beyond my capabilities and the devel package is probably a necessity. Apart from that docker is running smoothly at a simplistic level. Would appreciate some guidance.
CC: (none) => tarazed25
There seems to be a Mageia image.
$ docker run mageia:latest
Unable to find image 'mageia:latest' locally
latest: Pulling from library/mageia
2b7a6260b5e1: Pull complete
Digest: sha256:ee8deeb5ab22773a38ee147c98127b2faa5edc72272beef5d497db44c4fda658
Status: Downloaded newer image for mageia:latest
Is it usable in this testing context?
zsh and fish installed in the mageia container. Go ahead with the tests?
Bruno, please see the dependency issue in Comment 7. Things like this, and Len's other questions are why you need to leave yourself in CC when assigning to QA.
Keywords: (none) => feedback
Thanks Dave. @Bruno. Been trying to work this out. If the docker-*-completion modules are extensions to the docker service then they would likely be os agnostic. In which case the earlier tests with the fedora image are valid. That just leaves the devel package dependency problem.
Ping! I am pretty confident that the shell completion plugins are supposed to work with any distribution so these packages are all OK except for development.
Fedora has issued an advisory for this today (October 19): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ Bruno, we still need to address the dependency issue in Comment 7.
Sorry, was pretty busy these last days, will look at it today
The problem is that this dependency is not an explicit one in the .spec, but something computed:
PECS/log.%{origname}:Requires: go-filesystem golang-ipath() libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.32)(64bit) libdevmapper.so.1.02()(64bit) libdevmapper.so.1.02(Base)(64bit) libdevmapper.so.1.02(DM_1_02_97)(64bit) libdl.so.2()(64bit) libdl.so.2(GLIBC_2.2.5)(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit) libpthread.so.0(GLIBC_2.3.2)(64bit) libsystemd.so.0()(64bit) libsystemd.so.0(LIBSYSTEMD_209)(64bit)
And I have no idea how to fix that, sorry :-(
If it's a legitimate dependency, you need to import the package that provides it. If it's not, you need to either do a _requires_exclude on the generated dependency or a _requires_exclude_from_file on the file where that dependency is coming from.
Sorry, I'm not a Go programmer, and really can't be sure. If I look in the code I do not find a reference for any ipath call, so I wonder why it's required. So I'll exclude it for now, hoping it's not a mistake.
Not much on the web either. Reading https://fedora.pkgs.org/33/fedora-x86_64/golang-github-docker-compose-on-kubernetes-cmd-controller-devel-0.4.25-2.alpha1.fc33.noarch.rpm.html might indicate that golang-ipath is used in special circumstances so maybe we should just ignore it.
Well we can't just ignore it if it's not installable, but any solution that fixes that should be fine, especially as I don't believe anything requires (or BRs) docker-devel.
Yes, I was agreeing that excluding golang-ipath seemed like a good idea. Tried installing golang-opencensus-devel which pulled in 48 packages but still no golang-ipath.
Still failing on golang-ipath. Is the excluded version available yet?
It wasn't, as I wanted feedback. I'm just pushing it to updates_testing (and updated cauldron as well).
Thanks Bruno. Waiting for mirrors to sync.
mirrorservice has not caught up with the whole set but these installed without a problem:
docker-20.10.9-3.mga8
docker-devel-20.10.9-3.mga8
Presumably the other packages will not have been affected apart from the new labels so do we have to re-test them? Simply re-installing them should be sufficient?
All packages updated.
docker-fish-completion-20.10.9-3.mga8
docker-zsh-completion-20.10.9-3.mga8
docker-nano-20.10.9-3.mga8
docker-20.10.9-3.mga8
docker-devel-20.10.9-3.mga8
docker-logrotate-20.10.9-3.mga8
docker restarted and running.
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED      STATUS                    PORTS   NAMES
57e1e97459b9   mageia:latest   "bash"        8 days ago   Exited (1) 44 hours ago           youthful_shannon
88f8321c5926   mageia:latest   "zsh"         8 days ago   Created                           awesome_easley
73cb1a30bba0   mageia:latest   "/bin/bash"   8 days ago   Exited (0) 8 days ago             funny_allen
61f76f4e329d   fedora:latest   "bash"        8 days ago   Exited (0) 8 days ago             funny_cori
.............
Whiteboard: (none) => MGA8-64-OK
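A scripted form of the before/after package check done by hand in the QA comments above, as an added example that is not part of the original report: it reports, for each binary package built from the docker source RPM, whether it is at the fixed version 20.10.9, older, or missing. The function names and verdict labels are assumptions of this example, the two sample listings are copied from the comments, and a `sort` that supports `-V` is assumed.

```shell
#!/bin/sh
# Added example: audit an `rpm -qa | grep docker` listing against the fixed version.
FIXED="20.10.9"   # fixed upstream version named in this report
# Binary packages built from the docker source RPM, as listed in the report.
EXPECTED="docker docker-devel docker-fish-completion docker-zsh-completion docker-nano docker-logrotate"

# Listings copied from the QA comments: before the update, and after the -3 rebuild.
BEFORE='docker-containerd-1.5.7-1.mga8
docker-fish-completion-20.10.5-1.mga8
docker-zsh-completion-20.10.5-1.mga8
docker-logrotate-20.10.5-1.mga8
docker-nano-20.10.5-1.mga8
docker-20.10.5-1.mga8'
FINAL='docker-fish-completion-20.10.9-3.mga8
docker-zsh-completion-20.10.9-3.mga8
docker-nano-20.10.9-3.mga8
docker-20.10.9-3.mga8
docker-devel-20.10.9-3.mga8
docker-logrotate-20.10.9-3.mga8'

# version_lt A B: succeeds when A is strictly older than B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_docker_pkgs: read name-version-release lines on stdin and print one
# verdict per expected package: OK, OLD (below FIXED) or MISSING.
audit_docker_pkgs() {
    listing=$(cat)
    for pkg in $EXPECTED; do
        found=""
        while IFS= read -r nvr; do
            nv=${nvr%-*}                          # strip the release field
            [ "${nv%-*}" = "$pkg" ] || continue   # exact name match only
            found=${nv##*-}                       # version field
        done <<EOF
$listing
EOF
        if [ -z "$found" ]; then echo "MISSING $pkg"
        elif version_lt "$found" "$FIXED"; then echo "OLD $pkg $found"
        else echo "OK $pkg $found"
        fi
    done
}

echo "== before update ==";    printf '%s\n' "$BEFORE" | audit_docker_pkgs
echo "== after -3 rebuild =="; printf '%s\n' "$FINAL" | audit_docker_pkgs
```

On a live Mageia 8 host the same function can be fed with `rpm -qa | grep docker | audit_docker_pkgs`; docker-containerd is ignored because it is built from a different source package.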
OK to remove feedback?
Keywords: feedback => (none)
Yes indeed.
Seems good to go, no?
Yes, I would say so.
Thank you, Gentlemen. Validating. Bruno, it would be a big help if you could write a suggested advisory, putting all this information together.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Still need an advisory. See bug 29582, comment 2 for an example of what's expected to be provided to qa. The list of packages is included to ensure we know what to test. The list of issues (cve and bug fixes) so we know what to look for having been changed by the update.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0500.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED