Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2119-1 Final 1 1 2019-08-13T12:58:40Z current 2019-08-13T12:58:40Z 2019-08-13T12:58:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker: - CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409). - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160). - Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413). golang-github-docker-libnetwork: - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-Basic-On-Demand-2019-2119,Image SLES12-SP5-Azure-Standard-On-Demand-2019-2119,Image SLES12-SP5-EC2-ECS-On-Demand-2019-2119,Image SLES12-SP5-EC2-On-Demand-2019-2119,Image SLES12-SP5-GCE-On-Demand-2019-2119,SUSE-2019-2119,SUSE-OpenStack-Cloud-6-LTSS-2019-2119,SUSE-SLE-Module-Containers-12-2019-2119 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192119-1/ Link for SUSE-SU-2019:2119-1 https://lists.suse.com/pipermail/sle-security-updates/2019-August/005814.html E-Mail link for SUSE-SU-2019:2119-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1100331 SUSE Bug 1100331 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1142160 SUSE Bug 1142160 https://bugzilla.suse.com/1142413 SUSE Bug 1142413 https://bugzilla.suse.com/1143409 SUSE Bug 1143409 https://www.suse.com/security/cve/CVE-2018-10892/ SUSE CVE CVE-2018-10892 page https://www.suse.com/security/cve/CVE-2019-13509/ SUSE CVE CVE-2019-13509 page https://www.suse.com/security/cve/CVE-2019-14271/ SUSE CVE CVE-2019-14271 page https://www.suse.com/security/cve/CVE-2019-5736/ SUSE CVE CVE-2019-5736 page Image SLES12-SP5-Azure-Basic-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-On-Demand SUSE Linux Enterprise Module for Containers 12 SUSE OpenStack Cloud 6-LTSS containerd-1.2.6-16.23.1 docker-19.03.1_ce-98.46.1 containerd-ctr-1.2.6-16.23.1 containerd-kubic-1.2.6-16.23.1 containerd-kubic-ctr-1.2.6-16.23.1 docker-bash-completion-19.03.1_ce-98.46.1 docker-kubic-19.03.1_ce-98.46.1 docker-kubic-bash-completion-19.03.1_ce-98.46.1 docker-kubic-kubeadm-criconfig-19.03.1_ce-98.46.1 docker-kubic-test-19.03.1_ce-98.46.1 docker-kubic-zsh-completion-19.03.1_ce-98.46.1 docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 docker-test-19.03.1_ce-98.46.1 docker-zsh-completion-19.03.1_ce-98.46.1 golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 containerd-1.2.6-16.23.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand docker-19.03.1_ce-98.46.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand containerd-1.2.6-16.23.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand docker-19.03.1_ce-98.46.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand containerd-1.2.6-16.23.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand docker-19.03.1_ce-98.46.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand containerd-1.2.6-16.23.1 as a component of Image SLES12-SP5-EC2-On-Demand docker-19.03.1_ce-98.46.1 as a component of Image SLES12-SP5-EC2-On-Demand containerd-1.2.6-16.23.1 as a component of Image SLES12-SP5-GCE-On-Demand docker-19.03.1_ce-98.46.1 as a component of Image SLES12-SP5-GCE-On-Demand containerd-1.2.6-16.23.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-19.03.1_ce-98.46.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 as a component of SUSE Linux Enterprise Module for Containers 12 containerd-1.2.6-16.23.1 as a component of SUSE OpenStack Cloud 6-LTSS docker-19.03.1_ce-98.46.1 as a component of SUSE OpenStack Cloud 6-LTSS docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 as a component of SUSE OpenStack Cloud 6-LTSS docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 as a component of SUSE OpenStack Cloud 6-LTSS The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. CVE-2018-10892 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-GCE-On-Demand:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.2.6-16.23.1 SUSE Linux Enterprise Module for Containers 12:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 SUSE OpenStack Cloud 6-LTSS:containerd-1.2.6-16.23.1 SUSE OpenStack Cloud 6-LTSS:docker-19.03.1_ce-98.46.1 SUSE OpenStack Cloud 6-LTSS:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE OpenStack Cloud 6-LTSS:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 6.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192119-1/ https://www.suse.com/security/cve/CVE-2018-10892.html CVE-2018-10892 https://bugzilla.suse.com/1100331 SUSE Bug 1100331 https://bugzilla.suse.com/1100838 SUSE Bug 1100838 In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. CVE-2019-13509 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-GCE-On-Demand:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.2.6-16.23.1 SUSE Linux Enterprise Module for Containers 12:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 SUSE OpenStack Cloud 6-LTSS:containerd-1.2.6-16.23.1 SUSE OpenStack Cloud 6-LTSS:docker-19.03.1_ce-98.46.1 SUSE OpenStack Cloud 6-LTSS:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE OpenStack Cloud 6-LTSS:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192119-1/ https://www.suse.com/security/cve/CVE-2019-13509.html CVE-2019-13509 https://bugzilla.suse.com/1142160 SUSE Bug 1142160 In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. CVE-2019-14271 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-GCE-On-Demand:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.2.6-16.23.1 SUSE Linux Enterprise Module for Containers 12:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 SUSE OpenStack Cloud 6-LTSS:containerd-1.2.6-16.23.1 SUSE OpenStack Cloud 6-LTSS:docker-19.03.1_ce-98.46.1 SUSE OpenStack Cloud 6-LTSS:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE OpenStack Cloud 6-LTSS:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192119-1/ https://www.suse.com/security/cve/CVE-2019-14271.html CVE-2019-14271 https://bugzilla.suse.com/1143409 SUSE Bug 1143409 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVE-2019-5736 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-EC2-On-Demand:docker-19.03.1_ce-98.46.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.2.6-16.23.1 Image SLES12-SP5-GCE-On-Demand:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.2.6-16.23.1 SUSE Linux Enterprise Module for Containers 12:docker-19.03.1_ce-98.46.1 SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 SUSE OpenStack Cloud 6-LTSS:containerd-1.2.6-16.23.1 SUSE OpenStack Cloud 6-LTSS:docker-19.03.1_ce-98.46.1 SUSE OpenStack Cloud 6-LTSS:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1 SUSE OpenStack Cloud 6-LTSS:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192119-1/ https://www.suse.com/security/cve/CVE-2019-5736.html CVE-2019-5736 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1122185 SUSE Bug 1122185 https://bugzilla.suse.com/1173421 SUSE Bug 1173421 https://bugzilla.suse.com/1218894 SUSE Bug 1218894