Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2021-1 Final 1 1 2019-08-29T16:21:56Z current 2019-08-29T16:21:56Z 2019-08-29T16:21:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker: - CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409). - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160). - Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649). runc: - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920). - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649). containerd: - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967). - Update to containerd v1.2.6, which is required by docker (bsc#1139649). golang-github-docker-libnetwork: - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2021 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK/#22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK E-Mail link for openSUSE-SU-2019:2021-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1100331 SUSE Bug 1100331 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1138920 SUSE Bug 1138920 https://bugzilla.suse.com/1139649 SUSE Bug 1139649 https://bugzilla.suse.com/1142160 SUSE Bug 1142160 https://bugzilla.suse.com/1142413 SUSE Bug 1142413 https://bugzilla.suse.com/1143409 SUSE Bug 1143409 https://www.suse.com/security/cve/CVE-2018-10892/ SUSE CVE CVE-2018-10892 page https://www.suse.com/security/cve/CVE-2019-13509/ SUSE CVE CVE-2019-13509 page https://www.suse.com/security/cve/CVE-2019-14271/ SUSE CVE CVE-2019-14271 page https://www.suse.com/security/cve/CVE-2019-5736/ SUSE CVE CVE-2019-5736 page openSUSE Leap 15.0 openSUSE Leap 15.1 containerd-1.2.6-lp151.2.6.1 containerd-ctr-1.2.6-lp151.2.6.1 docker-19.03.1_ce-lp151.2.12.1 docker-bash-completion-19.03.1_ce-lp151.2.12.1 docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 docker-test-19.03.1_ce-lp151.2.12.1 docker-zsh-completion-19.03.1_ce-lp151.2.12.1 golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 containerd-1.2.6-lp151.2.6.1 as a component of openSUSE Leap 15.0 containerd-ctr-1.2.6-lp151.2.6.1 as a component of openSUSE Leap 15.0 docker-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.0 docker-bash-completion-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.0 docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 as a component of openSUSE Leap 15.0 docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 as a component of openSUSE Leap 15.0 docker-test-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.0 docker-zsh-completion-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.0 golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 as a component of openSUSE Leap 15.0 containerd-1.2.6-lp151.2.6.1 as a component of openSUSE Leap 15.1 containerd-ctr-1.2.6-lp151.2.6.1 as a component of openSUSE Leap 15.1 docker-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.1 docker-bash-completion-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.1 docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 as a component of openSUSE Leap 15.1 docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 as a component of openSUSE Leap 15.1 docker-test-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.1 docker-zsh-completion-19.03.1_ce-lp151.2.12.1 as a component of openSUSE Leap 15.1 golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 as a component of openSUSE Leap 15.1 The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. CVE-2018-10892 openSUSE Leap 15.0:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.0:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.0:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.1:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK/#22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK https://www.suse.com/security/cve/CVE-2018-10892.html CVE-2018-10892 https://bugzilla.suse.com/1100331 SUSE Bug 1100331 https://bugzilla.suse.com/1100838 SUSE Bug 1100838 In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. CVE-2019-13509 openSUSE Leap 15.0:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.0:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.0:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.1:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK/#22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK https://www.suse.com/security/cve/CVE-2019-13509.html CVE-2019-13509 https://bugzilla.suse.com/1142160 SUSE Bug 1142160 In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. CVE-2019-14271 openSUSE Leap 15.0:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.0:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.0:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.1:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK/#22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK https://www.suse.com/security/cve/CVE-2019-14271.html CVE-2019-14271 https://bugzilla.suse.com/1143409 SUSE Bug 1143409 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVE-2019-5736 openSUSE Leap 15.0:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.0:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.0:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.0:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.0:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:containerd-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:containerd-ctr-1.2.6-lp151.2.6.1 openSUSE Leap 15.1:docker-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-bash-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 openSUSE Leap 15.1:docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1 openSUSE Leap 15.1:docker-test-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:docker-zsh-completion-19.03.1_ce-lp151.2.12.1 openSUSE Leap 15.1:golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK/#22XH5BZGCHAOESP2KM3ZT4XHBXIVMEZK https://www.suse.com/security/cve/CVE-2019-5736.html CVE-2019-5736 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1122185 SUSE Bug 1122185 https://bugzilla.suse.com/1173421 SUSE Bug 1173421 https://bugzilla.suse.com/1218894 SUSE Bug 1218894