Security update for lxc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2245-1 Final 1 1 2019-10-03T10:23:09Z current 2019-10-03T10:23:09Z 2019-10-03T10:23:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lxc This update for lxc fixes the following issues: Update to lxc 3.2.1. The changelog can be found at https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322 + seccomp: support syscall forwarding to userspace + add lxc.seccomp.allow_nesting + pidfd: Add initial support for the new pidfd api * Many hardening improvements. * Use /sys/kernel/cgroup/delegate file for cgroup v2. * Fix CVE-2019-5736 equivalent bug. - fix apparmor dropin to be compatible with LXC 3.1.0 (boo#1131762) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2245 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZEKPXAULRUSJYU4B66UDTT35NKPZHFT6/#ZEKPXAULRUSJYU4B66UDTT35NKPZHFT6 E-Mail link for openSUSE-SU-2019:2245-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1131762 SUSE Bug 1131762 https://www.suse.com/security/cve/CVE-2019-5736/ SUSE CVE CVE-2019-5736 page openSUSE Leap 15.1 liblxc-devel-3.2.1-lp151.4.5.1 liblxc1-3.2.1-lp151.4.5.1 lxc-3.2.1-lp151.4.5.1 lxc-bash-completion-3.2.1-lp151.4.5.1 pam_cgfs-3.2.1-lp151.4.5.1 liblxc-devel-3.2.1-lp151.4.5.1 as a component of openSUSE Leap 15.1 liblxc1-3.2.1-lp151.4.5.1 as a component of openSUSE Leap 15.1 lxc-3.2.1-lp151.4.5.1 as a component of openSUSE Leap 15.1 lxc-bash-completion-3.2.1-lp151.4.5.1 as a component of openSUSE Leap 15.1 pam_cgfs-3.2.1-lp151.4.5.1 as a component of openSUSE Leap 15.1 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVE-2019-5736 openSUSE Leap 15.1:liblxc-devel-3.2.1-lp151.4.5.1 openSUSE Leap 15.1:liblxc1-3.2.1-lp151.4.5.1 openSUSE Leap 15.1:lxc-3.2.1-lp151.4.5.1 openSUSE Leap 15.1:lxc-bash-completion-3.2.1-lp151.4.5.1 openSUSE Leap 15.1:pam_cgfs-3.2.1-lp151.4.5.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZEKPXAULRUSJYU4B66UDTT35NKPZHFT6/#ZEKPXAULRUSJYU4B66UDTT35NKPZHFT6 https://www.suse.com/security/cve/CVE-2019-5736.html CVE-2019-5736 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1122185 SUSE Bug 1122185 https://bugzilla.suse.com/1173421 SUSE Bug 1173421 https://bugzilla.suse.com/1218894 SUSE Bug 1218894