Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Ausführen von Code mit höheren Privilegien in Docker
Aktuelle Meldungen Distributionen
Name: Ausführen von Code mit höheren Privilegien in Docker
ID: RHSA-2017:0116-01
Distribution: Red Hat
Plattformen: Red Hat Enterprise Linux Extras
Datum: Mi, 18. Januar 2017, 10:47
Referenzen: https://access.redhat.com/security/cve/CVE-2016-9962
https://access.redhat.com/security/vulnerabilities/cve-2016-9962

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: docker security, bug fix, and enhancement update
Advisory ID: RHSA-2017:0116-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0116.html
Issue date: 2017-01-17
CVE Names: CVE-2016-9962
=====================================================================

1. Summary:

An update for docker is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - x86_64

3. Description:

Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will
run virtually anywhere.

The following packages have been upgraded to a newer upstream version:
docker (1.12.5). (BZ#1404298)

Security Fix(es):

* The runc component used by `docker exec` feature of docker allowed
additional container processes via to be ptraced by the pid 1 of the
container. This allows the main processes of the container, if running as
root, to gain low-level access to these new processes during
initialization. An attacker can, depending on the nature of the incoming
process, leverage this to elevate access to the host. This ranges from
accessing host content through the file descriptors of the incoming process
to, potentially, a complete container escape by leveraging memory access or
syscall interception. (CVE-2016-9962)

Red Hat would like to thank the Docker project for reporting this issue.
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the
original reporters.

Bug Fix(es):

* The docker containers and images did not read proxy variables from the
environment when contacting registries. As a consequence, a user could not
pull image when the system was configured to use a proxy. The containers
and images have been fixed to read proxy variables from the environment,
and pulling images now from a system with a proxy works correctly.
(BZ#1393816)

* Occasionally the docker-storage-setup service could start before a thin
pool is ready which caused it to failed. As a consequence, the docker
daemon also failed. This bug has been fixed and now docker-storage-setup
waits for a thin pool to be created for 60 seconds. This default time can
be configured. As a result, docker and docker-storage-setup start correctly
upon reboot. (BZ#1316786)

* Previously, the docker daemon's unit file was not supplying the userspace
proxy path. As a consequence, containers that exposed ports could not be
started. To fix this bug, the unit file was updated to include the
userspace proxy path option to the daemon start command, along with several
other minor packaging fixes. As a result, containers that expose ports can
now be started as expected. (BZ#1406460)

* Previously, the system CA (Certificate Authority) pool was excluded when
the registry CA is used from the /etc/docker/certs.d/ directory. As a
consequence, pulling images failed with the following error:

Failed to push image: x509: certificate signed by unknown authority

This bug has been fixed and docker now reads the system CA pool correctly
and pulling images now work correctly. (BZ#1400372)

* Previously, the docker daemon option did not handle correctly the
"--block-registry docker.io" option. As a consequence, docker allowed
pulling images from docker.io even when the "--block-registry
docker.io"
option was enabled. This update fixed the handling of the option, and now
using "--block-registry docker.io" correctly blocks image pulling.
(BZ#1395401)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1316786 - Docker can activate storage before LVM is ready, causing "Failed
to start Docker Application Container Engine."
1341760 - docker should require package subscription-manager-plugin-container,
not subscription-manager
1346206 - docker command overwrites DOCKER_CERT_PATH variable
1360195 - docker module at lower priority 100 with module at priority 400 when
update and downgrade
1364238 - docker-1.12 regression: inconsistent exit codes in command-line flag
processing
1373952 - [extras-rhel-7.3.0] selinux issues prevent docker.service from
starting
1385924 - docker run --cgroup-parent : unexpected result for pid
1388585 - yum update to Red Hat docker 1.12 omits docker-storage
EnvironmentFile entry from systemd unit
1389442 - docker-1.12 can not pull image:tag from
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
1393816 - [1.12.3]docker didn't work behind proxy
1395401 - block-registry does not work for docker.io with docker 1.10
1399398 - Error starting daemon: Error initializing network controller: Error
creating default \"bridge\" network: cannot create network docker0
1400228 - Ability to disable subscription-manager-into-containers host-wide
1400372 - System CA pool excluded when registry CA is used from /etc/docker
1403264 - systemctl start docker for docker-1.12.3-10.el7.x86_64 fails to start
1403270 - Upgrade to RHEL Atomic 7.3.1 breaks the sshd authentication via SSSD
1403370 - failed to install selinux policies from containers-selinux when
installing docker 1.12
1403843 - Installing container-selinux-1.12.3-10.el7.x86_64 produces errors
1404298 - [extras-rhel-7.3.2] rebase docker to v1.12.4 + projectatomic patches
1404372 - docker-1.12: exec: "docker-proxy": executable file not found
in $PATH.
1405306 - docker run with parameter "--privileged" get failed
1405464 - docker panic trying to 'atomic install' the openscap
container
1405888 - container-selinux breaks anytime selinux-policy-targeted is updated
1405989 - Attempt to install latest docker fails due to /libexecdir/docker/sh
dependency
1406446 - Default to no signatures verification in docker
1409531 - CVE-2016-9962 docker: insecure opening of file-descriptor allows
privilege escalation
1410434 - Docker 1.12.5 and OpenShift 3.4.0.38 : Frequent unexpected EOF
during push causing build failures
1412385 - [extras-rhel-7.3.2] selinux issues

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.12.5-14.el7.src.rpm

x86_64:
container-selinux-1.12.5-14.el7.x86_64.rpm
docker-1.12.5-14.el7.x86_64.rpm
docker-client-1.12.5-14.el7.x86_64.rpm
docker-common-1.12.5-14.el7.x86_64.rpm
docker-logrotate-1.12.5-14.el7.x86_64.rpm
docker-lvm-plugin-1.12.5-14.el7.x86_64.rpm
docker-novolume-plugin-1.12.5-14.el7.x86_64.rpm
docker-rhel-push-plugin-1.12.5-14.el7.x86_64.rpm
docker-v1.10-migrator-1.12.5-14.el7.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.12.5-14.el7.src.rpm

x86_64:
container-selinux-1.12.5-14.el7.x86_64.rpm
docker-1.12.5-14.el7.x86_64.rpm
docker-client-1.12.5-14.el7.x86_64.rpm
docker-common-1.12.5-14.el7.x86_64.rpm
docker-logrotate-1.12.5-14.el7.x86_64.rpm
docker-lvm-plugin-1.12.5-14.el7.x86_64.rpm
docker-novolume-plugin-1.12.5-14.el7.x86_64.rpm
docker-rhel-push-plugin-1.12.5-14.el7.x86_64.rpm
docker-v1.10-migrator-1.12.5-14.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9962
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/security/vulnerabilities/cve-2016-9962

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYfyEUXlSAg2UNWIIRApDXAKCRBiBH+9wKesI08XZoIVTvu7DEdwCeNzMQ
IhQpU3X4wDJ68mkUTHh70KA=
=mDIf
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung