openSUSE Security Update: Security update for docker
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:2073-1
Rating:             moderate
References:         #949660 #954737 #954812
Cross-References:   CVE-2014-8178 CVE-2014-8179
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata
   is now available.

Description:

   Docker was updated to version 1.9.0, bringing features and bugfixes
   (bnc#954812):

   * Runtime:
     - `docker stats` now returns block IO metrics (#15005)
     - `docker stats` now details network stats per interface (#15786)
     - Add `ancestor=<image>` filter to `docker ps --filter` to filter
       containers based on their ancestor images (#14570)
     - Add `label=<somelabel>` filter to `docker ps --filter` to filter
       containers based on label (#16530)
     - Add `--kernel-memory` flag to `docker run` (#14006)
     - Add `--message` flag to `docker import`, allowing an optional message
       to be specified (#15711)
     - Add `--privileged` flag to `docker exec` (#14113)
     - Add `--stop-signal` flag to `docker run`, allowing the signal used to
       stop the container process to be replaced (#15307)
     - Add a new `unless-stopped` restart policy (#15348)
     - Inspecting an image now returns tags (#13185)
     - Add container size information to `docker inspect` (#15796)
     - Add `RepoTags` and `RepoDigests` fields to `/images/{name:.*}/json`
       (#17275)
     - Remove the deprecated `/container/ps` endpoint from the API (#15972)
     - Send and document correct HTTP codes for `/exec/<name>/start` (#16250)
     - Share shm and mqueue between containers sharing an IPC namespace
       (#15862)
     - Event stream now shows OOM status when `--oom-kill-disable` is set
       (#16235)
     - Ensure special network files (/etc/hosts etc.) are read-only if
       bind-mounted with the `ro` option (#14965)
     - Improve `rmi` performance (#16890)
     - Do not update /etc/hosts for the default bridge network, except for
       links (#17325)
     - Fix conflict with duplicate container names (#17389)
     - Fix an issue with incorrect template execution in `docker inspect`
       (#17284)
     - DEPRECATE the `-c` short flag variant for `--cpu-shares` in
       `docker run` (#16271)

   * Client:
     - Allow `docker import` to import from local files (#11907)

   * Builder:
     - Add a `STOPSIGNAL` Dockerfile instruction, allowing a different stop
       signal to be set for the container process (#15307)
     - Add an `ARG` Dockerfile instruction and a `--build-arg` flag to
       `docker build` that allow build-time environment variables to be
       added (#15182)
     - Improve cache miss performance (#16890)

   * Storage:
     - devicemapper: Implement deferred deletion capability (#16381)

   * Networking:
     - `docker network` exits experimental and is part of the standard
       release (#16645)
     - New network top-level concept, with associated subcommands and API
       (#16645). WARNING: the API is different from the experimental API.
     - Support for multiple isolated/micro-segmented networks (#16645)
     - Built-in multihost networking using a VXLAN-based overlay driver
       (#14071)
     - Support for third-party network plugins (#13424)
     - Ability to dynamically connect containers to multiple networks
       (#16645)
     - Support for user-defined IP address management via pluggable IPAM
       drivers (#16910)
     - Add daemon flags `--cluster-store` and `--cluster-advertise` for
       built-in node discovery (#16229)
     - Add `--cluster-store-opt` for setting up TLS settings (#16644)
     - Add `--dns-opt` to the daemon (#16031)
     - DEPRECATE the following container `NetworkSettings` fields in API
       v1.21: `EndpointID`, `Gateway`, `GlobalIPv6Address`,
       `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and
       `MacAddress`. Those are now specific to the `bridge` network. Use
       `NetworkSettings.Networks` to inspect the networking settings of a
       container per network.

   * Volumes:
     - New top-level `volume` subcommand and API (#14242)
     - Move API volume driver settings to host-specific config (#15798)
     - Print an error message if a volume name is not unique (#16009)
     - Ensure volumes created from Dockerfiles always use the local volume
       driver (#15507)
     - DEPRECATE auto-creating missing host paths for bind mounts (#16349)

   * Logging:
     - Add `awslogs` logging driver for Amazon CloudWatch (#15495)
     - Add generic `tag` log option to allow customizing the container/image
       information passed to the driver (e.g. show container names) (#15384)
     - Implement the `docker logs` endpoint for the journald driver (#13707)
     - DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384)

   * Distribution:
     - `docker search` now works with partial names (#16509)
     - Push optimization: avoid buffering to file (#15493)
     - The daemon will display progress for images that were already being
       pulled by another client (#15489)
     - Only the permissions required for the current action being performed
       are requested (#)
     - Rename trust keys (and the respective environment variables) from
       `offline` to `root` and `tagging` to `repository` (#16894)
     - DEPRECATE trust key environment variables
       `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and
       `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)

   * Security:
     - Add SELinux profiles to the rpm package (#15832)
     - Fix various issues with AppArmor profiles provided in the deb package
       (#14609)
     - Add AppArmor policy that prevents writing to /proc (#15571)

   - Change the systemd unit file to no longer use the deprecated "-d"
     option (bnc#954737)

   - Docker was also updated to version 1.8.3, which fixes security issues:
     * Fix layer IDs leading to local graph poisoning (CVE-2014-8178)
       (bnc#949660)
     * Fix manifest validation and parsing logic errors that allowed a
       pull-by-digest validation bypass (CVE-2014-8179)
     * Add `--disable-legacy-registry` to prevent a daemon from using a v1
       registry

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2015-792=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.1 (x86_64):

      docker-1.9.0-4.1
      docker-debuginfo-1.9.0-4.1
      docker-debugsource-1.9.0-4.1

   - openSUSE Leap 42.1 (noarch):

      docker-bash-completion-1.9.0-4.1
      docker-test-1.9.0-4.1
      docker-zsh-completion-1.9.0-4.1

References:

   https://www.suse.com/security/cve/CVE-2014-8178.html
   https://www.suse.com/security/cve/CVE-2014-8179.html
   https://bugzilla.suse.com/949660
   https://bugzilla.suse.com/954737
   https://bugzilla.suse.com/954812
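The following script is an added example for verifying the two actionable points of this advisory on a host, after the patch has been applied; it is not part of the advisory or of the openSUSE docker package. It checks that the installed docker package is at or above the fixed build 1.9.0-4.1 from the package list, and that the daemon is started with `--disable-legacy-registry`, the flag named in the 1.8.3 security fixes. The path /etc/sysconfig/docker and the DOCKER_OPTS variable name are assumptions about how the openSUSE unit file passes daemon options; adjust them if your unit passes flags differently. The version comparison uses GNU `sort -V` rather than rpm's own algorithm, which is adequate for the dotted version-release strings used here.

```shell
#!/bin/sh
# Added example (not from the advisory): post-patch checks for the docker
# update described in openSUSE-SU-2015:2073-1.

FIXED_VERSION="1.9.0-4.1"   # fixed version-release from the advisory's package list

# version_at_least HAVE WANT: exit 0 when HAVE sorts at or above WANT.
# GNU sort -V orders dotted version strings numerically; the lowest of the
# two must be WANT for HAVE to be considered patched.
version_at_least() {
    have="$1"; want="$2"
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
    [ "$lowest" = "$want" ]
}

# docker_is_patched VERSION: exit 0 if VERSION (e.g. "1.9.0-4.1") is at or
# above FIXED_VERSION. An empty VERSION (package absent) is never patched.
docker_is_patched() {
    [ -n "$1" ] && version_at_least "$1" "$FIXED_VERSION"
}

# legacy_registry_disabled FILE: exit 0 if the DOCKER_OPTS= line in FILE
# contains --disable-legacy-registry. FILE is assumed to be the sysconfig
# file read by the openSUSE docker unit (/etc/sysconfig/docker).
legacy_registry_disabled() {
    grep -E '^[[:space:]]*DOCKER_OPTS=' "$1" 2>/dev/null \
        | grep -q -- '--disable-legacy-registry'
}

# check_host: run both checks against the live system and print a report.
# The installed version is read with rpm's %{VERSION}-%{RELEASE} query;
# a missing package yields an empty string.
check_host() {
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' docker 2>/dev/null) \
        || installed=""
    if docker_is_patched "$installed"; then
        echo "docker $installed: at or above fixed build $FIXED_VERSION"
    else
        echo "docker ${installed:-not installed}: below $FIXED_VERSION," \
             "apply patch openSUSE-2015-792"
    fi
    if legacy_registry_disabled /etc/sysconfig/docker; then
        echo "daemon: --disable-legacy-registry is set"
    else
        echo "daemon: --disable-legacy-registry not set in /etc/sysconfig/docker"
    fi
}

# Run the report only when executed directly, not when sourced for testing.
case "$0" in
    *check_docker_update*) check_host ;;
esac
```

Save the script as check_docker_update.sh and run it on a Leap 42.1 host after `zypper patch`; the `case` at the end keeps the live checks from running when the file is sourced, so the individual functions can be exercised against constructed inputs.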