openSUSE Security Update: Security update for docker ______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1596-1 Rating: important References: #907012 #907014 Cross-References: CVE-2014-6407 CVE-2014-6408 Affected Products: openSUSE 13.2 ______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
docker was updated to version 1.3.2 to fix two security issues.
These security issues were fixed: - Symbolic and hardlink issues leading to privilege escalation (CVE-2014-6407). - Potential container escalation (CVE-2014-6408).
There non-security issues were fixed: - Fix deadlock in docker ps -f exited=1 - Fix a bug when --volumes-from references a container that failed to start - --insecure-registry now accepts CIDR notation such as 10.1.0.0/16 - Private registries whose IPs fall in the 127.0.0.0/8 range do no need the --insecure-registry flag - Skip the experimental registry v2 API when mirroring is enabled - Fixed minor packaging issues.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2014-757
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (x86_64):
docker-1.3.2-9.1 docker-debuginfo-1.3.2-9.1 docker-debugsource-1.3.2-9.1
- openSUSE 13.2 (noarch):
docker-bash-completion-1.3.2-9.1 docker-zsh-completion-1.3.2-9.1
References:
http://support.novell.com/security/cve/CVE-2014-6407.html http://support.novell.com/security/cve/CVE-2014-6408.html https://bugzilla.suse.com/show_bug.cgi?id=907012 https://bugzilla.suse.com/show_bug.cgi?id=907014