openSUSE Security Update: Security update for docker ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1596-1 Rating: important References: #907012 #907014 Cross-References: CVE-2014-6407 CVE-2014-6408 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: docker was updated to version 1.3.2 to fix two security issues. These security issues were fixed: - Symbolic and hardlink issues leading to privilege escalation (CVE-2014-6407). - Potential container escalation (CVE-2014-6408). There non-security issues were fixed: - Fix deadlock in docker ps -f exited=1 - Fix a bug when --volumes-from references a container that failed to start - --insecure-registry now accepts CIDR notation such as 10.1.0.0/16 - Private registries whose IPs fall in the 127.0.0.0/8 range do no need the --insecure-registry flag - Skip the experimental registry v2 API when mirroring is enabled - Fixed minor packaging issues. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2014-757 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (x86_64): docker-1.3.2-9.1 docker-debuginfo-1.3.2-9.1 docker-debugsource-1.3.2-9.1 - openSUSE 13.2 (noarch): docker-bash-completion-1.3.2-9.1 docker-zsh-completion-1.3.2-9.1 References: http://support.novell.com/security/cve/CVE-2014-6407.html http://support.novell.com/security/cve/CVE-2014-6408.html https://bugzilla.suse.com/show_bug.cgi?id=907012 https://bugzilla.suse.com/show_bug.cgi?id=907014