SUSE-SU-2014:1648-1: moderate: Security update for docker, sle2docker, go

sle-security-updates at sle-security-updates at
Mon Dec 15 06:04:41 MST 2014

   SUSE Security Update: Security update for docker, sle2docker, go

Announcement ID:    SUSE-SU-2014:1648-1
Rating:             moderate
References:         #898901 #902289 #902413 #907012 #907014 
Cross-References:   CVE-2014-5277 CVE-2014-5282 CVE-2014-6407
                    CVE-2014-6408 CVE-2014-7189
Affected Products:
                    SUSE Linux Enterprise Server 12

   An update that fixes 5 vulnerabilities is now available.


   Docker was updated to version 1.3.2 to fix five security issues and
   several other bugs.

   - Updated to 1.3.2 (2014-11-20) - fixes bnc#907012 (CVE-2014-6407) and
     bnc#907014 (CVE-2014-6408)
   - Fixed minor packaging issues.

   These security issues were fixed:
   - Prevent fallback to SSL protocols lower than TLS 1.0 for client, daemon
     and registry (CVE-2014-5277).
   - Secure HTTPS connection to registries with certificate verification and
     without HTTP fallback unless `--insecure-registry` is specified.
   - Tagging image to ID can redirect images on subsequent pulls
   - Fix tar breakout vulnerability (CVE-2014-6407)
   - Extractions are now sandboxed chroot (CVE-2014-6407)
   - Security options are no longer committed to images (CVE-2014-6408)

   These non-security issues were fixed:
   - Fix deadlock in `docker ps -f exited=1`
   - Fix a bug when `--volumes-from` references a container that failed to
   - `--insecure-registry` now accepts CIDR notation such as
   - Private registries whose IPs fall in the range do no need
     the `--insecure-registry` flag
   - Skip the experimental registry v2 API when mirroring is enabled
   - Fix issue where volumes would not be shared
   - Fix issue with `--iptables=false` not automatically setting
   - Fix docker run output to non-TTY stdout
   - Fix escaping `$` for environment variables
   - Fix issue with lowercase `onbuild` Dockerfile instruction
   - Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`,
   - docker `exec` allows you to run additional processes inside existing
   - docker `create` gives you the ability to create a container via the cli
     without executing a process
   - `--security-opts` options to allow user to customize container labels
     and apparmor profiles
   - docker `ps` filters
   - Wildcard support to copy/add
   - Move production urls to from
   - Allocate ip address on the bridge inside a valid cidr
   - Use for pr and ci testing
   - Ability to setup an official registry mirror
   - Ability to save multiple images with docker `save`

   go was updated to version 1.3.3 to fix one security issue and several
   other bugs.

   This security issue was fixed:
   - TLS client authentication issue (CVE-2014-7189).

   These non-security issues were fixed:
   - Avoid stripping debuginfo on arm, it fails (and is not necessary)
   - Revert the /usr/share/go/contrib symlink as it caused problems during
     update. Moved all go sources to /usr/share/go/contrib/src instead of
     /usr/share/go/contrib/src/pkg and created pkg and src symlinks in
     contrib to add it to GOPATH
   - Fixed %go_contribsrcdir value
   - Copy temporary macros.go as go.macros to avoid it to be built
   - Do not modify Source: files, because that makes the .src.rpm being tied
     to one specific arch.
   - Removed extra src folder in /usr/share/go/contrib: the goal is to
     transform this folder into a proper entry for GOPATH. This folder is now
     linked to %{_libdir}/go/contrib
   - go requires gcc to build sources using cgo
   - tools-packaging.patch: Allow building cover and vet tools in
     $GOROOT_TARGET/pkg/tool instead of $GOROOT/pkg/tool. This will allow
     building go tools as a separate package

   sle2docker was updated to version 0.2.2 to fix one bug:
   - Fix SLE12 urls (bnc#902289)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-111

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):



More information about the sle-security-updates mailing list