SUSE-SU-2014:1648-1: moderate: Security update for docker, sle2docker, go

Mon Dec 15 06:04:41 MST 2014

   SUSE Security Update: Security update for docker, sle2docker, go
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1648-1
Rating:             moderate
References:         #898901 #902289 #902413 #907012 #907014 
Cross-References:   CVE-2014-5277 CVE-2014-5282 CVE-2014-6407
                    CVE-2014-6408 CVE-2014-7189
Affected Products:
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   Docker was updated to version 1.3.2 to fix five security issues and
   several other bugs.

   - Updated to 1.3.2 (2014-11-20) - fixes bnc#907012 (CVE-2014-6407) and
     bnc#907014 (CVE-2014-6408)
   - Fixed minor packaging issues.

   These security issues were fixed:
   - Prevent fallback to SSL protocols lower than TLS 1.0 for client, daemon
     and registry (CVE-2014-5277).
   - Secure HTTPS connection to registries with certificate verification and
     without HTTP fallback unless `--insecure-registry` is specified.
   - Tagging image to ID can redirect images on subsequent pulls
     (CVE-2014-5282).
   - Fix tar breakout vulnerability (CVE-2014-6407)
   - Extractions are now sandboxed chroot (CVE-2014-6407)
   - Security options are no longer committed to images (CVE-2014-6408)

   These non-security issues were fixed:
   - Fix deadlock in `docker ps -f exited=1`
   - Fix a bug when `--volumes-from` references a container that failed to
     start
   - `--insecure-registry` now accepts CIDR notation such as 10.1.0.0/16
   - Private registries whose IPs fall in the 127.0.0.0/8 range do no need
     the `--insecure-registry` flag
   - Skip the experimental registry v2 API when mirroring is enabled
   - Fix issue where volumes would not be shared
   - Fix issue with `--iptables=false` not automatically setting
     `--ip-masq=false`
   - Fix docker run output to non-TTY stdout
   - Fix escaping `$` for environment variables
   - Fix issue with lowercase `onbuild` Dockerfile instruction
   - Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`,
     `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
   - docker `exec` allows you to run additional processes inside existing
     containers
   - docker `create` gives you the ability to create a container via the cli
     without executing a process
   - `--security-opts` options to allow user to customize container labels
     and apparmor profiles
   - docker `ps` filters
   - Wildcard support to copy/add
   - Move production urls to get.docker.com from get.docker.io
   - Allocate ip address on the bridge inside a valid cidr
   - Use drone.io for pr and ci testing
   - Ability to setup an official registry mirror
   - Ability to save multiple images with docker `save`

   go was updated to version 1.3.3 to fix one security issue and several
   other bugs.

   This security issue was fixed:
   - TLS client authentication issue (CVE-2014-7189).

   These non-security issues were fixed:
   - Avoid stripping debuginfo on arm, it fails (and is not necessary)
   - Revert the /usr/share/go/contrib symlink as it caused problems during
     update. Moved all go sources to /usr/share/go/contrib/src instead of
     /usr/share/go/contrib/src/pkg and created pkg and src symlinks in
     contrib to add it to GOPATH
   - Fixed %go_contribsrcdir value
   - Copy temporary macros.go as go.macros to avoid it to be built
   - Do not modify Source: files, because that makes the .src.rpm being tied
     to one specific arch.
   - Removed extra src folder in /usr/share/go/contrib: the goal is to
     transform this folder into a proper entry for GOPATH. This folder is now
     linked to %{_libdir}/go/contrib
   - go requires gcc to build sources using cgo
   - tools-packaging.patch: Allow building cover and vet tools in
     $GOROOT_TARGET/pkg/tool instead of $GOROOT/pkg/tool. This will allow
     building go tools as a separate package

   sle2docker was updated to version 0.2.2 to fix one bug:
   - Fix SLE12 urls (bnc#902289)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-111

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (x86_64):

      docker-1.3.2-9.1
      docker-debuginfo-1.3.2-9.1
      docker-debugsource-1.3.2-9.1
      ruby2.1-rubygem-sle2docker-0.2.3-5.1
      sle2docker-0.2.3-5.1

References:

   http://support.novell.com/security/cve/CVE-2014-5277.html
   http://support.novell.com/security/cve/CVE-2014-5282.html
   http://support.novell.com/security/cve/CVE-2014-6407.html
   http://support.novell.com/security/cve/CVE-2014-6408.html
   http://support.novell.com/security/cve/CVE-2014-7189.html
   https://bugzilla.suse.com/show_bug.cgi?id=898901
   https://bugzilla.suse.com/show_bug.cgi?id=902289
   https://bugzilla.suse.com/show_bug.cgi?id=902413
   https://bugzilla.suse.com/show_bug.cgi?id=907012
   https://bugzilla.suse.com/show_bug.cgi?id=907014