SUSE-SU-2015:0082-1: moderate: Security update for docker
sle-security-updates at lists.suse.com
Mon Jan 19 09:04:40 MST 2015
SUSE Security Update: Security update for docker
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:0082-1
Rating: moderate
References: #909709 #909710 #909712 #913211 #913213
Cross-References: CVE-2014-9356 CVE-2014-9357 CVE-2014-9358
Affected Products:
SUSE Linux Enterprise Server 12
______________________________________________________________________________
An update that solves three vulnerabilities and has two
fixes is now available.
Description:
This docker version upgrade fixes the following security and non-security
issues and also adds additional features:
- Updated to 1.4.1 (2014-12-15):
  * Runtime:
    - Fix issue with volumes-from and bind mounts not being honored after
      create (fixes bnc#913213)
- Added e2fsprogs as runtime dependency, this is required when the
  devicemapper driver is used. (bnc#913211).
- Fixed owner & group for docker.socket (thanks to Andrei Dziahel and
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)
- Updated to 1.4.0 (2014-12-11):
  * Notable Features since 1.3.0:
    - Set key=value labels to the daemon (displayed in `docker info`),
      applied with new `-label` daemon flag
    - Add support for `ENV` in Dockerfile of the form: `ENV name=value
      name2=value2...`
    - New Overlayfs Storage Driver
    - `docker info` now returns an `ID` and `Name` field
    - Filter events by event name, container, or image
    - `docker cp` now supports copying from container volumes
    - Fixed `docker tag`, so it honors `--force` when overriding a tag for
      existing image.
- Changes introduced by 1.3.3 (2014-12-11):
  * Security:
    - Fix path traversal vulnerability in processing of absolute symbolic
      links (CVE-2014-9356) - (bnc#909709)
    - Fix decompression of xz image archives, preventing privilege
      escalation (CVE-2014-9357) - (bnc#909710)
    - Validate image IDs (CVE-2014-9358) - (bnc#909712)
  * Runtime:
    - Fix an issue when image archives are being read slowly
  * Client:
    - Fix a regression related to stdin redirection
    - Fix a regression with `docker cp` when destination is the current
      directory
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-28
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 12 (x86_64):
docker-1.4.1-16.1
docker-debuginfo-1.4.1-16.1
docker-debugsource-1.4.1-16.1
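Added example, not part of the SUSE advisory: a shell check that flags hosts whose docker build is older than the fixed docker-1.4.1-16.1 from the package list above. The inventory format ("host version-release", with "none" for hosts without docker), the hostnames and the older build numbers are constructed, and the comparison assumes GNU `sort -V` orders these numeric strings the way RPM would.

```shell
#!/bin/sh
# Added example (not SUSE's or Docker's code): post-patch verification
# against the fixed build listed in this advisory.
FIXED="1.4.1-16.1"   # from the Package List: docker-1.4.1-16.1

# is_patched VERSION-RELEASE -> status 0 if the build is >= FIXED, else 1.
# Assumption: GNU `sort -V` is an adequate stand-in for RPM's version
# comparison on purely numeric dotted strings such as "1.4.1-16.1".
is_patched() {
    [ -n "$1" ] || return 1
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# audit_inventory: read "host version-release" lines on stdin and print
# every host still running a build older than FIXED.
audit_inventory() {
    while read -r host vr; do
        [ -n "$host" ] || continue
        case "$host" in \#*) continue ;; esac      # skip comment lines
        if [ "$vr" = "none" ]; then continue; fi   # docker not installed
        is_patched "$vr" || printf '%s %s\n' "$host" "$vr"
    done
}

# Constructed sample inventory; hostnames and non-advisory builds are made up.
sample_inventory() {
cat <<'EOF'
# host  docker version-release
web01 1.3.2-9.1
web02 1.4.1-16.1
build01 1.4.0-12.1
db01 none
ci01 1.10.3-66.1
EOF
}

# Per-host input on a real system would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' docker
if [ "${1:-}" = "--demo" ]; then
    sample_inventory | audit_inventory
fi
```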
References:
http://support.novell.com/security/cve/CVE-2014-9356.html
http://support.novell.com/security/cve/CVE-2014-9357.html
http://support.novell.com/security/cve/CVE-2014-9358.html
https://bugzilla.suse.com/show_bug.cgi?id=909709
https://bugzilla.suse.com/show_bug.cgi?id=909710
https://bugzilla.suse.com/show_bug.cgi?id=909712
https://bugzilla.suse.com/show_bug.cgi?id=913211
https://bugzilla.suse.com/show_bug.cgi?id=913213