-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2831
               Moderate: docker security and bug fix update
                               30 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           docker
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Access Privileged Data -- Existing Account
                   Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15664  

Reference:         ASB-2019.0181
                   ESB-2019.2491
                   ESB-2019.2198
                   ESB-2019.2145

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:1910

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: docker security and bug fix update
Advisory ID:       RHSA-2019:1910-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1910
Issue date:        2019-07-29
CVE Names:         CVE-2018-15664 
=====================================================================

1. Summary:

An update for docker is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - aarch64, ppc64le, s390x, x86_64

3. Description:

Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that runs
virtually anywhere. 

Security Fix(es):

* docker: symlink-exchange race attacks in docker cp (CVE-2018-15664)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* slowness of system shutdown when containers are being stopped - dockerd
is unable to communicate with rhel-push-plugin (BZ#1714032)

* journald Log() in dockerd causes nil pointer dereference when
PutMessage() is called before reading msg.Source (BZ#1720363)

* regression: docker cp: Rel: can't make /..../a relative to a (BZ#1723491)

* Regression: docker cp: can no longer pull image files (BZ#1727488)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1714722 - CVE-2018-15664 docker: symlink-exchange race attacks in docker cp
1723491 - regression: docker cp: Rel: can't make /..../a relative to a

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.13.1-102.git7f2769b.el7.src.rpm

aarch64:
docker-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-client-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-common-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-debuginfo-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-logrotate-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-lvm-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-novolume-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm
docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.aarch64.rpm

ppc64le:
docker-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-client-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-common-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-debuginfo-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-logrotate-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-lvm-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-novolume-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm
docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.ppc64le.rpm

s390x:
docker-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-client-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-common-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-debuginfo-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-logrotate-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-lvm-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-novolume-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm
docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.s390x.rpm

x86_64:
docker-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-client-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-common-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-debuginfo-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-logrotate-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-lvm-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-novolume-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm
docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-15664
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXT8cSNzjgjWX9erEAQi2JA/+K/QqdrRTCRF3b2ZJJEV7sGFQKXMBlTV8
EZG9KgjOVqlEDbfKAGy8Zebs2N81dWdfPguSK1k0xYHSPmEo4uhHUbOnd0lIrVpY
kaRcpE4PtNsV9sqjoO6Lomols33J8/q/sz2xpQA740SgQ3MBcYzztqbfSrXrNuyf
kGWZubHuABqnsJ2HHlqPZCiiw1OcC+fRKjxjHKfGyqBBGwlcfCn33YJCm2tJGvVE
nGVm70JuYVChY/9rgos8SK96wEo8jCIVNJ7X6ppfGeX6mmK5wVT7MhDSJihe9IwI
frkXj1l+dYfcYO/mDubwEdIU6/WLqlmjni+AapKtLMrQzuH+d1kegFW3xsE6Cb72
vt2cmAMdJlAw9VUXPLrlZdSdJxniS4GnTlfFkw7FA+349EmMB8I5RoqNju16+hos
Vfr8RW3KQ8uESnLM9hi1gCBrk11qyXKVmnKeyPZq0yX8vKCgwcRZmUDTTgZx0rVg
wvWEjQcpnCM2JSMhYrWd4XyMesX3y4CnZpXd9b12mKV8GZzkWNw5A/APKzMVZtvH
101LluOy18xL+2ShyMmQIVWfrnaXVKUyuY4V+lq5XQlVPQrD7aHglkLbttd+GFvh
kb2ImsTOLm6lzOule1BWk181bcPkJlgBOxlRb2OveY3wqAQBnrqrvcdw45PiNkag
EYW5YpeNnu8=
=P8/C
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXT/XbWaOgq3Tt24GAQgTphAAwMawnstosqCnxAjqtopGwPDbXwDgP2b+
e0xLWhjD0rRqRWeFOwPw5Y08sokT95gL1R4er9tRKu9gMWXsaJq+Dj+jbTFbQswM
6s9ENsZC2Ybj1Y8DGje3K2d4qAY63j7hZIfVa3u898ScNgJwFMYNWqDC9rLkBuoL
aXYkfo0rYv0AMmwK7BmYmjaq/UwBPN2CC8WRfjMFaz9gbmFBz0p4w+69daMNq3VE
Mg4lyshZuFjxT8y0FPlTgeHba7xM3PY00NzEkSrOa0iQqnmRyT4zy89YA46DsyOK
7HX7wUzYdS/GPmTHn3xh7w2FapZ5y7+1b5ZrhjV3ylAyFALEOg5KRaKapE9bu1n4
h9DGHke6RO9psFoVyrcYeErmGalxdFuz35WNCxbWcEFYEAVLftBDTBch2CUGsjKW
LpHXKm9cPBXu+rPRCAghBeCJID2HJMMWEXY18+fOzzTGZTTzP5ETbPhSxm8Cf2nn
UPiIfsHjgCUY0lI0r6JddDaOwRiRsYT+XbC3j3CClQoSe90YprEhQGiI3iIhAFhA
HKhEnPgSTJxB4AZ9T8m8Fc0pLP05YCjGkRsBabF2G6xeuwTMqf0DgFcq6kwMU84B
QL4nNUkXVTDuZcEPdLeGAn7gyglCSfk3qbu3OnflXfLIGADvUYv7C/nH1CHd5AdK
Sb1UMhmzRYs=
=/TAB
-----END PGP SIGNATURE-----