Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2831 Moderate: docker security and bug fix update 30 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: docker Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Access Privileged Data -- Existing Account Modify Arbitrary Files -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-15664 Reference: ASB-2019.0181 ESB-2019.2491 ESB-2019.2198 ESB-2019.2145 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:1910 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: docker security and bug fix update Advisory ID: RHSA-2019:1910-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://access.redhat.com/errata/RHSA-2019:1910 Issue date: 2019-07-29 CVE Names: CVE-2018-15664 ===================================================================== 1. Summary: An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux 7 Extras - aarch64, ppc64le, s390x, x86_64 3. Description: Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere. Security Fix(es): * docker: symlink-exchange race attacks in docker cp (CVE-2018-15664) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * slowness of system shutdown when containers are being stopped - dockerd is unable to communicate with rhel-push-plugin (BZ#1714032) * journald Log() in dockerd causes nil pointer dereference when PutMessage() is called before reading msg.Source (BZ#1720363) * regression: docker cp: Rel: can't make /..../a relative to a (BZ#1723491) * Regression: docker cp: can no longer pull image files (BZ#1727488) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1714722 - CVE-2018-15664 docker: symlink-exchange race attacks in docker cp 1723491 - regression: docker cp: Rel: can't make /..../a relative to a 6. Package List: Red Hat Enterprise Linux 7 Extras: Source: docker-1.13.1-102.git7f2769b.el7.src.rpm aarch64: docker-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-client-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-common-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-debuginfo-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-logrotate-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-lvm-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-novolume-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.aarch64.rpm docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.aarch64.rpm ppc64le: docker-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-client-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-common-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-debuginfo-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-logrotate-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-lvm-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-novolume-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.ppc64le.rpm docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.ppc64le.rpm s390x: docker-1.13.1-102.git7f2769b.el7.s390x.rpm docker-client-1.13.1-102.git7f2769b.el7.s390x.rpm docker-common-1.13.1-102.git7f2769b.el7.s390x.rpm docker-debuginfo-1.13.1-102.git7f2769b.el7.s390x.rpm docker-logrotate-1.13.1-102.git7f2769b.el7.s390x.rpm docker-lvm-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm docker-novolume-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.s390x.rpm docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.s390x.rpm x86_64: docker-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-client-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-common-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-debuginfo-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-logrotate-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-lvm-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-novolume-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-rhel-push-plugin-1.13.1-102.git7f2769b.el7.x86_64.rpm docker-v1.10-migrator-1.13.1-102.git7f2769b.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-15664 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXT8cSNzjgjWX9erEAQi2JA/+K/QqdrRTCRF3b2ZJJEV7sGFQKXMBlTV8 EZG9KgjOVqlEDbfKAGy8Zebs2N81dWdfPguSK1k0xYHSPmEo4uhHUbOnd0lIrVpY kaRcpE4PtNsV9sqjoO6Lomols33J8/q/sz2xpQA740SgQ3MBcYzztqbfSrXrNuyf kGWZubHuABqnsJ2HHlqPZCiiw1OcC+fRKjxjHKfGyqBBGwlcfCn33YJCm2tJGvVE nGVm70JuYVChY/9rgos8SK96wEo8jCIVNJ7X6ppfGeX6mmK5wVT7MhDSJihe9IwI frkXj1l+dYfcYO/mDubwEdIU6/WLqlmjni+AapKtLMrQzuH+d1kegFW3xsE6Cb72 vt2cmAMdJlAw9VUXPLrlZdSdJxniS4GnTlfFkw7FA+349EmMB8I5RoqNju16+hos Vfr8RW3KQ8uESnLM9hi1gCBrk11qyXKVmnKeyPZq0yX8vKCgwcRZmUDTTgZx0rVg wvWEjQcpnCM2JSMhYrWd4XyMesX3y4CnZpXd9b12mKV8GZzkWNw5A/APKzMVZtvH 101LluOy18xL+2ShyMmQIVWfrnaXVKUyuY4V+lq5XQlVPQrD7aHglkLbttd+GFvh kb2ImsTOLm6lzOule1BWk181bcPkJlgBOxlRb2OveY3wqAQBnrqrvcdw45PiNkag EYW5YpeNnu8= =P8/C - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXT/XbWaOgq3Tt24GAQgTphAAwMawnstosqCnxAjqtopGwPDbXwDgP2b+ e0xLWhjD0rRqRWeFOwPw5Y08sokT95gL1R4er9tRKu9gMWXsaJq+Dj+jbTFbQswM 6s9ENsZC2Ybj1Y8DGje3K2d4qAY63j7hZIfVa3u898ScNgJwFMYNWqDC9rLkBuoL aXYkfo0rYv0AMmwK7BmYmjaq/UwBPN2CC8WRfjMFaz9gbmFBz0p4w+69daMNq3VE Mg4lyshZuFjxT8y0FPlTgeHba7xM3PY00NzEkSrOa0iQqnmRyT4zy89YA46DsyOK 7HX7wUzYdS/GPmTHn3xh7w2FapZ5y7+1b5ZrhjV3ylAyFALEOg5KRaKapE9bu1n4 h9DGHke6RO9psFoVyrcYeErmGalxdFuz35WNCxbWcEFYEAVLftBDTBch2CUGsjKW LpHXKm9cPBXu+rPRCAghBeCJID2HJMMWEXY18+fOzzTGZTTzP5ETbPhSxm8Cf2nn UPiIfsHjgCUY0lI0r6JddDaOwRiRsYT+XbC3j3CClQoSe90YprEhQGiI3iIhAFhA HKhEnPgSTJxB4AZ9T8m8Fc0pLP05YCjGkRsBabF2G6xeuwTMqf0DgFcq6kwMU84B QL4nNUkXVTDuZcEPdLeGAn7gyglCSfk3qbu3OnflXfLIGADvUYv7C/nH1CHd5AdK Sb1UMhmzRYs= =/TAB -----END PGP SIGNATURE-----