===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1150
                    docker security and bug fix update
                               1 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           docker
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8945 CVE-2020-1702 CVE-2019-16884

Reference:         ESB-2020.1048
                   ESB-2020.0914
                   ESB-2020.0870
                   ESB-2020.0115

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1234

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: docker security and bug fix update
Advisory ID:       RHSA-2020:1234-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1234
Issue date:        2020-03-31
CVE Names:         CVE-2019-16884 CVE-2020-1702 CVE-2020-8945 
=====================================================================

1. Summary:

An update for docker is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - ppc64le, s390x, x86_64

3. Description:

Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that runs
virtually anywhere. 

Security Fix(es):

* runc: AppArmor/SELinux bypass with malicious image that specifies a
volume at /proc (CVE-2019-16884)

* proglottis/gpgme: Use-after-free in GPGME bindings during container image
pull (CVE-2020-8945)

* containers/image: Container images read entire image manifest into memory
(CVE-2020-1702)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Whitelist statx(2) in docker (BZ#1784228)

* Upgrading docker resulting into increase Systemd logs (BZ#1791870)

* docker should be linked against gpgme-pthread (BZ#1792243)

* docker cannot be updated to 108 on rhos13 as a container fails to start
with "pivot_root invalid argument" error. (BZ#1795376)

* OVS pods are unable to stop when running under docker version 1.13.1-108
(BZ#1796451)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1757214 - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
1784228 - Whitelist statx(2) in docker
1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
1795376 - docker cannot be updated to 108 on rhos13 as a container fails to start with "pivot_root invalid argument" error.
1795838 - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
1796451 - OVS pods are unable to stop when running under docker version 1.13.1-108

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.13.1-161.git64e9980.el7_8.src.rpm

ppc64le:
docker-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-client-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-common-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-debuginfo-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-logrotate-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.ppc64le.rpm

s390x:
docker-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-client-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-common-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-debuginfo-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-logrotate-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.s390x.rpm

x86_64:
docker-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-client-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-common-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-debuginfo-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-logrotate-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
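
Added example (not part of the Red Hat or AusCERT text): a check that flags docker packages still below the fixed build in the package list above, using a simplified rpm-style version comparison. It assumes input produced by rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' and ignores the epoch; the function names and sample lines are constructed for illustration.

```python
import re

# Fixed build and package names, taken from the advisory's package list.
FIXED = "1.13.1-161.git64e9980.el7_8"
PACKAGES = {"docker", "docker-client", "docker-common", "docker-debuginfo",
            "docker-logrotate", "docker-lvm-plugin", "docker-novolume-plugin",
            "docker-rhel-push-plugin", "docker-v1.10-migrator"}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Compare one version or release string rpm-style; returns -1, 0 or 1.
    Simplified: handles '~' pre-release markers but not '^'."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):                 # '~' sorts before anything else
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():   # numeric segments compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue
        if x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        return 1 if x > y else -1         # both alphabetic: plain string order
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # Extra trailing segments make a string newer, unless they start with '~'.
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign

def is_older(installed, fixed=FIXED):
    """True when an installed VERSION-RELEASE predates the fixed build."""
    (iv, _, ir), (fv, _, fr) = installed.partition("-"), fixed.partition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

def needs_update(rpm_query_output):
    """Return [name, version-release] pairs for advisory packages below the fixed build."""
    rows = (line.split() for line in rpm_query_output.splitlines())
    return [r for r in rows if len(r) == 2 and r[0] in PACKAGES and is_older(r[1])]

# Constructed sample output, not taken from a real host.
SAMPLE = """docker 1.13.1-108.git0000000.el7
docker-client 1.13.1-161.git64e9980.el7_8
docker-common 1.13.1-162.git0000000.el7_8
bash 4.2.46-34.el7"""
```

On a host, pass the real rpm query output to needs_update() in place of SAMPLE; an empty list means every installed docker package is at or above the fixed build.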

7. References:

https://access.redhat.com/security/cve/CVE-2019-16884
https://access.redhat.com/security/cve/CVE-2020-1702
https://access.redhat.com/security/cve/CVE-2020-8945
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================