suse-su-2018:0386-1
Vulnerability from csaf_suse
Published
2018-02-07 14:22
Modified
2018-02-07 14:22
Summary
Version update for docker, docker-runc, containerd, golang-github-docker-libnetwork
Notes
Title of the patch
Version update for docker, docker-runc, containerd, golang-github-docker-libnetwork
Description of the patch
This update for docker, docker-runc, containerd, golang-github-docker-libnetwork fixes several issues.
These security issues were fixed:
- CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults.go docker did
not block /proc/scsi pathnames, which allowed attackers to trigger data loss
(when certain older Linux kernels are used) by leveraging Docker container
access to write a 'scsi remove-single-device' line to /proc/scsi/scsi, aka SCSI
MICDROP (bnc#1066801)
- CVE-2017-14992: Lack of content verification in docker allowed a remote
attacker to cause a Denial of Service via a crafted image layer payload, aka
gzip bombing. (bnc#1066210)
These non-security issues were fixed:
- bsc#1059011: The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script.
- bsc#1057743: New requirement with new version of docker-libnetwork.
- bsc#1032287: Missing docker systemd configuration.
- bsc#1057743: New 'symbol' for libnetwork requirement.
- bsc#1057743: Update secrets patch to handle 'old' containers that have orphaned secret data no longer available on the host.
- bsc#1055676: Update patches to correctly handle volumes and mounts when Docker is running with user namespaces enabled.
- bsc#1045628:: Add patch to make the dm storage driver remove a container's rootfs mountpoint before attempting to do libdm operations on it. This helps avoid complications when live mounts will leak into containers.
- bsc#1069758: Upgrade Docker to v17.09.1_ce (and obsolete docker-image-migrator).
- bsc#1021227: bsc#1029320 bsc#1058173 -- Enable docker devicemapper support for deferred removal/deletion within Containers module.
- bsc#1046024: Correct interaction between Docker and SuSEFirewall2, to avoid breaking Docker networking after boot.
- bsc#1048046: Build with -buildmode=pie to make all binaries PIC.
- bsc#1072798: Remove dependency on obsolete bridge-utils.
- bsc#1064926: Set --start-timeout=2m by default to match upstream.
- bsc#1065109, bsc#1053532: Use the upstream makefile so that Docker can get the commit ID in `docker info`.
Please note that the 'docker-runc' package is just a rename of the old 'runc' package to match that we now ship the Docker fork of runc.
Patchnames
SUSE-OpenStack-Cloud-6-2018-273,SUSE-SLE-Module-Containers-12-2018-273
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Version update for docker, docker-runc, containerd, golang-github-docker-libnetwork",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for docker, docker-runc, containerd, golang-github-docker-libnetwork fixes several issues.\n\nThese security issues were fixed:\n\n- CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults.go docker did\n not block /proc/scsi pathnames, which allowed attackers to trigger data loss\n (when certain older Linux kernels are used) by leveraging Docker container\n access to write a \u0027scsi remove-single-device\u0027 line to /proc/scsi/scsi, aka SCSI\n MICDROP (bnc#1066801)\n\n- CVE-2017-14992: Lack of content verification in docker allowed a remote\n attacker to cause a Denial of Service via a crafted image layer payload, aka\n gzip bombing. (bnc#1066210)\n\nThese non-security issues were fixed:\n\n- bsc#1059011: The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from \u0027simple\u0027 to \u0027notify\u0027 and remove the now superfluous helper script.\n- bsc#1057743: New requirement with new version of docker-libnetwork.\n- bsc#1032287: Missing docker systemd configuration.\n- bsc#1057743: New \u0027symbol\u0027 for libnetwork requirement.\n- bsc#1057743: Update secrets patch to handle \u0027old\u0027 containers that have orphaned secret data no longer available on the host.\n- bsc#1055676: Update patches to correctly handle volumes and mounts when Docker is running with user namespaces enabled.\n- bsc#1045628:: Add patch to make the dm storage driver remove a container\u0027s rootfs mountpoint before attempting to do libdm operations on it. This helps avoid complications when live mounts will leak into containers.\n- bsc#1069758: Upgrade Docker to v17.09.1_ce (and obsolete docker-image-migrator).\n- bsc#1021227: bsc#1029320 bsc#1058173 -- Enable docker devicemapper support for deferred removal/deletion within Containers module.\n- bsc#1046024: Correct interaction between Docker and SuSEFirewall2, to avoid breaking Docker networking after boot.\n- bsc#1048046: Build with -buildmode=pie to make all binaries PIC.\n- bsc#1072798: Remove dependency on obsolete bridge-utils.\n- bsc#1064926: Set --start-timeout=2m by default to match upstream. \n- bsc#1065109, bsc#1053532: Use the upstream makefile so that Docker can get the commit ID in `docker info`.\n\nPlease note that the \u0027docker-runc\u0027 package is just a rename of the old \u0027runc\u0027 package to match that we now ship the Docker fork of runc.\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-6-2018-273,SUSE-SLE-Module-Containers-12-2018-273",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_0386-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:0386-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20180386-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:0386-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-February/003714.html"
},
{
"category": "self",
"summary": "SUSE Bug 1021227",
"url": "https://bugzilla.suse.com/1021227"
},
{
"category": "self",
"summary": "SUSE Bug 1029320",
"url": "https://bugzilla.suse.com/1029320"
},
{
"category": "self",
"summary": "SUSE Bug 1032287",
"url": "https://bugzilla.suse.com/1032287"
},
{
"category": "self",
"summary": "SUSE Bug 1045628",
"url": "https://bugzilla.suse.com/1045628"
},
{
"category": "self",
"summary": "SUSE Bug 1046024",
"url": "https://bugzilla.suse.com/1046024"
},
{
"category": "self",
"summary": "SUSE Bug 1048046",
"url": "https://bugzilla.suse.com/1048046"
},
{
"category": "self",
"summary": "SUSE Bug 1051429",
"url": "https://bugzilla.suse.com/1051429"
},
{
"category": "self",
"summary": "SUSE Bug 1053532",
"url": "https://bugzilla.suse.com/1053532"
},
{
"category": "self",
"summary": "SUSE Bug 1055676",
"url": "https://bugzilla.suse.com/1055676"
},
{
"category": "self",
"summary": "SUSE Bug 1057743",
"url": "https://bugzilla.suse.com/1057743"
},
{
"category": "self",
"summary": "SUSE Bug 1058173",
"url": "https://bugzilla.suse.com/1058173"
},
{
"category": "self",
"summary": "SUSE Bug 1059011",
"url": "https://bugzilla.suse.com/1059011"
},
{
"category": "self",
"summary": "SUSE Bug 1064926",
"url": "https://bugzilla.suse.com/1064926"
},
{
"category": "self",
"summary": "SUSE Bug 1065109",
"url": "https://bugzilla.suse.com/1065109"
},
{
"category": "self",
"summary": "SUSE Bug 1066210",
"url": "https://bugzilla.suse.com/1066210"
},
{
"category": "self",
"summary": "SUSE Bug 1066801",
"url": "https://bugzilla.suse.com/1066801"
},
{
"category": "self",
"summary": "SUSE Bug 1069468",
"url": "https://bugzilla.suse.com/1069468"
},
{
"category": "self",
"summary": "SUSE Bug 1069758",
"url": "https://bugzilla.suse.com/1069758"
},
{
"category": "self",
"summary": "SUSE Bug 1072798",
"url": "https://bugzilla.suse.com/1072798"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-14992 page",
"url": "https://www.suse.com/security/cve/CVE-2017-14992/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-16539 page",
"url": "https://www.suse.com/security/cve/CVE-2017-16539/"
}
],
"title": "Version update for docker, docker-runc, containerd, golang-github-docker-libnetwork",
"tracking": {
"current_release_date": "2018-02-07T14:22:48Z",
"generator": {
"date": "2018-02-07T14:22:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:0386-1",
"initial_release_date": "2018-02-07T14:22:48Z",
"revision_history": [
{
"date": "2018-02-07T14:22:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"product": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"product_id": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-17.09.1_ce-98.8.1.ppc64le",
"product": {
"name": "docker-17.09.1_ce-98.8.1.ppc64le",
"product_id": "docker-17.09.1_ce-98.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"product_id": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"product": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"product_id": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"product": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"product_id": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-17.09.1_ce-98.8.1.s390x",
"product": {
"name": "docker-17.09.1_ce-98.8.1.s390x",
"product_id": "docker-17.09.1_ce-98.8.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"product_id": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"product": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"product_id": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"product": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"product_id": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-17.09.1_ce-98.8.1.x86_64",
"product": {
"name": "docker-17.09.1_ce-98.8.1.x86_64",
"product_id": "docker-17.09.1_ce-98.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"product_id": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"product": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"product_id": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 6",
"product": {
"name": "SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Containers 12",
"product": {
"name": "SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-containers:12"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64 as component of SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64"
},
"product_reference": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-17.09.1_ce-98.8.1.x86_64 as component of SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64"
},
"product_reference": "docker-17.09.1_ce-98.8.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64 as component of SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64 as component of SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le"
},
"product_reference": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x"
},
"product_reference": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64"
},
"product_reference": "containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-17.09.1_ce-98.8.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le"
},
"product_reference": "docker-17.09.1_ce-98.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-17.09.1_ce-98.8.1.s390x as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x"
},
"product_reference": "docker-17.09.1_ce-98.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-17.09.1_ce-98.8.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64"
},
"product_reference": "docker-17.09.1_ce-98.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le"
},
"product_reference": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x"
},
"product_reference": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-14992",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-14992"
}
],
"notes": [
{
"category": "general",
"text": "Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-14992",
"url": "https://www.suse.com/security/cve/CVE-2017-14992"
},
{
"category": "external",
"summary": "SUSE Bug 1066210 for CVE-2017-14992",
"url": "https://bugzilla.suse.com/1066210"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-02-07T14:22:48Z",
"details": "moderate"
}
],
"title": "CVE-2017-14992"
},
{
"cve": "CVE-2017-16539",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-16539"
}
],
"notes": [
{
"category": "general",
"text": "The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a \"scsi remove-single-device\" line to /proc/scsi/scsi, aka SCSI MICDROP.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-16539",
"url": "https://www.suse.com/security/cve/CVE-2017-16539"
},
{
"category": "external",
"summary": "SUSE Bug 1066801 for CVE-2017-16539",
"url": "https://bugzilla.suse.com/1066801"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.ppc64le",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.s390x",
"SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64",
"SUSE OpenStack Cloud 6:containerd-0.2.9+gitr706_06b9cb351610-16.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-17.09.1_ce-98.8.1.x86_64",
"SUSE OpenStack Cloud 6:docker-libnetwork-0.7.0.1+gitr2066_7b2b1feb1de4-10.1.x86_64",
"SUSE OpenStack Cloud 6:docker-runc-1.0.0rc4+gitr3338_3f2f8b84a77f-1.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-02-07T14:22:48Z",
"details": "moderate"
}
],
"title": "CVE-2017-16539"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…