Red Hat Security Advisory 2016-1034-01 - Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Security Fix: It was found that Docker would launch containers under the specified UID instead of a username. An attacker able to launch a container could use this flaw to escalate their privileges to root within the launched container.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: docker security, bug fix, and enhancement update
Advisory ID: RHSA-2016:1034-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1034.html
Issue date: 2016-05-12
CVE Names: CVE-2016-3697
=====================================================================
1. Summary:
An update for docker is now available for Red Hat Enterprise Linux 7
Extras.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux 7 Extras - x86_64
3. Description:
Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will
run virtually anywhere.
Security Fix(es):
* It was found that Docker would launch containers under the specified UID
instead of a username. An attacker able to launch a container could use
this flaw to escalate their privileges to root within the launched
container. (CVE-2016-3697)
This issue was discovered by Mrunal Patel (Red Hat).
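The following is an added example, not Red Hat's or Docker's code, showing the kind of defensive check a practitioner would run against a container image's /etc/passwd for the username/UID confusion described above. It assumes, following the public CVE-2016-3697 description, that the confusion arises when a passwd login name is itself an all-digits string that differs from the entry's real UID, so a numeric user spec resolves differently depending on whether it is matched as a name or as a UID; the sample passwd rows are constructed, and the default-GID fallback for an unknown UID is an assumption.

```python
import re

NUMERIC = re.compile(r"^[0-9]+$")

# Constructed sample /etc/passwd (not taken from any real image). The last row
# is the confusable case: a login name that is all digits but maps to UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
app:x:1000:1000:app:/home/app:/bin/sh
1000:x:0:0:looks-like-a-uid:/root:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, gid) tuples, skipping blank, comment and malformed rows."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 4 or not NUMERIC.match(f[2]) or not NUMERIC.match(f[3]):
            continue
        entries.append((f[0], int(f[2]), int(f[3])))
    return entries


def confusable_entries(entries):
    """Rows whose login name is all digits and differs from the row's UID.
    A numeric user spec can then land on a different account depending on
    whether the runtime matches it as a name or as a UID."""
    return [e for e in entries if NUMERIC.match(e[0]) and int(e[0]) != e[1]]


def resolve_name_first(spec, entries, default_gid=0):
    """Ambiguous order: try the spec as a login name before treating it as a UID."""
    for name, uid, gid in entries:
        if name == spec:
            return uid, gid
    return resolve_uid_first(spec, entries, default_gid)


def resolve_uid_first(spec, entries, default_gid=0):
    """Hardened order: an all-digits spec is always a UID, never a login name.
    Assumption: a UID with no passwd row keeps the caller's default GID."""
    if NUMERIC.match(spec):
        uid = int(spec)
        return next(((u, g) for _, u, g in entries if u == uid), (uid, default_gid))
    for name, uid, gid in entries:
        if name == spec:
            return uid, gid
    raise LookupError("unknown user %r" % spec)
```

Running confusable_entries over each image layer's passwd file before deployment flags the ambiguous rows; the two resolvers show why the lookup order matters for the same spec "1000".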
Bug Fix(es):
* The process of pulling an image spawns a new "goroutine" for each layer
in the image manifest. If any of these downloads fails, everything stops and
an error is returned, even though the other goroutines are still running and
writing output through a progress reader attached to an HTTP response
writer. Because the request handler had already returned on the first error,
the HTTP server panicked when one of these download goroutines wrote to the
response writer buffer. This bug has been fixed, and docker no longer panics
when pulling an image. (BZ#1264562)
* Previously, in certain situations, a container rootfs remained busy
during container removal. This typically happened if a container mount
point leaked into another mount namespace. As a consequence, container
removal failed. To fix this bug, a new docker daemon option
"dm.use_deferred_deletion" has been provided. If set to true, this option
will defer the container rootfs deletion. The user will see success on
container removal but the actual thin device backing the rootfs will be
deleted later when it is not busy anymore. (BZ#1190492)
* Previously, the Docker unit file had the "Restart" option set to
"on-failure". Consequently, the docker daemon was forced to restart even in
cases where it couldn't be started because of configuration or other issues
and this situation forced unnecessary restarts of the docker-storage-setup
service in a loop. This also caused real error messages to be lost due to
so many restarts. To fix this bug, "Restart=on-failure" has been replaced
with "Restart=on-abnormal" in the docker unit file. As a result, the docker
daemon will not automatically restart if it fails with an unclean exit
code. (BZ#1319783)
* Previously, the request body was incorrectly read twice by the docker
daemon and consequently, an EOF error was returned. To fix this bug, the
code which incorrectly read the request body the first time has been
removed. As a result, the EOF error is no longer returned and the body is
correctly read when really needed. (BZ#1329743)
Enhancement(s):
* The /usr/bin/docker script now calls /usr/bin/docker-current or
/usr/bin/docker-latest based on the value of the sysconfig variable
DOCKERBINARY present in /etc/sysconfig/docker. /usr/bin/docker and
/etc/sysconfig/docker provided by the docker-common package allow the admin
to configure which docker client binary gets called. /usr/bin/docker will
call /usr/bin/docker-latest by default when docker is not installed. If
docker is installed, /usr/bin/docker will call /usr/bin/docker-current by
default, unless DOCKERBINARY is set to /usr/bin/docker-latest in
/etc/sysconfig/docker. This way, you can use docker-latest or docker
without the need to check which version of the daemon is currently running.
(BZ#1328219)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1186066 - The docker stop operation doesn't work with --pid=host containers containing multiple processes
1261565 - docker-storage-setup service fails after initial successful run if DEVS is defined in /etc/sysconfig/docker-storage-setup
1266307 - Capture information about the remote user connecting over socket in /run/docker
1268059 - docker exec setting the wrong cgroups
1272143 - Can't start containers that use supplemental groups but lack /etc/groups
1303110 - [extras-rhel-7.2.4] Docker does not own /usr/lib/docker-storage-setup
1309739 - docker push fails when pushing image to docker hub
1316651 - Docker run read-only: System error: read-only file system
1319783 - [docker] Use Restart=on-abnormal instead of Restart=on-failure
1322762 - sha256 Conflict while pull images after upgrade
1328219 - [extras-rhel-7.2.4] include docker-common subpackage in 'docker' to handle /usr/bin/docker for docker and docker-latest
1329423 - Skip /dev setup in container when it is bind mounted in
1329450 - CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs
1329743 - Unable to push images to private registry using docker-1.9.1-25 and python-docker-py-1.7.2-1
1330595 - /usr/bin/docker wrapper script: $@ must be quoted
1330622 - enhance condition judgement in /usr/bin/docker script
1331007 - SELinux regression in docker-selinux-1.9.1-37
1332592 - Incomplete requirement on docker-common
6. Package List:
Red Hat Enterprise Linux 7 Extras:
Source:
docker-1.9.1-40.el7.src.rpm
x86_64:
docker-1.9.1-40.el7.x86_64.rpm
docker-common-1.9.1-40.el7.x86_64.rpm
docker-forward-journald-1.9.1-40.el7.x86_64.rpm
docker-logrotate-1.9.1-40.el7.x86_64.rpm
docker-selinux-1.9.1-40.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-3697
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce