Compatible Support Forums

[RHSA-2016:1034-01] Moderate: docker security, bug fix, and enhancement update
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: docker security, bug fix, and enhancement update

Advisory ID: RHSA-2016:1034-01

Product: Red Hat Enterprise Linux Extras

Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1034.html

Issue date: 2016-05-12

CVE Names: CVE-2016-3697

=====================================================================

 

1. Summary:

 

An update for docker is now available for Red Hat Enterprise Linux 7

Extras.

 

Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux 7 Extras - x86_64

 

3. Description:

 

Docker is an open-source engine that automates the deployment of any

application as a lightweight, portable, self-sufficient container that will

run virtually anywhere.

 

Security Fix(es):

 

* It was found that Docker's user lookup (libcontainer) resolved the user
given for a container against the names in the container's /etc/passwd as
well as against UIDs, so a numeric value such as 1000 could match a passwd
entry that is merely named "1000" instead of being treated strictly as a
UID. Because that file comes from the image, an attacker able to launch a
container could use this flaw to escalate their privileges to root within
the launched container. (CVE-2016-3697)

 

This issue was discovered by Mrunal Patel (Red Hat).
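The lookup at the heart of this flaw, as an added example written for this page rather than code taken from Docker or runc: a small Go model of how the --user value was resolved against the container's /etc/passwd before the fix (name or UID, first matching line wins) and after it (a numeric value is only ever a UID). The passwd content, the function names and the UIDs are constructed for the illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// passwdEntry is one line of the /etc/passwd shipped inside the image.
type passwdEntry struct {
	Name string
	UID  int
	GID  int
}

// parsePasswd parses passwd-format text (name:pw:uid:gid:gecos:home:shell).
// Malformed lines are skipped: the image, and so this file, is untrusted.
func parsePasswd(text string) []passwdEntry {
	var out []passwdEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 4 {
			continue
		}
		uid, err1 := strconv.Atoi(f[2])
		gid, err2 := strconv.Atoi(f[3])
		if err1 != nil || err2 != nil {
			continue
		}
		out = append(out, passwdEntry{Name: f[0], UID: uid, GID: gid})
	}
	return out
}

// resolveVulnerable models the pre-fix lookup: the spec is compared with
// both the name and the UID of every entry and the first match wins, so a
// passwd line whose *name* is "1000" hijacks `--user 1000`.
func resolveVulnerable(spec string, entries []passwdEntry) (int, error) {
	for _, e := range entries {
		if e.Name == spec || strconv.Itoa(e.UID) == spec {
			return e.UID, nil
		}
	}
	if uid, err := strconv.Atoi(spec); err == nil {
		return uid, nil // no passwd entry at all: use the number as given
	}
	return 0, errors.New("unable to find user " + spec)
}

// resolveFixed models the fix: a numeric spec is always a UID and is never
// compared with usernames, so the attacker's entry cannot redirect it.
// (The real code also takes the primary group from the matched entry;
// this model returns the UID only.)
func resolveFixed(spec string, entries []passwdEntry) (int, error) {
	if uid, err := strconv.Atoi(spec); err == nil {
		for _, e := range entries {
			if e.UID == uid {
				return e.UID, nil
			}
		}
		return uid, nil // no entry: still run as that UID, never as someone else
	}
	for _, e := range entries {
		if e.Name == spec {
			return e.UID, nil
		}
	}
	return 0, errors.New("unable to find user " + spec)
}

// maliciousPasswd is a constructed image /etc/passwd: the attacker added a
// user literally named "1000" with UID 0, ahead of the real application user.
const maliciousPasswd = `root:x:0:0:root:/root:/bin/bash
1000:x:0:0:looks like a uid:/root:/bin/bash
app:x:1000:1000:app user:/home/app:/bin/sh
`

func main() {
	entries := parsePasswd(maliciousPasswd)
	for _, spec := range []string{"1000", "app", "4242"} {
		v, _ := resolveVulnerable(spec, entries)
		f, _ := resolveFixed(spec, entries)
		fmt.Printf("--user %-5s vulnerable=%d fixed=%d\n", spec, v, f)
	}
}
```

Running it shows `--user 1000` landing on UID 0 with the old rule and on UID 1000 with the new one; the operator's intent (a non-root UID) is honoured only when a numeric value is never allowed to act as a name.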

 

Bug Fix(es):

 

* The process of pulling an image spawns a new "goroutine" for each layer
in the image manifest. If any of these downloads fails, everything stops and
an error is returned, even though the other goroutines are still running and
writing output through a progress reader attached to an HTTP response
writer. Since the request handler had already returned after the first
error, the HTTP server panics when one of these download goroutines writes
to the response writer buffer. This bug has been fixed, and docker no longer
panics when pulling an image. (BZ#1264562)
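The failure mode described above, reproduced as an added Go example that is not Docker's own pull code: a stand-in for the HTTP response writer that is reclaimed once the handler returns, a pull that returns on the first error and leaves its goroutines writing, and the corrected pull that cancels the rest and waits for them. The layer digests, the release channel standing in for the network, and all names are constructed for the illustration; where the real server panics, this writer only counts the late write so the two behaviours can be compared.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// responseWriter stands in for the http.ResponseWriter the progress reader
// writes to. net/http reclaims the real one when the handler returns and
// panics on any later write; this stand-in only counts such writes.
type responseWriter struct {
	mu     sync.Mutex
	closed bool
	late   int
}

func (w *responseWriter) Write(progress string) {
	w.mu.Lock()
	defer w.mu.Unlock()
	if w.closed {
		w.late++ // the real server would panic here
	}
}

func (w *responseWriter) Close() { w.mu.Lock(); w.closed = true; w.mu.Unlock() }

func (w *responseWriter) LateWrites() int { w.mu.Lock(); defer w.mu.Unlock(); return w.late }

// layer is a simulated manifest entry (digests constructed). A failing layer
// errors out at once; the others block on release, which stands in for the
// network, and then report progress through the writer.
type layer struct {
	digest string
	fail   bool
}

func download(ctx context.Context, l layer, release <-chan struct{}, w *responseWriter) error {
	if l.fail {
		return fmt.Errorf("layer %s: download failed", l.digest)
	}
	select {
	case <-ctx.Done():
		return ctx.Err() // cancelled: leave without touching the writer
	case <-release:
	}
	w.Write("pulled " + l.digest)
	return nil
}

// pullBuggy returns on the first error without stopping or waiting for the
// other goroutines; wg only lets the caller observe them finishing later.
func pullBuggy(layers []layer, release <-chan struct{}, w *responseWriter, wg *sync.WaitGroup) error {
	errs := make(chan error, len(layers))
	for _, l := range layers {
		wg.Add(1)
		go func(l layer) {
			defer wg.Done()
			errs <- download(context.Background(), l, release, w)
		}(l)
	}
	return <-errs
}

// pullFixed cancels the remaining downloads on the first error and waits for
// every goroutine before returning, so none can write afterwards.
func pullFixed(layers []layer, release <-chan struct{}, w *responseWriter) error {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	errs := make(chan error, len(layers))
	var wg sync.WaitGroup
	for _, l := range layers {
		wg.Add(1)
		go func(l layer) {
			defer wg.Done()
			err := download(ctx, l, release, w)
			if err != nil && !errors.Is(err, context.Canceled) {
				errs <- err
				cancel()
			}
		}(l)
	}
	wg.Wait()
	close(errs)
	return <-errs // nil when no layer failed
}

// scenario pulls three layers of which the second fails, then does what the
// server does once the handler has returned (reclaims the writer), and only
// then lets the simulated network complete the remaining downloads.
func scenario(fixed bool) (int, error) {
	layers := []layer{{"sha256:aaa", false}, {"sha256:bbb", true}, {"sha256:ccc", false}}
	release := make(chan struct{})
	w := &responseWriter{}
	var stragglers sync.WaitGroup
	var err error
	if fixed {
		err = pullFixed(layers, release, w)
	} else {
		err = pullBuggy(layers, release, w, &stragglers)
	}
	w.Close()
	close(release)
	stragglers.Wait()
	return w.LateWrites(), err
}

func main() {
	for _, fixed := range []bool{false, true} {
		late, err := scenario(fixed)
		fmt.Printf("fixed=%-5v err=%v writes after return=%d\n", fixed, err, late)
	}
}
```

The buggy pull reports the error with two downloads still alive, and both of them write after the handler has returned; the fixed pull reports the same error with zero late writes, because returning to the server only after every goroutine has exited is what makes the early-return path safe.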

 

* Previously, in certain situations, a container rootfs remained busy
during container removal. This typically happened when a container mount
point leaked into another mount namespace. As a consequence, container
removal failed. To fix this bug, a new docker daemon storage option
"dm.use_deferred_deletion" has been provided (passed to the daemon as
--storage-opt dm.use_deferred_deletion=true). If set to true, deletion of
the container rootfs is deferred: the user sees success on container
removal, but the thin device backing the rootfs is actually deleted later,
once it is no longer busy. (BZ#1190492)

 

* Previously, the Docker unit file had the "Restart" option set to
"on-failure". Consequently, systemd restarted the docker daemon even when it
could not start because of configuration or other issues, and each restart
also restarted the docker-storage-setup service, in a loop. The real error
messages were lost among the many restarts. To fix this bug,
"Restart=on-failure" has been replaced with "Restart=on-abnormal" in the
docker unit file. As a result, the docker daemon is still restarted after an
unclean signal, a timeout or a watchdog event, but not when it exits with an
unclean exit code. (BZ#1319783)

 

* Previously, the request body was incorrectly read twice by the docker
daemon. A request body is a one-shot stream, so the second read found it
already drained and an EOF error was returned. To fix this bug, the code
which incorrectly read the request body the first time has been removed. As
a result, the EOF error is no longer returned and the body is read once,
when it is really needed. (BZ#1329743)
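The double read described above, as an added Go example that is not Docker's own handler code: a handler that decodes the request body twice and gets io.EOF the second time, the fix of reading it exactly once, and, for the case where two consumers genuinely need the body, reading it once into memory under a size cap and decoding from the buffered copy. The JSON document, the struct and the function names are constructed for the illustration; an io.Reader stands in for the request body so it runs without a server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// pushConfig is a stand-in for the JSON document a client sends with a request.
type pushConfig struct {
	Tag   string `json:"tag"`
	Force bool   `json:"force"`
}

// handleBuggy models the defect: the body is consumed once up front (here to
// peek at the document) and then decoded again by the real handler. The body
// is a one-shot stream, so the second decode sees io.EOF.
func handleBuggy(body io.Reader) (pushConfig, error) {
	var peek pushConfig
	_ = json.NewDecoder(body).Decode(&peek) // first read drains the stream
	var cfg pushConfig
	if err := json.NewDecoder(body).Decode(&cfg); err != nil {
		return pushConfig{}, err // io.EOF: nothing is left to read
	}
	return cfg, nil
}

// handleFixed reads the body exactly once, where it is really needed.
func handleFixed(body io.Reader) (pushConfig, error) {
	var cfg pushConfig
	if err := json.NewDecoder(body).Decode(&cfg); err != nil {
		return pushConfig{}, err
	}
	return cfg, nil
}

// handleBuffered is the alternative when two consumers genuinely need the
// body: read it once into memory, capped because the client controls the
// length, then give each consumer its own reader over the same bytes.
func handleBuffered(body io.Reader, limit int64) (pushConfig, error) {
	raw, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return pushConfig{}, err
	}
	if int64(len(raw)) > limit {
		return pushConfig{}, errors.New("request body too large")
	}
	var peek pushConfig
	_ = json.NewDecoder(bytes.NewReader(raw)).Decode(&peek)
	var cfg pushConfig
	if err := json.NewDecoder(bytes.NewReader(raw)).Decode(&cfg); err != nil {
		return pushConfig{}, err
	}
	return cfg, nil
}

// sampleBody is a constructed request body.
const sampleBody = `{"tag":"v1.2.3","force":false}`

func main() {
	_, err := handleBuggy(strings.NewReader(sampleBody))
	fmt.Println("buggy:   ", err)
	cfg, err := handleFixed(strings.NewReader(sampleBody))
	fmt.Println("fixed:   ", cfg, err)
	cfg, err = handleBuffered(strings.NewReader(sampleBody), 1<<20)
	fmt.Println("buffered:", cfg, err)
}
```

The size cap in handleBuffered matters whenever a body is copied into memory: without it, a client that can reach the daemon socket can make the daemon allocate as much as it likes before any decoding happens.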

 

Enhancement(s):

 

* The /usr/bin/docker script now calls /usr/bin/docker-current or
/usr/bin/docker-latest based on the value of the sysconfig variable
DOCKERBINARY in /etc/sysconfig/docker. /usr/bin/docker and
/etc/sysconfig/docker are provided by the docker-common package and let the
admin configure which docker client binary gets called. When the docker
package is not installed, /usr/bin/docker calls /usr/bin/docker-latest by
default. When the docker package is installed, /usr/bin/docker calls
/usr/bin/docker-current by default, unless DOCKERBINARY is set to
/usr/bin/docker-latest in /etc/sysconfig/docker. This way, you can use
docker-latest or docker without having to check which version of the daemon
is currently running. (BZ#1328219)

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1186066 - The docker stop operation doesn't work with --pid=host containers containing multiple processes

1261565 - docker-storage-setup service fails after initial successful run if DEVS is defined in /etc/sysconfig/docker-storage-setup

1266307 - Capture information about the remote user connecting over socket in /run/docker

1268059 - docker exec setting the wrong cgroups

1272143 - Can't start containers that use supplemental groups but lack /etc/groups

1303110 - [extras-rhel-7.2.4] Docker does not own /usr/lib/docker-storage-setup

1309739 - docker push fails when pushing image to docker hub

1316651 - Docker run read-only: System error: read-only file system

1319783 - [docker] Use Restart=on-abnormal instead of Restart=on-failure

1322762 - sha256 Conflict while pull images after upgrade

1328219 - [extras-rhel-7.2.4] include docker-common subpackage in 'docker' to handle /usr/bin/docker for docker and docker-latest

1329423 - Skip /dev setup in container when it is bind mounted in

1329450 - CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs

1329743 - Unable to push images to private registry using docker-1.9.1-25 and python-docker-py-1.7.2-1

1330595 - /usr/bin/docker wrapper script: $@ must be quoted

1330622 - enhance condition judgement in /usr/bin/docker script

1331007 - SELinux regression in docker-selinux-1.9.1-37

1332592 - Incomplete requirement on docker-common

 

6. Package List:

 

Red Hat Enterprise Linux 7 Extras:

 

Source:

docker-1.9.1-40.el7.src.rpm

 

x86_64:

docker-1.9.1-40.el7.x86_64.rpm

docker-common-1.9.1-40.el7.x86_64.rpm

docker-forward-journald-1.9.1-40.el7.x86_64.rpm

docker-logrotate-1.9.1-40.el7.x86_64.rpm

docker-selinux-1.9.1-40.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-3697

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFXNNmjXlSAg2UNWIIRAiykAJsFs/yFnQFjyl2Yy/SEvNqQEkMkAQCfaZQg

27AS5B9QUiqNaHl08y1kvTs=

=GZkL

-----END PGP SIGNATURE-----

 

 
