Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:0984-1 Final 1 1 2015-05-19T18:41:00Z current 2015-05-19T18:41:00Z 2015-05-19T18:41:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker The Linux container runtime environment Docker was updated to version 1.6.2 to fix several security and non-security issues. - Security: - Fix read/write /proc paths. (CVE-2015-3630) - Prohibit VOLUME /proc and VOLUME /. (CVE-2015-3631) - Fix opening of file-descriptor 1. (CVE-2015-3627) - Fix symlink traversal on container respawn allowing local privilege escalation. (CVE-2015-3629) - Runtime: - Update Apparmor policy to not allow mounts. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SERVER-12-2015-230 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20150984-1/ Link for SUSE-SU-2015:0984-1 https://lists.suse.com/pipermail/sle-security-updates/2015-June/001419.html E-Mail link for SUSE-SU-2015:0984-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/931301 SUSE Bug 931301 https://www.suse.com/security/cve/CVE-2015-3627/ SUSE CVE CVE-2015-3627 page https://www.suse.com/security/cve/CVE-2015-3629/ SUSE CVE CVE-2015-3629 page https://www.suse.com/security/cve/CVE-2015-3630/ SUSE CVE CVE-2015-3630 page https://www.suse.com/security/cve/CVE-2015-3631/ SUSE CVE CVE-2015-3631 page SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 docker-1.6.2-31.2 docker-1.6.2-31.2 as a component of SUSE Linux Enterprise Server 12 docker-1.6.2-31.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. CVE-2015-3627 SUSE Linux Enterprise Server 12:docker-1.6.2-31.2 SUSE Linux Enterprise Server for SAP Applications 12:docker-1.6.2-31.2 moderate 3.2 AV:L/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150984-1/ https://www.suse.com/security/cve/CVE-2015-3627.html CVE-2015-3627 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container. CVE-2015-3629 SUSE Linux Enterprise Server 12:docker-1.6.2-31.2 SUSE Linux Enterprise Server for SAP Applications 12:docker-1.6.2-31.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150984-1/ https://www.suse.com/security/cve/CVE-2015-3629.html CVE-2015-3629 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. CVE-2015-3630 SUSE Linux Enterprise Server 12:docker-1.6.2-31.2 SUSE Linux Enterprise Server for SAP Applications 12:docker-1.6.2-31.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150984-1/ https://www.suse.com/security/cve/CVE-2015-3630.html CVE-2015-3630 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc. CVE-2015-3631 SUSE Linux Enterprise Server 12:docker-1.6.2-31.2 SUSE Linux Enterprise Server for SAP Applications 12:docker-1.6.2-31.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150984-1/ https://www.suse.com/security/cve/CVE-2015-3631.html CVE-2015-3631 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060