openSUSE Security Update : docker (openSUSE-2015-792)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Docker was updated to version 1.9.0, bringing features and bugfixes
(bnc#954812) :

- Runtime :

- `docker stats` now returns block IO metrics (#15005)

- `docker stats` now details network stats per interface
(#15786)

- Add `ancestor=<image>` filter to `docker ps --filter`
flag to filter containers based on their ancestor images
(#14570)

- Add `label=<somelabel>` filter to `docker ps --filter`
to filter containers based on label (#16530)

- Add `--kernel-memory` flag to `docker run` (#14006)

- Add `--message` flag to `docker import`, allowing an
optional message to be specified (#15711)

- Add `--privileged` flag to `docker exec` (#14113)

- Add `--stop-signal` flag to `docker run`, allowing the
signal used to stop the container process to be replaced (#15307)

- Add a new `unless-stopped` restart policy (#15348)

- Inspecting an image now returns tags (#13185)

- Add container size information to `docker inspect`
(#15796)

- Add `RepoTags` and `RepoDigests` field to
`/images/{name:.*}/json` (#17275)

- Remove the deprecated `/container/ps` endpoint from the
API (#15972)

- Send and document correct HTTP codes for
`/exec/<name>/start` (#16250)

- Share shm and mqueue between containers sharing IPC
namespace (#15862)

- Event stream now shows OOM status when
`--oom-kill-disable` is set (#16235)

- Ensure special network files (/etc/hosts etc.) are
read-only if bind-mounted with `ro` option (#14965)

- Improve `rmi` performance (#16890)

- Do not update /etc/hosts for the default bridge network,
except for links (#17325)

- Fix conflict with duplicate container names (#17389)

- Fix an issue with incorrect template execution in
`docker inspect` (#17284)

- DEPRECATE `-c` short flag variant for `--cpu-shares` in
docker run (#16271)

- Client :

- Allow `docker import` to import from local files
(#11907)

- Builder :

- Add a `STOPSIGNAL` Dockerfile instruction, allowing a
different stop signal to be set for the container process
(#15307)

- Add an `ARG` Dockerfile instruction and a `--build-arg`
flag to `docker build`, allowing build-time environment
variables to be passed to the build (#15182)

- Improve cache miss performance (#16890)

- Storage :

- devicemapper: Implement deferred deletion capability
(#16381)

- Networking :

- `docker network` exits experimental and is part of
standard release (#16645)

- New network top-level concept, with associated
subcommands and API (#16645) WARNING: the API is
different from the experimental API

- Support for multiple isolated/micro-segmented networks
(#16645)

- Built-in multihost networking using VXLAN based overlay
driver (#14071)

- Support for third-party network plugins (#13424)

- Ability to dynamically connect containers to multiple
networks (#16645)

- Support for user-defined IP address management via
pluggable IPAM drivers (#16910)

- Add daemon flags `--cluster-store` and
`--cluster-advertise` for built-in nodes discovery
(#16229)

- Add `--cluster-store-opt` for setting up TLS settings
(#16644)

- Add `--dns-opt` to the daemon (#16031)

- DEPRECATE following container `NetworkSettings` fields
in API v1.21: `EndpointID`, `Gateway`,
`GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`,
`IPPrefixLen`, `IPv6Gateway` and `MacAddress`. Those are
now specific to the `bridge` network. Use
`NetworkSettings.Networks` to inspect the networking
settings of a container per network.

- Volumes :

- New top-level `volume` subcommand and API (#14242)

- Move API volume driver settings to host-specific config
(#15798)

- Print an error message if volume name is not unique
(#16009)

- Ensure volumes created from Dockerfiles always use the
local volume driver (#15507)

- DEPRECATE auto-creating missing host paths for bind
mounts (#16349)

- Logging :

- Add `awslogs` logging driver for Amazon CloudWatch
(#15495)

- Add generic `tag` log option to allow customizing
container/image information passed to driver (e.g. show
container names) (#15384)

- Implement the `docker logs` endpoint for the journald
driver (#13707)

- DEPRECATE driver-specific log tags (e.g. `syslog-tag`,
etc.) (#15384)

- Distribution :

- `docker search` now works with partial names (#16509)

- Push optimization: avoid buffering to file (#15493)

- The daemon will display progress for images that were
already being pulled by another client (#15489)

- Only permissions required for the current action being
performed are requested (#)

- Renaming trust keys (and respective environment
variables) from `offline` to `root` and `tagging` to
`repository` (#16894)

- DEPRECATE trust key environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)

- Security :

- Add SELinux profiles to the rpm package (#15832)

- Fix various issues with AppArmor profiles provided in
the deb package (#14609)

- Add AppArmor policy that prevents writing to /proc
(#15571)

- Change systemd unit file to no longer use the deprecated
'-d' option (bnc#954737)

- Docker was also updated to version 1.8.3, which fixes
the following security issues :

- Fix an issue where layer IDs could be used for local
graph poisoning (CVE-2014-8178) (bnc#949660)

- Fix manifest validation and parsing logic errors that
allowed a pull-by-digest validation bypass (CVE-2014-8179)

- Add the `--disable-legacy-registry` daemon flag to
prevent a daemon from falling back to a v1 registry
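
The pull-by-digest bypass fixed in 1.8.3 is a useful reminder of what "pull by digest" must mean for any client: the digest has to be recomputed over the manifest bytes actually received and compared with the digest that was requested. Anything the registry merely asserts about the content is attacker-controlled. The following is an added illustration of that generic check, not Docker's own code and not a reconstruction of the specific bug; the response dicts, the manifest bodies and the `demo()` helper are constructed sample data for the example. `Docker-Content-Digest` is the registry v2 response header, used here only as the thing a weak client would trust.

```python
"""Pull-by-digest verification: hash the bytes you received, not what the server says.

Added illustration, not Docker's code. The HTTP responses and manifest bodies
below are constructed sample data; demo() exists only to show the contrast.
"""
import hashlib
import hmac
import re

# Accept only a canonical reference: the algorithm we support and 64 lowercase hex digits.
DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def parse_digest(digest):
    """Return the hex part of a well-formed 'sha256:<hex>' reference, else raise."""
    m = DIGEST_RE.match(digest)
    if m is None:
        raise ValueError("malformed or unsupported digest reference: %r" % (digest,))
    return m.group(1)


def digest_of(raw):
    """Content digest of a byte string in the 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def verify_weak(requested, response):
    """Anti-pattern: trust the digest the registry asserts in a response header."""
    return response["headers"].get("Docker-Content-Digest") == requested


def verify_strong(requested, response):
    """Hash the exact bytes received (no re-serialisation) and compare in constant time."""
    want = parse_digest(requested)
    got = hashlib.sha256(response["body"]).hexdigest()
    return hmac.compare_digest(want, got)


def pull_by_digest(requested, response):
    """Return the manifest bytes only if they match the digest the client asked for."""
    if not verify_strong(requested, response):
        raise ValueError("manifest digest mismatch for %s" % requested)
    return response["body"]


# Constructed sample data: a genuine manifest and a tampered copy served under the same digest.
GENUINE = b'{"schemaVersion": 1, "name": "library/busybox", "tag": "latest"}'
TAMPERED = b'{"schemaVersion": 1, "name": "evil/busybox", "tag": "latest"}'
REQUESTED = digest_of(GENUINE)

HONEST_RESPONSE = {"headers": {"Docker-Content-Digest": REQUESTED}, "body": GENUINE}
# A malicious or compromised registry can put whatever it likes in a header.
LYING_RESPONSE = {"headers": {"Docker-Content-Digest": REQUESTED}, "body": TAMPERED}


def demo():
    """Return (weak accepts the lie, strong accepts the lie, strong accepts honest data)."""
    return (
        verify_weak(REQUESTED, LYING_RESPONSE),
        verify_strong(REQUESTED, LYING_RESPONSE),
        verify_strong(REQUESTED, HONEST_RESPONSE),
    )


if __name__ == "__main__":
    print(demo())
```

The two points a practitioner should take from this: the comparison is against the digest the client requested, never against a value parsed out of the response, and the hash is taken over the raw body bytes, because re-serialising the JSON first changes what is being verified.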

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=949660
https://bugzilla.opensuse.org/show_bug.cgi?id=954737
https://bugzilla.opensuse.org/show_bug.cgi?id=954812

Solution :

Update the affected docker packages.
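
A local check like this plugin decides "missing update" by comparing the installed package's epoch:version-release against the fixed one using rpm's own ordering rules, not a string or float comparison (under which "1.10.0" would sort before "1.9.0"). The following is an added illustration of that comparison, not Tenable's plugin code. `rpmvercmp()` follows the segment rules of rpm's `rpmvercmp()` (digit runs compare numerically, alpha runs lexically, a numeric segment beats an alpha one, `~` sorts before everything); `FIXED_EVR = "1.9.0"` is an assumption taken from the advisory text, since the page does not list the exact openSUSE package release, and the inventory in `__main__` is constructed sample data in the form `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' docker` prints.

```python
"""RPM version comparison for a local 'is the fix installed?' check.

Added illustration, not Tenable's plugin code. FIXED_EVR and the sample
inventory are assumptions/constructed data for the example.
"""


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings the way rpm does."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as '.', '-' and '_' carry no meaning; only '~' does.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before everything, even the end of the string: 1.0~rc1 < 1.0.
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-alpha segment from each side.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        k, m = i, j
        while k < len(a) and pred(a[k]):
            k += 1
        while m < len(b) and pred(b[m]):
            m += 1
        seg_a, seg_b = a[i:k], b[j:m]
        i, j = k, m
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is the newer one.
    return 1 if i < len(a) else -1


def parse_evr(evr):
    """Split 'epoch:version-release'; rpm prints '(none)' for an unset epoch, which means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(x, y):
    """Epoch first, then version, then release; release is skipped if either side has none."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    c = rpmvercmp(ex, ey) or rpmvercmp(vx, vy)
    if c == 0 and rx and ry:
        c = rpmvercmp(rx, ry)
    return c


# Assumption: the advisory says docker moved to 1.9.0 but gives no package release string.
FIXED_EVR = "1.9.0"


def is_vulnerable(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed docker package is older than the fixed version."""
    return evr_cmp(installed_evr, fixed_evr) < 0


def check_hosts(inventory):
    """Map host -> verdict for a dict of host -> installed EVR string."""
    return {h: ("missing update" if is_vulnerable(evr) else "ok") for h, evr in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the epoch on ci-old shows why epoch must be honoured.
    sample = {
        "build01": "(none):1.8.2-3.1",
        "build02": "(none):1.9.0-5.1",
        "ci-old": "1:1.8.2-3.1",
    }
    for host, verdict in check_hosts(sample).items():
        print(host, verdict)
```

The epoch case is the one to remember: a distribution that has bumped the epoch on a package makes `1:1.8.2` compare as newer than `1.9.0`, so the fixed EVR used in a check must carry the same epoch the distribution's package uses, or the check will report "ok" for an old build.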

Risk factor :

Medium

Family: SuSE Local Security Checks

Nessus Plugin ID: 87017

CVE ID: CVE-2014-8178
CVE-2014-8179
