openSUSE Security Update : docker (openSUSE-2015-792)

Medium Nessus Plugin ID 87017


The remote openSUSE host is missing a security update.


Docker was updated to version 1.9.0, bringing features and bugfixes (bnc#954812) :

- Runtime :

- `docker stats` now returns block IO metrics (#15005)

- `docker stats` now details network stats per interface (#15786)

- Add `ancestor=<image>` filter to `docker ps --filter` flag to filter containers based on their ancestor images (#14570)

- Add `label=<somelabel>` filter to `docker ps --filter` to filter containers based on label (#16530)

- Add `--kernel-memory` flag to `docker run` (#14006)

- Add `--message` flag to `docker import` allowing to specify an optional message (#15711)

- Add `--privileged` flag to `docker exec` (#14113)

- Add `--stop-signal` flag to `docker run` allowing to replace the container process stopping signal (#15307)

- Add a new `unless-stopped` restart policy (#15348)

- Inspecting an image now returns tags (#13185)

- Add container size information to `docker inspect` (#15796)

- Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json` (#17275)

- Remove the deprecated `/container/ps` endpoint from the API (#15972)

- Send and document correct HTTP codes for `/exec/<name>/start` (#16250)

- Share shm and mqueue between containers sharing IPC namespace (#15862)

- Event stream now shows OOM status when `--oom-kill-disable` is set (#16235)

- Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted with `ro` option (#14965)

- Improve `rmi` performance (#16890)

- Do not update /etc/hosts for the default bridge network, except for links (#17325)

- Fix conflict with duplicate container names (#17389)

- Fix an issue with incorrect template execution in `docker inspect` (#17284)

- DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271)

- Client :

- Allow `docker import` to import from local files (#11907)

- Builder :

- Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different stop-signal for the container process (#15307)

- Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build` that allows to add build-time environment variables (#15182)

- Improve cache miss performance (#16890)

- Storage :

- devicemapper: Implement deferred deletion capability (#16381)

- Networking :

- `docker network` exits experimental and is part of standard release (#16645)

- New network top-level concept, with associated subcommands and API (#16645) WARNING: the API is different from the experimental API

- Support for multiple isolated/micro-segmented networks (#16645)

- Built-in multihost networking using VXLAN based overlay driver (#14071)

- Support for third-party network plugins (#13424)

- Ability to dynamically connect containers to multiple networks (#16645)

- Support for user-defined IP address management via pluggable IPAM drivers (#16910)

- Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229)

- Add `--cluster-store-opt` for setting up TLS settings (#16644)

- Add `--dns-opt` to the daemon (#16031)

- DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`. Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect the networking settings of a container per network.

- Volumes :

- New top-level `volume` subcommand and API (#14242)

- Move API volume driver settings to host-specific config (#15798)

- Print an error message if volume name is not unique (#16009)

- Ensure volumes created from Dockerfiles always use the local volume driver (#15507)

- DEPRECATE auto-creating missing host paths for bind mounts (#16349)

- Logging :

- Add `awslogs` logging driver for Amazon CloudWatch (#15495)

- Add generic `tag` log option to allow customizing container/image information passed to driver (e.g. show container names) (#15384)

- Implement the `docker logs` endpoint for the journald driver (#13707)

- DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384)

- Distribution :

- `docker search` now works with partial names (#16509)

- Push optimization: avoid buffering to file (#15493)

- The daemon will display progress for images that were already being pulled by another client (#15489)

- Only permissions required for the current action being performed are requested (#)

- Renaming trust keys (and respective environment variables) from `offline` to `root` and `tagging` to `repository` (#16894)


- Security :

- Add SELinux profiles to the rpm package (#15832)

- Fix various issues with AppArmor profiles provided in the deb package (#14609)

- Add AppArmor policy that prevents writing to /proc (#15571)

- Change systemd unit file to no longer use the deprecated '-d' option (bnc#954737)

- Also docker was updated to the 1.8.3 version that fixes security issues :

- Fix layer IDs lead to local graph poisoning (CVE-2014-8178) (bnc#949660)

- Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179)

- Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry


Update the affected docker packages.

See Also

Plugin Details

Severity: Medium

ID: 87017

File Name: openSUSE-2015-792.nasl

Version: $Revision: 1.1 $

Type: local

Agent: unix

Published: 2015/11/24

Modified: 2015/11/24

Dependencies: 12634

Risk Information

Risk Factor: Medium

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:docker, p-cpe:/a:novell:opensuse:docker-bash-completion, p-cpe:/a:novell:opensuse:docker-debuginfo, p-cpe:/a:novell:opensuse:docker-debugsource, p-cpe:/a:novell:opensuse:docker-test, p-cpe:/a:novell:opensuse:docker-zsh-completion, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2015/11/14

Reference Information

CVE: CVE-2014-8178, CVE-2014-8179