Issued:
2020-03-31
Updated:
2020-03-31

RHSA-2020:1234 - Security Advisory

Synopsis

Moderate: docker security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for docker is now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.

Security Fix(es):

  • runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884)
  • proglottis/gpgme: Use-after-free in GPGME bindings during container image pull (CVE-2020-8945)
  • containers/image: Container images read entire image manifest into memory (CVE-2020-1702)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Whitelist statx(2) in docker (BZ#1784228)
  • Upgrading docker resulting into increase Systemd logs (BZ#1791870)
  • docker should be linked against gpgme-pthread (BZ#1792243)
  • docker cannot be updated to 108 on rhos13 as a container fails to start with "pivot_root invalid argument" error. (BZ#1795376)
  • OVS pods are unable to stop when running under docker version 1.13.1-108 (BZ#1796451)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 1757214 - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
  • BZ - 1784228 - Whitelist statx(2) in docker
  • BZ - 1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
  • BZ - 1795376 - docker cannot be updated to 108 on rhos13 as a container fails to start with "pivot_root invalid argument" error.
  • BZ - 1795838 - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
  • BZ - 1796451 - OVS pods are unable to stop when running under docker version 1.13.1-108

Red Hat Enterprise Linux Server 7

SRPM
docker-1.13.1-161.git64e9980.el7_8.src.rpm SHA-256: 47a1cc1aa45f245e8b68e7c8f0a6ce3b75d8c86827dc547f5a7f162ba20e267d
x86_64
docker-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: d9139486feeb6eace8e8ea6d027a6ae7cca70bcf3e72e67aa679a2acec8cd2a8
docker-client-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: 28a90104f2a56902ec0732f3e11a17302b2ef70a746e461df52d79f497fc2c02
docker-common-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: c85c5b896a55d8f3a6baf70927d679e55f12b333c08445b64ae6331afe9ec9b3
docker-debuginfo-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: ba0d997c78344fc8d244e8dfee85a7c8cfeab636f846e4e97b42c2d75294575e
docker-logrotate-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: a85538a3822c983cd95e948d9e597231c9a56885a186ffea69397cbdfed39d3a
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: c3ed1898e0eb9406a6e7be301f65bf53bce6d11f9102f34895a3bafdfafc1c51
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: cbe84348ad6f2c362aeb5483118cd861bf4e040c80b3bc623584dd9b9456158c
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: 36c63264bba63b5443a76cefcb54debea2d0d9b3e1003d8ad89bcf1015a69bbc
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.x86_64.rpm SHA-256: def1bc9fc1a23a3629ef8ebc30c16e883947a9ee2e4f6d04f95777341691445c

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
docker-1.13.1-161.git64e9980.el7_8.src.rpm SHA-256: 47a1cc1aa45f245e8b68e7c8f0a6ce3b75d8c86827dc547f5a7f162ba20e267d
s390x
docker-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: d29fb8c324ad2c5dd25f857cc8ff2fbea64a1132f458f1d4fff9f282537c695d
docker-client-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: de66cd97ea014db147387178100782baafc1ef0c7f616ae02914264805be71c2
docker-common-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: c5348ef97a00dd962140986bf7e127681c4faa76949213882be7b22931b444ee
docker-debuginfo-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: 69dac7b4a9e7ecfd31a7b8c51a416a4a5fe06a3c86e69645c68c0a78c9e21b2d
docker-logrotate-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: 4acf5112bf9fdcd2a09c26f5b3d59262300880f684214bf8a126b11ce47c36bc
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: c9fcd310cec0d9ca1639c3321ae37366ab0aa2b98b3b5c08c1cf5c1cd1c7907b
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: 5e5fee3a0bc78f51949ce0ee2ff42f2bc48f697722bc1010bb4d7426b46a3f11
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: f3785042334401527011fd052f8c5b5a0cb23246d5f7472d8d22101e17471f73
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.s390x.rpm SHA-256: ff84dd654069afa7275531b22bfa2c1fcc55029663467c4a8c9ad197ab9a3d7d

Red Hat Enterprise Linux for Power, little endian 7

SRPM
docker-1.13.1-161.git64e9980.el7_8.src.rpm SHA-256: 47a1cc1aa45f245e8b68e7c8f0a6ce3b75d8c86827dc547f5a7f162ba20e267d
ppc64le
docker-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 9df14cf2410aba2a932d2f4d6a0a09b5705982947cbf566ccc6e3e4aa889408b
docker-client-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 8e8ed0a41847c6ac3c24abe8c931eaf5798949950aaccac8feb8aca7c60139bb
docker-common-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 580586a6c5ecc14669602f702663ab4c379e2e2835a7e55b47c8a01acb0021d0
docker-debuginfo-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 133e9f85b91710de915228397566de9bdca4b2c01bbe8557f356b95cf93f6138
docker-logrotate-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: d22f73f20af275f6fa830c252fff6b610d2a673b3bbe50263c9cf44bdd740d36
docker-lvm-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 661d68fb902157e755dd0fb3688f559b14695dee2dd86ef9cc32a36a732835d2
docker-novolume-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: b3194306c1b1c2b1f096ce30ddbe491e6f71df9aebaab6fc727a22d81a064f43
docker-rhel-push-plugin-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: a9da987fb77cd7d66b5fe88f0f1898135ac1c4481bc8f1b4f27786ff3adb513a
docker-v1.10-migrator-1.13.1-161.git64e9980.el7_8.ppc64le.rpm SHA-256: 253b4e4d33ead235ec5ee2445a1a0e415da03b74240ec6bc5ed5ceb432a86822

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.