Detections
Analytics

openSUSE Security Update : docker (openSUSE-2015-792)

high Nessus Plugin ID 87017

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

Docker was updated to version 1.9.0, bringing features and bugfixes (bnc#954812) :

 - Runtime :

 - `docker stats` now returns block IO metrics (#15005)

 - `docker stats` now details network stats per interface (#15786)

 - Add `ancestor=<image>` filter to `docker ps --filter` flag to filter containers based on their ancestor images (#14570)

 - Add `label=<somelabel>` filter to `docker ps --filter` to filter containers based on label (#16530)

 - Add `--kernel-memory` flag to `docker run` (#14006)

 - Add `--message` flag to `docker import` allowing to specify an optional message (#15711)

 - Add `--privileged` flag to `docker exec` (#14113)

 - Add `--stop-signal` flag to `docker run` allowing to replace the container process stopping signal (#15307)

 - Add a new `unless-stopped` restart policy (#15348)

 - Inspecting an image now returns tags (#13185)

 - Add container size information to `docker inspect` (#15796)

 - Add `RepoTags` and `RepoDigests` field to `/images/(name:.*)/json` (#17275)

 - Remove the deprecated `/container/ps` endpoint from the API (#15972)

 - Send and document correct HTTP codes for `/exec/<name>/start` (#16250)

 - Share shm and mqueue between containers sharing IPC namespace (#15862)

 - Event stream now shows OOM status when `--oom-kill-disable` is set (#16235)

 - Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted with `ro` option (#14965)

 - Improve `rmi` performance (#16890)

 - Do not update /etc/hosts for the default bridge network, except for links (#17325)

 - Fix conflict with duplicate container names (#17389)

 - Fix an issue with incorrect template execution in `docker inspect` (#17284)

 - DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271)

 - Client :

 - Allow `docker import` to import from local files (#11907)

 - Builder :

 - Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different stop-signal for the container process (#15307)

 - Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build` that allows to add build-time environment variables (#15182)

 - Improve cache miss performance (#16890)

 - Storage :

 - devicemapper: Implement deferred deletion capability (#16381)

 - Networking :

 - `docker network` exits experimental and is part of standard release (#16645)

 - New network top-level concept, with associated subcommands and API (#16645) WARNING: the API is different from the experimental API

 - Support for multiple isolated/micro-segmented networks (#16645)

 - Built-in multihost networking using VXLAN based overlay driver (#14071)

 - Support for third-party network plugins (#13424)

 - Ability to dynamically connect containers to multiple networks (#16645)

 - Support for user-defined IP address management via pluggable IPAM drivers (#16910)

 - Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229)

 - Add `--cluster-store-opt` for setting up TLS settings (#16644)

 - Add `--dns-opt` to the daemon (#16031)

 - DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`. Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect the networking settings of a container per network.

 - Volumes :

 - New top-level `volume` subcommand and API (#14242)

 - Move API volume driver settings to host-specific config (#15798)

 - Print an error message if volume name is not unique (#16009)

 - Ensure volumes created from Dockerfiles always use the local volume driver (#15507)

 - DEPRECATE auto-creating missing host paths for bind mounts (#16349)

 - Logging :

 - Add `awslogs` logging driver for Amazon CloudWatch (#15495)

 - Add generic `tag` log option to allow customizing container/image information passed to driver (e.g. show container names) (#15384)

 - Implement the `docker logs` endpoint for the journald driver (#13707)

 - DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384)

 - Distribution :

 - `docker search` now works with partial names (#16509)

 - Push optimization: avoid buffering to file (#15493)

 - The daemon will display progress for images that were already being pulled by another client (#15489)

 - Only permissions required for the current action being performed are requested (#)

 - Renaming trust keys (and respective environment variables) from `offline` to `root` and `tagging` to `repository` (#16894)

 - DEPRECATE trust key environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)

 - Security :

 - Add SELinux profiles to the rpm package (#15832)

 - Fix various issues with AppArmor profiles provided in the deb package (#14609)

 - Add AppArmor policy that prevents writing to /proc (#15571)

 - Change systemd unit file to no longer use the deprecated '-d' option (bnc#954737)

 - Also docker was updated to the 1.8.3 version that fixes security issues :

 - Fix layer IDs lead to local graph poisoning (CVE-2014-8178) (bnc#949660)

 - Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179)

 - Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry

Solution

Update the affected docker packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=949660

https://bugzilla.opensuse.org/show_bug.cgi?id=954737

https://bugzilla.opensuse.org/show_bug.cgi?id=954812

Plugin Details

Severity: High

ID: 87017

File Name: openSUSE-2015-792.nasl

Version: 1.5

Type: local

Agent: unix

Published: 11/24/2015

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:docker, p-cpe:/a:novell:opensuse:docker-bash-completion, p-cpe:/a:novell:opensuse:docker-debuginfo, p-cpe:/a:novell:opensuse:docker-debugsource, p-cpe:/a:novell:opensuse:docker-test, p-cpe:/a:novell:opensuse:docker-zsh-completion, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 11/14/2015

Vulnerability Publication Date: 12/17/2019

Reference Information

CVE: CVE-2014-8178, CVE-2014-8179