Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0278-1 Final 1 1 2021-02-12T00:12:41Z current 2021-02-12T00:12:41Z 2021-02-12T00:12:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-278 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/ E-Mail link for openSUSE-SU-2021:0278-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174075 SUSE Bug 1174075 https://bugzilla.suse.com/1176708 SUSE Bug 1176708 https://bugzilla.suse.com/1178801 SUSE Bug 1178801 https://bugzilla.suse.com/1178969 SUSE Bug 1178969 https://bugzilla.suse.com/1180243 SUSE Bug 1180243 https://bugzilla.suse.com/1180401 SUSE Bug 1180401 https://bugzilla.suse.com/1181730 SUSE Bug 1181730 https://bugzilla.suse.com/1181732 SUSE Bug 1181732 https://www.suse.com/security/cve/CVE-2020-15257/ SUSE CVE CVE-2020-15257 page https://www.suse.com/security/cve/CVE-2021-21284/ SUSE CVE CVE-2021-21284 page https://www.suse.com/security/cve/CVE-2021-21285/ SUSE CVE CVE-2021-21285 page openSUSE Leap 15.2 containerd-1.3.9-lp152.2.3.1 containerd-ctr-1.3.9-lp152.2.3.1 docker-19.03.15_ce-lp152.2.3.1 docker-bash-completion-19.03.15_ce-lp152.2.3.1 docker-fish-completion-19.03.15_ce-lp152.2.3.1 docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1 docker-test-19.03.15_ce-lp152.2.3.1 docker-zsh-completion-19.03.15_ce-lp152.2.3.1 fish-2.7.1-lp152.5.3.1 fish-devel-2.7.1-lp152.5.3.1 golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 containerd-1.3.9-lp152.2.3.1 as a component of openSUSE Leap 15.2 containerd-ctr-1.3.9-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-19.03.15_ce-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-bash-completion-19.03.15_ce-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-fish-completion-19.03.15_ce-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-test-19.03.15_ce-lp152.2.3.1 as a component of openSUSE Leap 15.2 docker-zsh-completion-19.03.15_ce-lp152.2.3.1 as a component of openSUSE Leap 15.2 fish-2.7.1-lp152.5.3.1 as a component of openSUSE Leap 15.2 fish-devel-2.7.1-lp152.5.3.1 as a component of openSUSE Leap 15.2 golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 as a component of openSUSE Leap 15.2 containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container. CVE-2020-15257 openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1 openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 important 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/ https://www.suse.com/security/cve/CVE-2020-15257.html CVE-2020-15257 https://bugzilla.suse.com/1178969 SUSE Bug 1178969 In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user. CVE-2021-21284 openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1 openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 low 2.7 AV:A/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/ https://www.suse.com/security/cve/CVE-2021-21284.html CVE-2021-21284 https://bugzilla.suse.com/1181732 SUSE Bug 1181732 In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. CVE-2021-21285 openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1 openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1 openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1 openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1 openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/ https://www.suse.com/security/cve/CVE-2021-21285.html CVE-2021-21285 https://bugzilla.suse.com/1181730 SUSE Bug 1181730