Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0065-1 Final 1 1 2020-01-10T10:02:51Z current 2020-01-10T10:02:51Z 2020-01-10T10:02:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). Bug fixes: - Update to Docker 19.03.5-ce (bsc#1158590). - Update to Docker 19.03.3-ce (bsc#1153367). - Update to Docker 19.03.2-ce (bsc#1150397). - Fixed default installation such that --userns-remap=default works properly (bsc#1143349). - Fixed nginx blocked by apparmor (bsc#1122469). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-Basic-On-Demand-2020-65,Image SLES12-SP5-Azure-Standard-On-Demand-2020-65,Image SLES12-SP5-EC2-ECS-On-Demand-2020-65,Image SLES12-SP5-EC2-On-Demand-2020-65,Image SLES12-SP5-GCE-On-Demand-2020-65,SUSE-2020-65,SUSE-SLE-Module-Containers-12-2020-65 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200065-1/ Link for SUSE-SU-2020:0065-1 https://lists.suse.com/pipermail/sle-security-updates/2020-January/006325.html E-Mail link for SUSE-SU-2020:0065-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1122469 SUSE Bug 1122469 https://bugzilla.suse.com/1143349 SUSE Bug 1143349 https://bugzilla.suse.com/1150397 SUSE Bug 1150397 https://bugzilla.suse.com/1152308 SUSE Bug 1152308 https://bugzilla.suse.com/1153367 SUSE Bug 1153367 https://bugzilla.suse.com/1158590 SUSE Bug 1158590 https://www.suse.com/security/cve/CVE-2019-16884/ SUSE CVE CVE-2019-16884 page Image SLES12-SP5-Azure-Basic-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-On-Demand SUSE Linux Enterprise Module for Containers 12 containerd-1.2.10-16.26.1 docker-19.03.5_ce-98.51.1 containerd-ctr-1.2.10-16.26.1 containerd-kubic-1.2.10-16.26.1 containerd-kubic-ctr-1.2.10-16.26.1 docker-bash-completion-19.03.5_ce-98.51.1 docker-kubic-19.03.5_ce-98.51.1 docker-kubic-bash-completion-19.03.5_ce-98.51.1 docker-kubic-kubeadm-criconfig-19.03.5_ce-98.51.1 docker-kubic-test-19.03.5_ce-98.51.1 docker-kubic-zsh-completion-19.03.5_ce-98.51.1 docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1 docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-28.1 docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1 docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1 docker-test-19.03.5_ce-98.51.1 docker-zsh-completion-19.03.5_ce-98.51.1 golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1 golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-28.1 containerd-1.2.10-16.26.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand docker-19.03.5_ce-98.51.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand containerd-1.2.10-16.26.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand docker-19.03.5_ce-98.51.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand containerd-1.2.10-16.26.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand docker-19.03.5_ce-98.51.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand containerd-1.2.10-16.26.1 as a component of Image SLES12-SP5-EC2-On-Demand docker-19.03.5_ce-98.51.1 as a component of Image SLES12-SP5-EC2-On-Demand containerd-1.2.10-16.26.1 as a component of Image SLES12-SP5-GCE-On-Demand docker-19.03.5_ce-98.51.1 as a component of Image SLES12-SP5-GCE-On-Demand containerd-1.2.10-16.26.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-19.03.5_ce-98.51.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1 as a component of SUSE Linux Enterprise Module for Containers 12 runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. CVE-2019-16884 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.2.10-16.26.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-19.03.5_ce-98.51.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.2.10-16.26.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-19.03.5_ce-98.51.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.2.10-16.26.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-19.03.5_ce-98.51.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.2.10-16.26.1 Image SLES12-SP5-EC2-On-Demand:docker-19.03.5_ce-98.51.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.2.10-16.26.1 Image SLES12-SP5-GCE-On-Demand:docker-19.03.5_ce-98.51.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.2.10-16.26.1 SUSE Linux Enterprise Module for Containers 12:docker-19.03.5_ce-98.51.1 SUSE Linux Enterprise Module for Containers 12:docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1 SUSE Linux Enterprise Module for Containers 12:docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200065-1/ https://www.suse.com/security/cve/CVE-2019-16884.html CVE-2019-16884 https://bugzilla.suse.com/1152308 SUSE Bug 1152308