Description
Security update for containerd, docker, runc
This update for containerd, docker (to 1.12.6) and runc fixes the two issues.
This security issue was fixed:
- CVE-2016-9962: A difficult-to-exploit race condition caused by passing a file descriptor from the host's filesystem into the container could have allowed the guest to escape (bsc#1012568).
For docker this non-security issue was fixed:
- bsc#1019251: Waiting when starting the docker service
Package list
SUSE Linux Enterprise Module for Containers 12
containerd-0.2.5+gitr569_2a5e70c-15.3
docker-1.12.6-87.2
runc-0.1.1+gitr2819_50a19c6-15.2
SUSE OpenStack Cloud 6
containerd-0.2.5+gitr569_2a5e70c-15.3
docker-1.12.6-87.2
runc-0.1.1+gitr2819_50a19c6-15.2
References
- Link for SUSE-SU-2017:1964-1
- E-Mail link for SUSE-SU-2017:1964-1
- SUSE Security Ratings
- SUSE Bug 1012568
- SUSE Bug 1019251
- SUSE CVE CVE-2016-9962 page
Description
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Affected products
SUSE Linux Enterprise Module for Containers 12:containerd-0.2.5+gitr569_2a5e70c-15.3
SUSE Linux Enterprise Module for Containers 12:docker-1.12.6-87.2
SUSE Linux Enterprise Module for Containers 12:runc-0.1.1+gitr2819_50a19c6-15.2
SUSE OpenStack Cloud 6:containerd-0.2.5+gitr569_2a5e70c-15.3
References
- CVE-2016-9962
- SUSE Bug 1012568
- SUSE Bug 1173425