Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc

Announcement ID:	SUSE-SU-2019:0573-1
Rating:	important
References:	bsc#1001161 bsc#1048046 bsc#1051429 bsc#1112980 bsc#1114832 bsc#1118897 bsc#1118898 bsc#1118899 bsc#1121412 bsc#1121967 bsc#1124308
Cross-References:	CVE-2016-9962 CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-5736
CVSS scores:	CVE-2016-9962 ( NVD ): 6.4 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16874 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16875 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5736 ( SUSE ): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products:	Containers Module 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 6 LTSS 6

An update that solves five vulnerabilities and has six security fixes can now be installed.

Description:

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

Other changes and bug fixes:

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Disable leap based builds for kubic flavor (bsc#1121412).
• Allow users to explicitly specify the NIS domain name of a container (bsc#1001161).
• Update docker.service to match upstream and avoid rlimit problems (bsc#1112980).
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 6 LTSS 6
  zypper in -t patch SUSE-OpenStack-Cloud-6-LTSS-2019-573=1
• Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2019-573=1

Package List:

• SUSE OpenStack Cloud 6 LTSS 6 (x86_64)
  • docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
  • containerd-1.2.2-16.14.2
  • docker-debugsource-18.09.1_ce-98.34.2
  • golang-github-docker-libnetwork-debugsource-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
  • docker-debuginfo-18.09.1_ce-98.34.2
  • docker-18.09.1_ce-98.34.2
  • docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
• Containers Module 12 (ppc64le s390x x86_64)
  • docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
  • containerd-1.2.2-16.14.2
  • docker-debugsource-18.09.1_ce-98.34.2
  • golang-github-docker-libnetwork-debugsource-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
  • docker-debuginfo-18.09.1_ce-98.34.2
  • docker-18.09.1_ce-98.34.2
  • docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2711_2cfbf9b1f981-16.2

References:

• https://www.suse.com/security/cve/CVE-2016-9962.html
• https://www.suse.com/security/cve/CVE-2018-16873.html
• https://www.suse.com/security/cve/CVE-2018-16874.html
• https://www.suse.com/security/cve/CVE-2018-16875.html
• https://www.suse.com/security/cve/CVE-2019-5736.html
• https://bugzilla.suse.com/show_bug.cgi?id=1001161
• https://bugzilla.suse.com/show_bug.cgi?id=1048046
• https://bugzilla.suse.com/show_bug.cgi?id=1051429
• https://bugzilla.suse.com/show_bug.cgi?id=1112980
• https://bugzilla.suse.com/show_bug.cgi?id=1114832
• https://bugzilla.suse.com/show_bug.cgi?id=1118897
• https://bugzilla.suse.com/show_bug.cgi?id=1118898
• https://bugzilla.suse.com/show_bug.cgi?id=1118899
• https://bugzilla.suse.com/show_bug.cgi?id=1121412
• https://bugzilla.suse.com/show_bug.cgi?id=1121967
• https://bugzilla.suse.com/show_bug.cgi?id=1124308