Security update for containerd, docker, runc

Announcement ID: SUSE-SU-2021:3506-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2021-30465 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-30465 ( NVD ): 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • CVE-2021-32760 ( SUSE ): 3.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L
  • CVE-2021-32760 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  • CVE-2021-41089 ( SUSE ): 3.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE-2021-41089 ( NVD ): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  • CVE-2021-41091 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  • CVE-2021-41091 ( NVD ): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  • CVE-2021-41092 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
  • CVE-2021-41092 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-41103 ( SUSE ): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2021-41103 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Containers Module 15-SP2
  • Containers Module 15-SP3
  • SUSE CaaS Platform 4.0
  • SUSE Enterprise Storage 6
  • SUSE Enterprise Storage 7
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise High Performance Computing 15 LTSS 15
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Micro 5.0
  • SUSE Linux Enterprise Micro 5.1
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server 15 LTSS 15
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server ESPOS 15
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.1
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.1
  • SUSE Manager Server 4.2

An update that solves six vulnerabilities and has four security fixes can now be installed.

Description:

This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)

See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.

CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

  • CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

  • Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.2

  • Fixed a failure to set CPU quota period in some cases on cgroup v1.
  • Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
  • Made release builds reproducible from now on.
  • Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec.
  • Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.1

  • Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume.
  • Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters.
  • cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
  • cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
  • cgroup/systemd/v2: don't freeze cgroup on Set.
  • cgroup/systemd/v1: avoid unnecessary freeze on Set.
  • fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 * cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

Regression Fixes:

  • seccomp: fix 32-bit compilation errors
  • runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  • runc start: fix "chdir to cwd: permission denied" for some setups

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Containers Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2021-3506=1
  • Containers Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2021-3506=1
  • SUSE Linux Enterprise Server ESPOS 15
    zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3506=1
  • SUSE Linux Enterprise High Performance Computing 15 LTSS 15
    zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3506=1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3506=1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3506=1
  • SUSE Linux Enterprise Server 15 LTSS 15
    zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3506=1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3506=1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3506=1
  • SUSE Linux Enterprise Server for SAP Applications 15
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3506=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3506=1
  • SUSE Enterprise Storage 6
    zypper in -t patch SUSE-Storage-6-2021-3506=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2021-3506=1
  • SUSE CaaS Platform 4.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
  • SUSE Linux Enterprise Micro 5.0
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3506=1
  • SUSE Linux Enterprise Micro 5.1
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3506=1

Package List:

  • Containers Module 15-SP2 (aarch64 ppc64le s390x x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • Containers Module 15-SP2 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • Containers Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • Containers Module 15-SP3 (noarch)
    • docker-fish-completion-20.10.9_ce-156.1
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server ESPOS 15 (x86_64)
    • containerd-1.4.11-56.1
    • docker-20.10.9_ce-156.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server ESPOS 15 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 LTSS 15 (x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 LTSS 15 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (aarch64 x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 LTSS 15 (aarch64 ppc64le s390x x86_64)
    • runc-debuginfo-1.0.2-23.1
    • runc-1.0.2-23.1
  • SUSE Linux Enterprise Server 15 LTSS 15 (ppc64le s390x x86_64)
    • containerd-1.4.11-56.1
    • docker-20.10.9_ce-156.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 LTSS 15 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server for SAP Applications 15 (ppc64le x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server for SAP Applications 15 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Enterprise Storage 6 (aarch64 x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Enterprise Storage 6 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Enterprise Storage 7 (aarch64 x86_64)
    • runc-debuginfo-1.0.2-23.1
    • runc-1.0.2-23.1
  • SUSE CaaS Platform 4.0 (x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE CaaS Platform 4.0 (noarch)
    • docker-bash-completion-20.10.9_ce-156.1
  • SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1
  • SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
    • containerd-1.4.11-56.1
    • runc-debuginfo-1.0.2-23.1
    • docker-20.10.9_ce-156.1
    • runc-1.0.2-23.1
    • docker-debuginfo-20.10.9_ce-156.1

References: