Recommended update for Docker, RunC, Containerd

Announcement ID: SUSE-RU-2017:1965-1
Rating: moderate
CVSS scores:
  • CVE-2017-8932 (NVD): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • Containers Module 12
  • Magnum Orchestration 7
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE OpenStack Cloud 6

An update that solves one vulnerability and has 17 fixes can now be installed.

Description:

This update for Containerd, Docker and RunC provides several fixes and enhancements.

Containerd:

  • Update containerd to the version needed for docker-v17.04.0-ce. (bsc#1034053)
  • Fix spurious messages filling journal. (bsc#1032769)
  • Set TasksMax=infinity to make sure runC doesn't start failing randomly.

Docker:

  • Update to version 17.04.0-ce. (bsc#1034053)
  • Fix exec ID leaks caused by bad error handling. (bsc#1037436)
  • Make AppArmor's pkg/aaparser work on a read-only root. (bsc#1037607)
  • Improve Docker's systemd configuration. (bsc#1032287)
  • Check if the docker binary is available before attempting to use it. (bsc#1038476)
  • Build man pages for all architectures. (bsc#953182)
  • Fix DNS resolution when Docker host uses 127.0.0.1 as resolver. (bsc#1034063)
  • Enable Delegate=yes, since systemd will safely ignore lvalues it doesn't understand.
  • Update SUSE secrets patch to handle bsc#1030702.
  • Change lvm2 from Requires to Recommends: when no storage driver is configured explicitly, Docker picks a default driver at installation time, and which one it picks depends on the underlying system. (bsc#1032644)
  • Disable libseccomp for Leap 42.1, SLE 12 and 12-SP1, because docker needs a higher version. Otherwise, we get the error "conditional filtering requires libseccomp version >= 2.2.1". (bsc#1028639, bsc#1028638)
  • Add a backport of the fix for the AppArmor lazy-loading docker-exec case.
  • Fix the systemd TasksMax default, which could throttle docker. (bsc#1026827)
  • Enable pkcs11.

For a comprehensive list of changes, please refer to /usr/share/doc/packages/docker/CHANGELOG.md
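The Containerd and Docker changelogs above both touch the unit settings systemd applies to the daemon (TasksMax=infinity so runC does not start failing randomly, Delegate=yes, and the TasksMax default that could throttle docker). The script below is an added example, not part of the SUSE advisory or the docker package: it checks the properties systemd actually applied to docker.service, in the `Key=Value` form that `systemctl show` prints, so an administrator can confirm the update took effect. The drop-in path named in the trailing comment is an assumption; any drop-in file name works.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify that a host's docker.service
# carries the systemd settings this update ships, TasksMax=infinity and
# Delegate=yes, by reading the properties systemd applied rather than the
# unit file text (a drop-in or an old package could still override the file).

# Expected values, as named in the advisory's changelog.
EXPECTED_TASKSMAX="infinity"
EXPECTED_DELEGATE="yes"

# check_docker_unit_props reads "Key=Value" lines on stdin, the format of
#   systemctl show -p TasksMax -p Delegate docker.service
# and returns 0 only when both properties match the expected values.
# Any other TasksMax (systemd prints a number when a cap is in place) means
# the daemon can still be throttled (bsc#1026827); Delegate=no means systemd
# keeps managing the cgroup subtree that docker expects to own.
check_docker_unit_props() {
    tasksmax=""
    delegate=""
    while IFS='=' read -r key value; do
        case "$key" in
            TasksMax) tasksmax="$value" ;;
            Delegate) delegate="$value" ;;
        esac
    done
    [ "$tasksmax" = "$EXPECTED_TASKSMAX" ] && [ "$delegate" = "$EXPECTED_DELEGATE" ]
}

# Live usage (root not required for "systemctl show"):
#   systemctl show -p TasksMax -p Delegate docker.service | check_docker_unit_props \
#       && echo "docker.service: TasksMax/Delegate OK" \
#       || echo "docker.service: TasksMax/Delegate NOT as shipped by this update"
#
# If the check fails on an already-updated host, a drop-in such as
# /etc/systemd/system/docker.service.d/override.conf (assumed path) followed by
# "systemctl daemon-reload && systemctl restart docker" restores both values:
#   [Service]
#   TasksMax=infinity
#   Delegate=yes
```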

RunC:

  • Update version to the one required by docker-17.04.0-ce. (bsc#1034053)
  • Make sure to ignore cgroup v2 mountpoints. (bsc#1028113)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE OpenStack Cloud 6
    zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1143=1
  • Magnum Orchestration 7
    zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1143=1
  • Containers Module 12
    zypper in -t patch SUSE-SLE-Module-Containers-12-2017-1143=1

Package List:

  • SUSE OpenStack Cloud 6 (x86_64)
    • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
    • docker-debuginfo-17.04.0_ce-98.2
    • docker-17.04.0_ce-98.2
    • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
    • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
    • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
    • containerd-0.2.5+gitr639_422e31c-20.2
    • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
    • docker-debugsource-17.04.0_ce-98.2
    • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
    • runc-0.1.1+gitr2947_9c2d8d1-20.3
    • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
  • Magnum Orchestration 7 (x86_64)
    • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
    • docker-debuginfo-17.04.0_ce-98.2
    • docker-17.04.0_ce-98.2
    • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
    • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
    • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
    • containerd-0.2.5+gitr639_422e31c-20.2
    • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
    • docker-debugsource-17.04.0_ce-98.2
    • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
    • runc-0.1.1+gitr2947_9c2d8d1-20.3
    • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
  • Containers Module 12 (ppc64le s390x x86_64)
    • containerd-debugsource-0.2.5+gitr639_422e31c-20.2
    • docker-debuginfo-17.04.0_ce-98.2
    • docker-17.04.0_ce-98.2
    • runc-debugsource-0.1.1+gitr2947_9c2d8d1-20.3
    • docker-libnetwork-debuginfo-0.0.0+git20170119.7b2b1fe-4.1
    • docker-libnetwork-0.0.0+git20170119.7b2b1fe-4.1
    • containerd-0.2.5+gitr639_422e31c-20.2
    • containerd-debuginfo-0.2.5+gitr639_422e31c-20.2
    • docker-debugsource-17.04.0_ce-98.2
    • runc-debuginfo-0.1.1+gitr2947_9c2d8d1-20.3
    • runc-0.1.1+gitr2947_9c2d8d1-20.3
    • golang-github-docker-libnetwork-debugsource-0.0.0+git20170119.7b2b1fe-4.1
  • Containers Module 12 (x86_64)
    • docker-distribution-registry-2.6.1-15.2