Security update for docker

SUSE Security Update: Security update for docker
Announcement ID: SUSE-SU-2015:0082-1
Rating: moderate
References: #909709 #909710 #909712 #913211 #913213
Affected Products:
  • SUSE Linux Enterprise Server 12

    An update that solves three vulnerabilities and has two fixes is now available.

    Description:

    This docker version upgrade fixes the following security and non-security
    issues, and also adds additional features:

    - Updated to 1.4.1 (2014-12-15):
      * Runtime:
        - Fix issue with volumes-from and bind mounts not being honored after
          create (fixes bnc#913213)

    - Added e2fsprogs as runtime dependency, this is required when the
    devicemapper driver is used. (bnc#913211).
    - Fixed owner & group for docker.socket (thanks to Andrei Dziahel and
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)

    - Updated to 1.4.0 (2014-12-11):
      * Notable Features since 1.3.0:
        - Set key=value labels to the daemon (displayed in `docker info`),
          applied with new `-label` daemon flag
        - Add support for `ENV` in Dockerfile of the form: `ENV name=value
          name2=value2...`
        - New Overlayfs Storage Driver
        - `docker info` now returns an `ID` and `Name` field
        - Filter events by event name, container, or image
        - `docker cp` now supports copying from container volumes
        - Fixed `docker tag`, so it honors `--force` when overriding a tag for
          existing image.
    - Changes introduced by 1.3.3 (2014-12-11):
      * Security:
        - Fix path traversal vulnerability in processing of absolute symbolic
          links (CVE-2014-9356) - (bnc#909709)
        - Fix decompression of xz image archives, preventing privilege
          escalation (CVE-2014-9357) - (bnc#909710)
        - Validate image IDs (CVE-2014-9358) - (bnc#909712)
      * Runtime:
        - Fix an issue when image archives are being read slowly
      * Client:
        - Fix a regression related to stdin redirection
        - Fix a regression with `docker cp` when destination is the current
          directory

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-28

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 12 (x86_64):
      • docker-1.4.1-16.1
      • docker-debuginfo-1.4.1-16.1
      • docker-debugsource-1.4.1-16.1
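
To confirm that a host actually carries the fixed build from the package list above, the installed version-release can be compared against 1.4.1-16.1. This is an added example, not part of the SUSE advisory; the function names are hypothetical, the sample version strings other than 1.4.1-16.1 are constructed, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed docker
# package is at or above the fixed build listed in SUSE-SU-2015:0082-1.
FIXED="1.4.1-16.1"   # version-release from the advisory's package list

# ver_ge A B: succeed if version-release A is >= B.
# Assumption: GNU sort -V approximates RPM ordering, which holds for purely
# numeric version-release strings such as the ones used here.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# docker_status VERSION-RELEASE: print "fixed" or "vulnerable".
docker_status() {
    if ver_ge "$1" "$FIXED"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# check_installed: query the RPM database on the local host and report.
# Returns 0 if fixed or not installed, 1 if vulnerable, 2 if rpm is missing.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 2; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' docker 2>/dev/null) || {
        echo "docker not installed"; return 0; }
    status=$(docker_status "$inst")
    echo "docker $inst: $status (CVE-2014-9356/9357/9358 fixed in $FIXED)"
    [ "$status" = "fixed" ]
}

# Demonstration on constructed version strings (only 1.4.1-16.1 is from the
# advisory); 1.4.1-9.1 shows that the release field is compared numerically.
for v in 1.3.2-4.1 1.4.1-9.1 1.4.1-16.1 1.10.0-1.1; do
    printf '%s -> %s\n' "$v" "$(docker_status "$v")"
done
```

On a SUSE Linux Enterprise Server 12 host, call `check_installed` after running the patch command to verify the result.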

    References:

    • http://support.novell.com/security/cve/CVE-2014-9356.html
    • http://support.novell.com/security/cve/CVE-2014-9357.html
    • http://support.novell.com/security/cve/CVE-2014-9358.html
    • https://bugzilla.suse.com/show_bug.cgi?id=909709
    • https://bugzilla.suse.com/show_bug.cgi?id=909710
    • https://bugzilla.suse.com/show_bug.cgi?id=909712
    • https://bugzilla.suse.com/show_bug.cgi?id=913211
    • https://bugzilla.suse.com/show_bug.cgi?id=913213