Security update for containerd, docker and go

Announcement ID:	SUSE-SU-2018:4297-1
Rating:	important
References:	bsc#1047218 bsc#1074971 bsc#1080978 bsc#1081495 bsc#1084533 bsc#1086185 bsc#1094680 bsc#1095817 bsc#1098017 bsc#1102522 bsc#1104821 bsc#1105000 bsc#1108038 bsc#1113313 bsc#1113978 bsc#1114209 bsc#1118897 bsc#1118898 bsc#1118899 bsc#1119634 bsc#1119706
Cross-References:	CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2018-7187
CVSS scores:	CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16874 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16875 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-7187 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-7187 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	Containers Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has 17 security fixes can now be installed.

Description:

This update for containerd, docker and go fixes the following issues:

containerd and docker:

• Add backport for building containerd (bsc#1102522, bsc#1113313)
• Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522)
• Enable seccomp support on SLE12 (fate#325877)
• Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522)
• Put containerd under the podruntime slice (bsc#1086185)
• 3rd party registries used the default Docker certificate (bsc#1084533)
• Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem.

go:

• golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
• Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634)
• Fix a regression that broke go get for import path patterns containing "..." (bsc#1119706)

Additionally, the package go1.10 has been added.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Containers Module 15
  zypper in -t patch SUSE-SLE-Module-Containers-15-2018-3064=1

Package List:

• Containers Module 15 (ppc64le s390x x86_64)
  • docker-18.06.1_ce-6.8.2
  • docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.3.4
  • docker-debugsource-18.06.1_ce-6.8.2
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2664_3ac297bc7fd0-4.3.5
  • docker-debuginfo-18.06.1_ce-6.8.2
  • docker-runc-debuginfo-1.0.0rc5+gitr3562_69663f0bd4b6-6.3.4
  • containerd-1.1.2-5.3.4
  • docker-libnetwork-0.7.0.1+gitr2664_3ac297bc7fd0-4.3.5
• Containers Module 15 (noarch)
  • docker-bash-completion-18.06.1_ce-6.8.2

References:

• https://www.suse.com/security/cve/CVE-2018-16873.html
• https://www.suse.com/security/cve/CVE-2018-16874.html
• https://www.suse.com/security/cve/CVE-2018-16875.html
• https://www.suse.com/security/cve/CVE-2018-7187.html
• https://bugzilla.suse.com/show_bug.cgi?id=1047218
• https://bugzilla.suse.com/show_bug.cgi?id=1074971
• https://bugzilla.suse.com/show_bug.cgi?id=1080978
• https://bugzilla.suse.com/show_bug.cgi?id=1081495
• https://bugzilla.suse.com/show_bug.cgi?id=1084533
• https://bugzilla.suse.com/show_bug.cgi?id=1086185
• https://bugzilla.suse.com/show_bug.cgi?id=1094680
• https://bugzilla.suse.com/show_bug.cgi?id=1095817
• https://bugzilla.suse.com/show_bug.cgi?id=1098017
• https://bugzilla.suse.com/show_bug.cgi?id=1102522
• https://bugzilla.suse.com/show_bug.cgi?id=1104821
• https://bugzilla.suse.com/show_bug.cgi?id=1105000
• https://bugzilla.suse.com/show_bug.cgi?id=1108038
• https://bugzilla.suse.com/show_bug.cgi?id=1113313
• https://bugzilla.suse.com/show_bug.cgi?id=1113978
• https://bugzilla.suse.com/show_bug.cgi?id=1114209
• https://bugzilla.suse.com/show_bug.cgi?id=1118897
• https://bugzilla.suse.com/show_bug.cgi?id=1118898
• https://bugzilla.suse.com/show_bug.cgi?id=1118899
• https://bugzilla.suse.com/show_bug.cgi?id=1119634
• https://bugzilla.suse.com/show_bug.cgi?id=1119706