Security update for Docker and dependencies

Announcement ID:	SUSE-SU-2016:3084-1
Rating:	moderate
References:	bsc#1004490 bsc#1006368 bsc#1007249 bsc#1009961 bsc#974208 bsc#978260 bsc#983015 bsc#987198 bsc#988408 bsc#989566 bsc#995058 bsc#995102 bsc#995620 bsc#996015 bsc#999582
Cross-References:	CVE-2016-8867
CVSS scores:	CVE-2016-8867 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	Containers Module 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 6

An update that solves one vulnerability and has 14 security fixes can now be installed.

Description:

This update for Docker and its dependencies fixes the following issues:

• fix runc and containerd revisions (bsc#1009961)

docker:

• Updates version 1.11.2 to 1.12.3 (bsc#1004490, bsc#996015, bsc#995058)
• Fix ambient capability usage in containers (bsc#1007249, CVE-2016-8867)
• Change the internal mountpoint name to not use ":" as that character can be considered a special character by other tools. (bsc#999582)
• Add dockerd(8) man page.
• Package docker-proxy (which was split out of the docker binary in 1.12). (bsc#995620)
• Docker "migrator" prevents installing "docker", if docker 1.9 was installed before but there were no images. (bsc#995102)
• Specify an "OCI" runtime for our runc package explicitly. (bsc#978260)
• Use gcc6-go instead of gcc5-go (bsc#988408)

For a detailed description of all fixes and improvements, please refer to:

https://github.com/docker/docker/releases/tag/v1.12.3 https://github.com/docker/docker/blob/v1.12.2/CHANGELOG.md https://github.com/docker/docker/releases/tag/v1.12.1 https://github.com/docker/docker/releases/tag/v1.12.0

containerd:

• Update to current version required from Docker 1.12.3.
• Add missing Requires(post): %fillup_prereq. (bsc#1006368)
• Use gcc6-go instead of gcc5-go. (bsc#988408)

runc:

• Update to current version required from Docker 1.12.3.
• Use gcc6-go instead of gcc5-go. (bsc#988408)

rubygem-excon:

• Updates version from 0.39.6 to 0.52.0.

For a detailed description of all fixes and improvements, please refer to the installed changelog.txt.

rubygem-docker-api:

• Updated version from 1.17.0 to 1.31.0.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 6
  zypper in -t patch SUSE-OpenStack-Cloud-6-2016-1794=1
• Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2016-1794=1

Package List:

• SUSE OpenStack Cloud 6 (x86_64)
  • runc-debugsource-0.1.1+gitr2816_02f8fa7-9.1
  • docker-debugsource-1.12.3-81.2
  • runc-debuginfo-0.1.1+gitr2816_02f8fa7-9.1
  • docker-1.12.3-81.2
  • docker-debuginfo-1.12.3-81.2
  • containerd-0.2.4+gitr565_0366d7e-9.1
  • runc-0.1.1+gitr2816_02f8fa7-9.1
  • containerd-debugsource-0.2.4+gitr565_0366d7e-9.1
  • containerd-debuginfo-0.2.4+gitr565_0366d7e-9.1
• Containers Module 12 (ppc64le s390x x86_64)
  • runc-debugsource-0.1.1+gitr2816_02f8fa7-9.1
  • docker-debugsource-1.12.3-81.2
  • runc-debuginfo-0.1.1+gitr2816_02f8fa7-9.1
  • ruby2.1-rubygem-excon-0.52.0-9.1
  • docker-1.12.3-81.2
  • docker-debuginfo-1.12.3-81.2
  • containerd-0.2.4+gitr565_0366d7e-9.1
  • runc-0.1.1+gitr2816_02f8fa7-9.1
  • ruby2.1-rubygem-docker-api-1.31.0-11.2
  • containerd-debugsource-0.2.4+gitr565_0366d7e-9.1
  • containerd-debuginfo-0.2.4+gitr565_0366d7e-9.1

References:

• https://www.suse.com/security/cve/CVE-2016-8867.html
• https://bugzilla.suse.com/show_bug.cgi?id=1004490
• https://bugzilla.suse.com/show_bug.cgi?id=1006368
• https://bugzilla.suse.com/show_bug.cgi?id=1007249
• https://bugzilla.suse.com/show_bug.cgi?id=1009961
• https://bugzilla.suse.com/show_bug.cgi?id=974208
• https://bugzilla.suse.com/show_bug.cgi?id=978260
• https://bugzilla.suse.com/show_bug.cgi?id=983015
• https://bugzilla.suse.com/show_bug.cgi?id=987198
• https://bugzilla.suse.com/show_bug.cgi?id=988408
• https://bugzilla.suse.com/show_bug.cgi?id=989566
• https://bugzilla.suse.com/show_bug.cgi?id=995058
• https://bugzilla.suse.com/show_bug.cgi?id=995102
• https://bugzilla.suse.com/show_bug.cgi?id=995620
• https://bugzilla.suse.com/show_bug.cgi?id=996015
• https://bugzilla.suse.com/show_bug.cgi?id=999582