Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork

Announcement ID:	SUSE-SU-2019:1234-2
Rating:	important
References:	bsc#1114209 bsc#1114832 bsc#1118897 bsc#1118898 bsc#1118899 bsc#1121397 bsc#1121967 bsc#1123013 bsc#1128376 bsc#1128746 bsc#1134068
Cross-References:	CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-5736 CVE-2019-6486
CVSS scores:	CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16874 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16875 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5736 ( SUSE ): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-6486 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-6486 ( NVD ): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Affected Products:	Containers Module 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves five vulnerabilities and has six security fixes can now be installed.

Description:

This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

Other changes and bug fixes:

Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
docker-test: Improvements to test packaging (bsc#1128746).
Move daemon.json file to /etc/docker directory (bsc#1114832).
Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
Fix go build failures (bsc#1121397).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

Containers Module 15-SP1
zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2019-1234=1

Package List:

Containers Module 15-SP1 (aarch64 ppc64le s390x x86_64)
- docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
- docker-debugsource-18.09.6_ce-6.17.1
- docker-18.09.6_ce-6.17.1
- docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1
- containerd-1.2.5-5.13.1
- docker-libnetwork-debuginfo-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
- docker-debuginfo-18.09.6_ce-6.17.1
- docker-runc-debuginfo-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1
Containers Module 15-SP1 (noarch)
- docker-bash-completion-18.09.6_ce-6.17.1

Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork

Description:

Patch Instructions:

Package List:

References: