Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork

Announcement ID:	SUSE-SU-2019:1264-1
Rating:	important
References:	bsc#1114209 bsc#1114832 bsc#1118897 bsc#1118898 bsc#1118899 bsc#1121397 bsc#1123013 bsc#1128376 bsc#1128746 bsc#1134068
Cross-References:	CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-6486
CVSS scores:	CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16874 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16875 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-6486 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-6486 ( NVD ): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Affected Products:	Containers Module 12 Magnum Orchestration 7 SUSE CaaS Platform 3.0 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves four vulnerabilities and has six security fixes can now be installed.

Description:

This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

• CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
• CVE-2018-16873: go security release, fixing cmd/go remote command execution (bsc#1118897).
• CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
• CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

Other changes and bug fixes:

• Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, boo#1134068).
• Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, boo#1134068).
• Update to Docker 18.09.6-ce see upstream changelog in the packaged
• Move daemon.json file to /etc/docker directory (bsc#1114832).
• docker-test: Improvements to test packaging (bsc#1128746).
• Update to go1.11.9 (released 2019/04/11)
• Fix go build failures (bsc#1121397).
• Update to golang-github-docker-libnetwork version git.872f0a83c98add6cae255c8859e29532febc0039 which is required for Docker v18.09.6-ce.
• Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Magnum Orchestration 7
  zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-1264=1
• Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2019-1264=1
• SUSE CaaS Platform 3.0
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

• Magnum Orchestration 7 (x86_64)
  • docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1
  • docker-18.09.6_ce-98.37.1
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • containerd-1.2.5-16.17.2
  • docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • docker-debuginfo-18.09.6_ce-98.37.1
  • docker-debugsource-18.09.6_ce-98.37.1
• Containers Module 12 (ppc64le s390x x86_64)
  • docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1
  • docker-18.09.6_ce-98.37.1
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • containerd-1.2.5-16.17.2
  • docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • docker-debuginfo-18.09.6_ce-98.37.1
  • docker-debugsource-18.09.6_ce-98.37.1
• SUSE CaaS Platform 3.0 (x86_64)
  • docker-kubic-debugsource-18.09.6_ce-98.37.1
  • docker-runc-kubic-debugsource-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1
  • docker-libnetwork-kubic-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • containerd-kubic-1.2.5-16.17.2
  • docker-kubic-18.09.6_ce-98.37.1
  • docker-runc-kubic-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1
  • docker-libnetwork-kubic-debuginfo-0.7.0.1+gitr2726_872f0a83c98a-19.1
  • docker-runc-kubic-debuginfo-1.0.0rc6+gitr3804_2b18fe1d885e-1.23.1
  • docker-kubic-debuginfo-18.09.6_ce-98.37.1

References:

• https://www.suse.com/security/cve/CVE-2018-16873.html
• https://www.suse.com/security/cve/CVE-2018-16874.html
• https://www.suse.com/security/cve/CVE-2018-16875.html
• https://www.suse.com/security/cve/CVE-2019-6486.html
• https://bugzilla.suse.com/show_bug.cgi?id=1114209
• https://bugzilla.suse.com/show_bug.cgi?id=1114832
• https://bugzilla.suse.com/show_bug.cgi?id=1118897
• https://bugzilla.suse.com/show_bug.cgi?id=1118898
• https://bugzilla.suse.com/show_bug.cgi?id=1118899
• https://bugzilla.suse.com/show_bug.cgi?id=1121397
• https://bugzilla.suse.com/show_bug.cgi?id=1123013
• https://bugzilla.suse.com/show_bug.cgi?id=1128376
• https://bugzilla.suse.com/show_bug.cgi?id=1128746
• https://bugzilla.suse.com/show_bug.cgi?id=1134068