Security update for containerd, docker, runc
Announcement ID: | SUSE-SU-2021:1458-1 |
---|---|
Rating: | important |
References: |
|
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves nine vulnerabilities and has 23 security fixes can now be installed.
Description:
This update for containerd, docker, runc fixes the following issues:
- Docker was updated to 20.10.6-ce
- Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
- CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
-
CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
-
runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962).
- Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
- Fixed /dev/null is not available (bsc#1168481).
- Fixed an issue where podman hangs when spawned by salt-minion process (bsc#1149954).
- CVE-2019-19921: Fixed a race condition with shared mounts (bsc#1160452).
- CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).
- CVE-2019-5736: Fixed potential write attacks to the host runc binary (bsc#1121967).
- Fixed an issue where after a kernel-update docker doesn't run (bsc#1131314 bsc#1131553)
-
Ensure that we always include the version information in runc (bsc#1053532).
-
Switch to Go 1.13 for build.
- CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897).
- CVE-2018-16874: Fixed a directory traversal in "go get" via curly braces in import paths (bsc#1118898).
- CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899).
-
Fixed an issue with building containers (bsc#1095817).
-
containerd was updated to v1.4.4
- CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
- Handle a requirement from docker (bsc#1181594).
- Install the containerd-shim* binaries and stop creating (bsc#1183024).
-
update version to the one required by docker (bsc#1034053)
-
Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429)
- Cleanup seccomp builds similar (bsc#1028638).
- Update to handle the docker-runc removal, and drop the -kubic flavour (bsc#1181677, bsc#1181749)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Containers Module 12
zypper in -t patch SUSE-SLE-Module-Containers-12-2021-1458=1
Package List:
-
Containers Module 12 (ppc64le s390x x86_64)
- runc-1.0.0~rc93-16.8.1
- containerd-1.4.4-16.38.1
- runc-debuginfo-1.0.0~rc93-16.8.1
- docker-debuginfo-20.10.6_ce-98.66.1
- docker-20.10.6_ce-98.66.1
References:
- https://www.suse.com/security/cve/CVE-2018-16873.html
- https://www.suse.com/security/cve/CVE-2018-16874.html
- https://www.suse.com/security/cve/CVE-2018-16875.html
- https://www.suse.com/security/cve/CVE-2019-16884.html
- https://www.suse.com/security/cve/CVE-2019-19921.html
- https://www.suse.com/security/cve/CVE-2019-5736.html
- https://www.suse.com/security/cve/CVE-2021-21284.html
- https://www.suse.com/security/cve/CVE-2021-21285.html
- https://www.suse.com/security/cve/CVE-2021-21334.html
- https://bugzilla.suse.com/show_bug.cgi?id=1028638
- https://bugzilla.suse.com/show_bug.cgi?id=1034053
- https://bugzilla.suse.com/show_bug.cgi?id=1048046
- https://bugzilla.suse.com/show_bug.cgi?id=1051429
- https://bugzilla.suse.com/show_bug.cgi?id=1053532
- https://bugzilla.suse.com/show_bug.cgi?id=1095817
- https://bugzilla.suse.com/show_bug.cgi?id=1118897
- https://bugzilla.suse.com/show_bug.cgi?id=1118898
- https://bugzilla.suse.com/show_bug.cgi?id=1118899
- https://bugzilla.suse.com/show_bug.cgi?id=1121967
- https://bugzilla.suse.com/show_bug.cgi?id=1131314
- https://bugzilla.suse.com/show_bug.cgi?id=1131553
- https://bugzilla.suse.com/show_bug.cgi?id=1149954
- https://bugzilla.suse.com/show_bug.cgi?id=1152308
- https://bugzilla.suse.com/show_bug.cgi?id=1160452
- https://bugzilla.suse.com/show_bug.cgi?id=1168481
- https://bugzilla.suse.com/show_bug.cgi?id=1175081
- https://bugzilla.suse.com/show_bug.cgi?id=1175821
- https://bugzilla.suse.com/show_bug.cgi?id=1181594
- https://bugzilla.suse.com/show_bug.cgi?id=1181641
- https://bugzilla.suse.com/show_bug.cgi?id=1181677
- https://bugzilla.suse.com/show_bug.cgi?id=1181730
- https://bugzilla.suse.com/show_bug.cgi?id=1181732
- https://bugzilla.suse.com/show_bug.cgi?id=1181749
- https://bugzilla.suse.com/show_bug.cgi?id=1182451
- https://bugzilla.suse.com/show_bug.cgi?id=1182476
- https://bugzilla.suse.com/show_bug.cgi?id=1182947
- https://bugzilla.suse.com/show_bug.cgi?id=1183024
- https://bugzilla.suse.com/show_bug.cgi?id=1183397
- https://bugzilla.suse.com/show_bug.cgi?id=1183855
- https://bugzilla.suse.com/show_bug.cgi?id=1184768
- https://bugzilla.suse.com/show_bug.cgi?id=1184962