Security update for docker

Announcement ID: SUSE-SU-2015:0082-1
Rating: moderate
CVSS scores:
  • CVE-2014-9356 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Affected Products:
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server for SAP Applications 12

An update that solves three vulnerabilities and has two security fixes can now be installed.

Description:

This docker version upgrade fixes the following security and non-security issues and also adds new features:

  • Updated to 1.4.1 (2014-12-15):
    • Runtime:
      • Fix issue with volumes-from and bind mounts not being honored after create (fixes bnc#913213)
  • Added e2fsprogs as a runtime dependency; it is required when the devicemapper driver is used (bnc#913211).
  • Fixed owner & group for docker.socket (thanks to Andrei Dziahel and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)
  • Updated to 1.4.0 (2014-12-11):
    • Notable Features since 1.3.0:
      • Set key=value labels to the daemon (displayed in docker info), applied with new -label daemon flag
      • Add support for ENV in Dockerfile of the form: ENV name=value name2=value2...
      • New Overlayfs Storage Driver
      • docker info now returns an ID and Name field
      • Filter events by event name, container, or image
      • docker cp now supports copying from container volumes
      • Fixed docker tag, so it honors --force when overriding a tag for an existing image.
  • Changes introduced by 1.3.3 (2014-12-11):
    • Security:
      • Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356) - (bnc#909709)
      • Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357) - (bnc#909710)
      • Validate image IDs (CVE-2014-9358) - (bnc#909712)
    • Runtime:
      • Fix an issue when image archives are being read slowly
    • Client:
      • Fix a regression related to stdin redirection
      • Fix a regression with docker cp when destination is the current directory
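Two of the 1.3.3 security fixes above (CVE-2014-9356 and CVE-2014-9358) are about untrusted names from an image archive being used as filesystem paths. As an added illustration, not Docker's or SUSE's own code, the checks below show the kind of validation that closes that class of issue: an image ID must be exactly 64 hex characters, and a symlink target taken from a layer is re-based onto the container root and rejected if it escapes it. Function names and the sample root path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// validImageID matches the 64-character lowercase hex form of a Docker image ID.
var validImageID = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ValidateImageID rejects any ID that is not exactly 64 hex characters, so a
// crafted ID cannot carry separators or ".." into the graph directory.
func ValidateImageID(id string) error {
	if !validImageID.MatchString(id) {
		return fmt.Errorf("image ID %q is not a 64-character hex string", id)
	}
	return nil
}

// ConfineLinkTarget resolves a symlink target found in a layer so it stays under
// root: absolute targets are re-based onto root, relative targets are resolved
// against the link's own directory, and anything that lexically escapes root is
// rejected. Lexical only: it does not follow nested links on a real filesystem.
func ConfineLinkTarget(root, linkDir, target string) (string, error) {
	root = filepath.Clean(root)
	var resolved string
	if filepath.IsAbs(target) {
		// "/etc/passwd" inside the layer must mean "<root>/etc/passwd", never the host file.
		resolved = filepath.Join(root, target)
	} else {
		resolved = filepath.Join(root, linkDir, target)
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("symlink target escapes the container root: " + target)
	}
	return resolved, nil
}

func main() {
	// Constructed sample root; a real daemon would use its graph/container directory.
	fmt.Println(ValidateImageID("../../etc"))
	fmt.Println(ConfineLinkTarget("/var/lib/docker/root", "etc", "/etc/passwd"))
	fmt.Println(ConfineLinkTarget("/var/lib/docker/root", "etc", "../../../etc/shadow"))
}
```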

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Server 12
    zypper in -t patch SUSE-SLE-SERVER-12-2015-28=1
  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SERVER-12-2015-28=1

Package List:

  • SUSE Linux Enterprise Server 12 (x86_64)
    • docker-debuginfo-1.4.1-16.1
    • docker-debugsource-1.4.1-16.1
    • docker-1.4.1-16.1
  • SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
    • docker-debuginfo-1.4.1-16.1
    • docker-debugsource-1.4.1-16.1
    • docker-1.4.1-16.1
