docker-1.12.3-4.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10532-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z docker-1.12.3-4.1 on GA media These are all security issues fixed in the docker-1.12.3-4.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10532 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-3499/ SUSE CVE CVE-2014-3499 page https://www.suse.com/security/cve/CVE-2014-5277/ SUSE CVE CVE-2014-5277 page https://www.suse.com/security/cve/CVE-2014-6407/ SUSE CVE CVE-2014-6407 page https://www.suse.com/security/cve/CVE-2014-6408/ SUSE CVE CVE-2014-6408 page https://www.suse.com/security/cve/CVE-2014-8178/ SUSE CVE CVE-2014-8178 page https://www.suse.com/security/cve/CVE-2014-8179/ SUSE CVE CVE-2014-8179 page https://www.suse.com/security/cve/CVE-2014-9356/ SUSE CVE CVE-2014-9356 page https://www.suse.com/security/cve/CVE-2014-9357/ SUSE CVE CVE-2014-9357 page https://www.suse.com/security/cve/CVE-2014-9358/ SUSE CVE CVE-2014-9358 page https://www.suse.com/security/cve/CVE-2015-3627/ SUSE CVE CVE-2015-3627 page https://www.suse.com/security/cve/CVE-2015-3629/ SUSE CVE CVE-2015-3629 page https://www.suse.com/security/cve/CVE-2015-3630/ SUSE CVE CVE-2015-3630 page https://www.suse.com/security/cve/CVE-2015-3631/ SUSE CVE CVE-2015-3631 page https://www.suse.com/security/cve/CVE-2016-3697/ SUSE CVE CVE-2016-3697 page https://www.suse.com/security/cve/CVE-2016-8867/ SUSE CVE CVE-2016-8867 page openSUSE Tumbleweed docker-1.12.3-4.1 docker-bash-completion-1.12.3-4.1 docker-test-1.12.3-4.1 docker-zsh-completion-1.12.3-4.1 docker-1.12.3-4.1 as a component of openSUSE Tumbleweed docker-bash-completion-1.12.3-4.1 as a component of openSUSE Tumbleweed docker-test-1.12.3-4.1 as a component of openSUSE Tumbleweed docker-zsh-completion-1.12.3-4.1 as a component of openSUSE Tumbleweed Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors. CVE-2014-3499 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3499.html CVE-2014-3499 https://bugzilla.suse.com/885209 SUSE Bug 885209 Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. CVE-2014-5277 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-5277.html CVE-2014-5277 https://bugzilla.suse.com/904165 SUSE Bug 904165 Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation. CVE-2014-6407 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-6407.html CVE-2014-6407 https://bugzilla.suse.com/907012 SUSE Bug 907012 Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image. CVE-2014-6408 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-6408.html CVE-2014-6408 https://bugzilla.suse.com/907014 SUSE Bug 907014 Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. CVE-2014-8178 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 important 1.9 AV:L/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8178.html CVE-2014-8178 https://bugzilla.suse.com/949660 SUSE Bug 949660 Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. CVE-2014-8179 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8179.html CVE-2014-8179 https://bugzilla.suse.com/949660 SUSE Bug 949660 Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. CVE-2014-9356 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 8.5 AV:N/AC:L/Au:N/C:N/I:C/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9356.html CVE-2014-9356 https://bugzilla.suse.com/909712 SUSE Bug 909712 https://bugzilla.suse.com/909747 SUSE Bug 909747 Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. CVE-2014-9357 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9357.html CVE-2014-9357 https://bugzilla.suse.com/909710 SUSE Bug 909710 https://bugzilla.suse.com/909747 SUSE Bug 909747 Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications." CVE-2014-9358 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9358.html CVE-2014-9358 https://bugzilla.suse.com/909709 SUSE Bug 909709 https://bugzilla.suse.com/909747 SUSE Bug 909747 Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. CVE-2015-3627 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 low 3.2 AV:L/AC:L/Au:S/C:P/I:P/A:N 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3627.html CVE-2015-3627 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container. CVE-2015-3629 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3629.html CVE-2015-3629 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. CVE-2015-3630 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3630.html CVE-2015-3630 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc. CVE-2015-3631 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 low 3.6 AV:L/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3631.html CVE-2015-3631 https://bugzilla.suse.com/930235 SUSE Bug 930235 https://bugzilla.suse.com/945060 SUSE Bug 945060 libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. CVE-2016-3697 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3697.html CVE-2016-3697 https://bugzilla.suse.com/976777 SUSE Bug 976777 Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. CVE-2016-8867 openSUSE Tumbleweed:docker-1.12.3-4.1 openSUSE Tumbleweed:docker-bash-completion-1.12.3-4.1 openSUSE Tumbleweed:docker-test-1.12.3-4.1 openSUSE Tumbleweed:docker-zsh-completion-1.12.3-4.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8867.html CVE-2016-8867 https://bugzilla.suse.com/1007249 SUSE Bug 1007249