* [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7
@ 2019-06-28 6:32 Peter Korsgaard
2019-06-28 6:32 ` [Buildroot] [PATCH 2/2] package/docker-cli: " Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Peter Korsgaard @ 2019-06-28 6:32 UTC (permalink / raw)
To: buildroot
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
vulnerable to a symlink-exchange attack with Directory Traversal, giving
attackers arbitrary read-write access to the host filesystem with root
privileges, because daemon/archive.go does not do archive operations on a
frozen filesystem (or from within a chroot).
And includes additional post-18.09.6 fixes:
Builder
- Fixed a panic error when building dockerfiles that contain only comments.
moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation
workaround. moby/moby#39183
Runtime
- Added performance optimizations in aufs and layer store that helps in
massively parallel container creation and removal. moby/moby#39107,
moby/moby#39135
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps.
moby/moby#39288
Logging
- Added a fix that now allows large log lines for logger plugins.
moby/moby#39038
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/docker-engine/docker-engine.hash | 2 +-
package/docker-engine/docker-engine.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/docker-engine/docker-engine.hash b/package/docker-engine/docker-engine.hash
index 5beceea04b..4ef6905b5d 100644
--- a/package/docker-engine/docker-engine.hash
+++ b/package/docker-engine/docker-engine.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 7cb45266fff79245c81ec86c455d4b0513ca5d4ec1b9be8c8330df30a9467481 docker-engine-18.09.6.tar.gz
+sha256 b4f55831f5e7c5a92cd91f77aad1541ccd572eb18df2f44a01c372bceb3f9b6b docker-engine-18.09.7.tar.gz
sha256 2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0 LICENSE
diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index dd23c59d16..99e3088f65 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -4,7 +4,7 @@
#
################################################################################
-DOCKER_ENGINE_VERSION = 18.09.6
+DOCKER_ENGINE_VERSION = 18.09.7
DOCKER_ENGINE_SITE = $(call github,docker,engine,v$(DOCKER_ENGINE_VERSION))
DOCKER_ENGINE_LICENSE = Apache-2.0
--
2.11.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [Buildroot] [PATCH 2/2] package/docker-cli: security bump to version 18.09.7
2019-06-28 6:32 [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7 Peter Korsgaard
@ 2019-06-28 6:32 ` Peter Korsgaard
2019-07-07 6:30 ` Peter Korsgaard
2019-06-30 12:39 ` [Buildroot] [PATCH 1/2] package/docker-engine: " Arnout Vandecappelle
2019-07-07 6:30 ` Peter Korsgaard
2 siblings, 1 reply; 5+ messages in thread
From: Peter Korsgaard @ 2019-06-28 6:32 UTC (permalink / raw)
To: buildroot
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
vulnerable to a symlink-exchange attack with Directory Traversal, giving
attackers arbitrary read-write access to the host filesystem with root
privileges, because daemon/archive.go does not do archive operations on a
frozen filesystem (or from within a chroot).
And includes additional post-18.09.6 fixes:
Builder
- Fixed a panic error when building dockerfiles that contain only comments.
moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation
workaround. moby/moby#39183
Runtime
- Added performance optimizations in aufs and layer store that helps in
massively parallel container creation and removal. moby/moby#39107,
moby/moby#39135
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps.
moby/moby#39288
Logging
- Added a fix that now allows large log lines for logger plugins.
moby/moby#39038
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/docker-cli/docker-cli.hash | 2 +-
package/docker-cli/docker-cli.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/docker-cli/docker-cli.hash b/package/docker-cli/docker-cli.hash
index 4abc5cf91a..27bf3322c4 100644
--- a/package/docker-cli/docker-cli.hash
+++ b/package/docker-cli/docker-cli.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 02bcb73dde1c9542fa65c8b87078aaa1b01b0dbdd62346637bcf0999a2a0909f docker-cli-18.09.6.tar.gz
+sha256 62e25a0935bee75f999fb95b224ad982054fc1adc4351ce98d704ec00114ce57 docker-cli-18.09.7.tar.gz
sha256 2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0 LICENSE
diff --git a/package/docker-cli/docker-cli.mk b/package/docker-cli/docker-cli.mk
index eef492d625..0cff46abbd 100644
--- a/package/docker-cli/docker-cli.mk
+++ b/package/docker-cli/docker-cli.mk
@@ -4,7 +4,7 @@
#
################################################################################
-DOCKER_CLI_VERSION = 18.09.6
+DOCKER_CLI_VERSION = 18.09.7
DOCKER_CLI_SITE = $(call github,docker,cli,v$(DOCKER_CLI_VERSION))
DOCKER_CLI_WORKSPACE = gopath
--
2.11.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/docker-cli: security bump to version 18.09.7
2019-06-28 6:32 ` [Buildroot] [PATCH 2/2] package/docker-cli: " Peter Korsgaard
@ 2019-07-07 6:30 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2019-07-07 6:30 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
> vulnerable to a symlink-exchange attack with Directory Traversal, giving
> attackers arbitrary read-write access to the host filesystem with root
> privileges, because daemon/archive.go does not do archive operations on a
> frozen filesystem (or from within a chroot).
> And includes additional post-18.09.6 fixes:
> Builder
> - Fixed a panic error when building dockerfiles that contain only comments.
> moby/moby#38487
> - Added a workaround for GCR authentication issue. moby/moby#38246
> - Builder-next: Fixed a bug in the GCR token cache implementation
> workaround. moby/moby#39183
> Runtime
> - Added performance optimizations in aufs and layer store that helps in
> massively parallel container creation and removal. moby/moby#39107,
> moby/moby#39135
> - daemon: fixed a mirrors validation issue. moby/moby#38991
> - Docker no longer supports sorting UID and GID ranges in ID maps.
> moby/moby#39288
> Logging
> - Added a fix that now allows large log lines for logger plugins.
> moby/moby#39038
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x and 2019.05.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7
2019-06-28 6:32 [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7 Peter Korsgaard
2019-06-28 6:32 ` [Buildroot] [PATCH 2/2] package/docker-cli: " Peter Korsgaard
@ 2019-06-30 12:39 ` Arnout Vandecappelle
2019-07-07 6:30 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Arnout Vandecappelle @ 2019-06-30 12:39 UTC (permalink / raw)
To: buildroot
On 28/06/2019 08:32, Peter Korsgaard wrote:
> Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
> vulnerable to a symlink-exchange attack with Directory Traversal, giving
> attackers arbitrary read-write access to the host filesystem with root
> privileges, because daemon/archive.go does not do archive operations on a
> frozen filesystem (or from within a chroot).
>
> And includes additional post-18.09.6 fixes:
>
> Builder
> - Fixed a panic error when building dockerfiles that contain only comments.
> moby/moby#38487
> - Added a workaround for GCR authentication issue. moby/moby#38246
> - Builder-next: Fixed a bug in the GCR token cache implementation
> workaround. moby/moby#39183
>
> Runtime
> - Added performance optimizations in aufs and layer store that helps in
> massively parallel container creation and removal. moby/moby#39107,
> moby/moby#39135
> - daemon: fixed a mirrors validation issue. moby/moby#38991
> - Docker no longer supports sorting UID and GID ranges in ID maps.
> moby/moby#39288
>
> Logging
> - Added a fix that now allows large log lines for logger plugins.
> moby/moby#39038
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Both applied to master, thanks.
Regards,
Arnout
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7
2019-06-28 6:32 [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7 Peter Korsgaard
2019-06-28 6:32 ` [Buildroot] [PATCH 2/2] package/docker-cli: " Peter Korsgaard
2019-06-30 12:39 ` [Buildroot] [PATCH 1/2] package/docker-engine: " Arnout Vandecappelle
@ 2019-07-07 6:30 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2019-07-07 6:30 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
> vulnerable to a symlink-exchange attack with Directory Traversal, giving
> attackers arbitrary read-write access to the host filesystem with root
> privileges, because daemon/archive.go does not do archive operations on a
> frozen filesystem (or from within a chroot).
> And includes additional post-18.09.6 fixes:
> Builder
> - Fixed a panic error when building dockerfiles that contain only comments.
> moby/moby#38487
> - Added a workaround for GCR authentication issue. moby/moby#38246
> - Builder-next: Fixed a bug in the GCR token cache implementation
> workaround. moby/moby#39183
> Runtime
> - Added performance optimizations in aufs and layer store that helps in
> massively parallel container creation and removal. moby/moby#39107,
> moby/moby#39135
> - daemon: fixed a mirrors validation issue. moby/moby#38991
> - Docker no longer supports sorting UID and GID ranges in ID maps.
> moby/moby#39288
> Logging
> - Added a fix that now allows large log lines for logger plugins.
> moby/moby#39038
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x and 2019.05.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-07-07 6:30 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-28 6:32 [Buildroot] [PATCH 1/2] package/docker-engine: security bump to version 18.09.7 Peter Korsgaard
2019-06-28 6:32 ` [Buildroot] [PATCH 2/2] package/docker-cli: " Peter Korsgaard
2019-07-07 6:30 ` Peter Korsgaard
2019-06-30 12:39 ` [Buildroot] [PATCH 1/2] package/docker-engine: " Arnout Vandecappelle
2019-07-07 6:30 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox